Hello,
I've made a module to test for clickjacking.
Verification
List the steps needed to make sure this thing works
```
msfconsole
use auxiliary/scanner/http/detect_clickjacking
```

In msfconsole:

```
msf auxiliary(detect_clickjacking) > run
[*] XXX.XXX.XX.XXX:80 - Clickjacking testing in progress... [CONNECT][xxxx.fr:80]
[*] XXX.XXX.XX.XXX:80 - Returns with '302' status code [CONNECT][xxx.fr:80]
[+] XXX.XXX.XX.XXX:80 - Potentially vulnerable to clickjacking [302][CONNECT]
  |_X-Frame-Options:
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Best Wishes
```ruby
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::WmapScanServer
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'clickjacking_detector',
      'Description' => %q{
        This module checks if a website is vulnerable to a clickjacking attack.
      },
      'References'  =>
        [
          ['URL', 'https://fr.wikipedia.org/wiki/D%C3%A9tournement_de_clic'],
        ],
      'Author'      => 'DRX_51',
      'License'     => MSF_LICENSE
    ))
  end

  # Scanner entry point, invoked once per target host by Msf::Auxiliary::Scanner.
  def run_host(target_host)
  end

  # Per-URL framing-header check (body omitted in the PR excerpt).
  def verify_target(target_host, target_port, target_method, check_url, target_clickjacking_headers)
  end
end
```
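Two things in the verification output deserve a second look before this ships. The `[+]` line is raised on a `302`, but a redirect's headers say nothing about the page a victim would actually be framed into; the check has to follow to the final document. And an absent `X-Frame-Options` is not by itself a finding: `Content-Security-Policy: frame-ancestors` takes precedence over `X-Frame-Options` in current browsers, so a page can be fully protected with no XFO header at all, or frameable despite `X-Frame-Options: DENY` if CSP says `frame-ancestors *`. `ALLOW-FROM` is also no longer enforced. The following stand-alone Ruby is an added example, not code from this PR or from Metasploit; it shows the decision logic a detector needs, run over constructed responses (the hostnames and headers are made up). Verdict names (`:redirect`, `:protected`, `:restricted`, `:review`, `:vulnerable`) are the example's own:

```ruby
# Added example (not the PR's module): decide from one HTTP response whether the
# page can be framed by an attacker-controlled origin. All inputs are constructed.

# Return the frame-ancestors source list from a CSP value, or nil when absent.
# Only the first occurrence counts, which matches how browsers treat a repeated
# directive inside one policy.
def frame_ancestors_sources(csp)
  return nil if csp.nil? || csp.strip.empty?
  csp.split(';').each do |directive|
    name, *sources = directive.strip.split(/\s+/)
    next unless name
    return sources.map(&:downcase) if name.casecmp('frame-ancestors').zero?
  end
  nil
end

# Classify a single (status, headers) pair. Returns { verdict:, reason: }.
def framing_verdict(status, headers)
  # Header names are case-insensitive; normalise once.
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s.strip }

  # A 3xx is not the document a victim would be framed into; its headers prove
  # nothing either way. The scanner must follow it and judge the final page.
  if (300..399).cover?(status) && h['location']
    return { verdict: :redirect, reason: "#{status} to #{h['location']}; test the target, not the redirect" }
  end

  # CSP frame-ancestors, when present, wins over X-Frame-Options, so check it first.
  sources = frame_ancestors_sources(h['content-security-policy'])
  if sources
    return { verdict: :protected, reason: "CSP frame-ancestors 'none'" } if sources == ["'none'"]
    if sources.any? { |s| s == '*' || s.match?(/\Ahttps?:\z/) }
      return { verdict: :vulnerable, reason: "CSP frame-ancestors #{sources.join(' ')} allows any origin" }
    end
    return { verdict: :restricted, reason: "CSP frame-ancestors #{sources.join(' ')}" }
  end

  xfo = h['x-frame-options']
  if xfo.nil? || xfo.empty?
    return { verdict: :vulnerable, reason: 'no X-Frame-Options and no frame-ancestors' }
  end

  values   = xfo.split(',').map { |v| v.strip.upcase }.uniq
  enforced = values.select { |v| %w[DENY SAMEORIGIN].include?(v) }
  if enforced.size == values.size
    { verdict: :protected, reason: "X-Frame-Options: #{values.join(', ')}" }
  elsif enforced.empty?
    # ALLOW-FROM and unrecognised tokens are not enforced by current browsers.
    { verdict: :vulnerable, reason: "X-Frame-Options '#{xfo}' is not enforced by current browsers" }
  else
    { verdict: :review, reason: "X-Frame-Options '#{xfo}' mixes enforced and unenforced values; verify in a browser" }
  end
end

# Constructed sample responses (status, headers); hostnames are made up.
SAMPLES = {
  'redirect'      => [302, { 'Location' => 'https://example.test/login' }],
  'unprotected'   => [200, { 'Content-Type' => 'text/html' }],
  'xfo_deny'      => [200, { 'X-Frame-Options' => 'DENY' }],
  'xfo_allowfrom' => [200, { 'x-frame-options' => 'ALLOW-FROM https://partner.test' }],
  'csp_none'      => [200, { 'X-Frame-Options' => 'ALLOWALL',
                             'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'" }],
  'csp_wildcard'  => [200, { 'X-Frame-Options' => 'DENY',
                             'Content-Security-Policy' => 'frame-ancestors *' }],
  'csp_self'      => [200, { 'Content-Security-Policy' => "frame-ancestors 'self' https://app.example.test" }]
}.freeze

# Run the classifier over every sample and return name => verdict hash.
def scan(samples = SAMPLES)
  samples.transform_values { |(status, headers)| framing_verdict(status, headers) }
end

if __FILE__ == $PROGRAM_NAME
  scan.each { |name, r| puts format('%-14s %-11s %s', name, r[:verdict], r[:reason]) }
end
```

Note the `csp_wildcard` sample: `X-Frame-Options: DENY` alongside `frame-ancestors *` is reported as vulnerable, and `csp_none` is reported as protected despite a junk `X-Frame-Options` value, which is exactly the pair of cases a header-presence check gets backwards. In a Metasploit module the `headers` argument would be `res.headers` from `send_request_cgi`, with `res.code` as the status, after following any redirect.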