To catch a hacker, you must think like a hacker. An attacker looks for ways to chain multiple exploits into one larger attack. What is often missed in this type of scenario is what happens when vulnerabilities are combined: hackers usually chain two or more vulnerabilities together in a way that leads to the compromise of a business. That is what we recently found in one Canadian banking platform, where a low-severity self-XSS combined with clickjacking led to account takeover.
During our testing, we were able to trigger the self-XSS because the website was also vulnerable to clickjacking.
Self-XSS is a social engineering attack used to gain control of a victim's web account. In a self-XSS attack, the victim unknowingly runs malicious code in their own browser, exposing their session to the attacker. The injection point can be DOM-based, or a stored field that only that one user can set and view.
Clickjacking is an attack in which a website where the victim is logged in is loaded inside a frame on an attacker-controlled page, typically with the frame's opacity set to 0, so the victim interacts with their own account on that other website without knowing it. Clickjacking, also called UI redressing, is a malicious technique that tricks users into clicking a button or image that triggers a hidden action or script on another site.
An attacker can force users to paste XSS payloads into text fields framed from other domains. These frames can be redressed, made invisible, and overlaid on top of other UI elements, so the user believes they are interacting with a different website.
What’s the Risk?
The attacker can steal cookies and inbox messages, change profile settings (phone numbers, emails, etc.), steal profile details, or perform other malicious actions. In effect, the attacker can take over the user's entire account.
Mitigation or Fix
Below are protections that should be in place to prevent this attack.
- Use the X-XSS-Protection header
- Set the X-Frame-Options header to DENY (for clickjacking)
- Use a Content Security Policy
- Always set the session cookie as HttpOnly
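As an added example (not part of the original post), the following Python check inspects a response's headers and Set-Cookie values for the protections listed above; every header and cookie value in it is a constructed sample. Note that X-XSS-Protection is a legacy header that Chromium-based browsers and Firefox ignore, so it is reported only as a legacy item and the Content Security Policy is the control to rely on.

```python
# Added example: checks an HTTP response for the protections listed above.
# All header and cookie values below are constructed samples, not captured traffic.

def csp_directive(csp: str, name: str):
    """Return the source list of one CSP directive, or None if it is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None

def check_response(headers: dict, set_cookies: list) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    h = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").upper()
    csp = h.get("content-security-policy", "")
    ancestors = csp_directive(csp, "frame-ancestors")
    # Framing is blocked by X-Frame-Options DENY/SAMEORIGIN or by CSP frame-ancestors.
    if xfo not in ("DENY", "SAMEORIGIN") and ancestors is None:
        findings.append("page can be framed: no X-Frame-Options and no frame-ancestors")
    if ancestors is not None and "*" in ancestors:
        findings.append("frame-ancestors * allows any origin to frame the page")
    if not csp:
        findings.append("no Content-Security-Policy header")
    # Legacy header: Chromium-based browsers and Firefox ignore it; CSP is the real control.
    if not h.get("x-xss-protection"):
        findings.append("no X-XSS-Protection header (legacy)")
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly; readable by injected script")
    return findings

# Constructed sample responses: one with none of the protections, one hardened.
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_COOKIES = ["session=abc123; Path=/"]
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(label, check_response(hdrs, cookies) or "OK")
```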
This combination is hard to automate and requires human creativity to fully understand the potential impact. Discovering the chained vulnerability requires manual testing; static and dynamic vulnerability scanning alone is not sufficient.