
© 2018 Caendra Inc.

| Hera for WAPTv3 | Other Attacks 1


In these Other Attacks labs, you can use the techniques and attacks explained in the Other
Attacks module of the course.

Once you are connected via VPN to the lab environment, all the web applications will be
available at the following URL: http://info.otherattacks.site/.

There are three main sections for each type of lab: Video, Lab, Challenges.

• The Video section contains the web applications used during the video lessons. Therefore, if
you need any information about the scenario, the attacks and so on, please refer to
the corresponding video.
• The Labs section contains web applications where you can practice the techniques of the
specific module. These labs have solutions, which you can find later in this manual.
• Challenges labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!

The best tool is, as usual, your brain. You may also need:

• Web Browser

Once you have your virtual network ready, configure the following IP address as the default
DNS: 10.100.13.37

• WINDOWS: change the properties of the TAP network device, adding the IP of the server
as the first DNS server.
• LINUX: add an entry to the /etc/resolv.conf file with the IP address of the server.



Company eLSFoo is looking for acceptance and
popularity. To accomplish this, their web
engineers have decided to use the dishonest
clickjacking technique to trick the users into
clicking their Facebook Like button.

The page that will be used to steal the click is:

You can view it by accessing the document facebook.html

This battle is purely demonstrative and will show you a typical page that implements a
clickjacking attack. In this case, the clickjacking technique is common enough to have
another name: Likejacking.

You will not build a payload because it has already been built; you should only observe how
the attack has been accomplished from a bystander’s perspective. You’ll have to login to
Facebook to run the attack.

Perform a clickjacking attack on Facebook (Likejacking).

• How to perform a clickjacking attack



Please go ahead only if you are really stuck or if you have
completed the labs.



Open the document clickjacking.html. This malicious web page has been built by a
dishonest web developer in order to trick users into clicking the hidden Like on Facebook
button.

The malicious web page has been built by combining two different layers:

• The underlying layer contains the fraudulent Facebook Like button and is
completely hidden from the user.
• The overlaying layer contains the question Would you like to be the President of the
United States?, designed by the attacker with the sole goal of enticing the victim
into pressing the Yes button.

For educational reasons, we have made the underlying layer slightly visible. Use the bar
(available on the same page) to hide it completely; this is what happens in real-world
attacks.

The victim will think they are pressing the Yes button but will really be clicking the Like on
Facebook button.

Let us see how this behavior has been crafted by looking carefully at the HTML source code
of the page.

The underlying layer is included in the document via an iframe (pointing to the
facebook.html page), while the overlaying layer is represented by standard HTML:



The underlying layer is made transparent by the use of the opacity CSS property:

The dominant layer, although visible, is placed under the level of the other one by using the
z-index property set to -1. In this way, the Yes button, belonging to the dominant layer,
although visible, will not be clicked, because it is overlapped (due to the z-index
property) by the Facebook Like button, which is hidden, in the other layer.

Considering the z-index property and that the two layers completely overlap, any click on
the visible layer will actually be caught by the hidden layer that holds the Like button.

So the victim will think they are clicking on the Yes button but will really click on the
Facebook Like button, and the Likejacking attack is complete.
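
When reviewing a suspicious page, the two properties this solution relies on (an iframe made transparent with opacity, and a visible decoy pushed down with a negative z-index) can be checked statically. The following is an added example, not code from the lab or the course; the function names, the 0.1 opacity cut-off and the sample markup are assumptions, and only inline styles and simple `#id` / `.class` rules in `<style>` blocks are evaluated.

```python
import re
from html.parser import HTMLParser

def declarations(css):
    """Parse 'opacity: 0; z-index: -1' into {'opacity': '0', 'z-index': '-1'}."""
    pairs = (part.partition(":") for part in css.lower().split(";"))
    return {k.strip(): v.replace("!important", "").strip() for k, sep, v in pairs if sep}

def number(value, default):
    match = re.fullmatch(r"-?\d*\.?\d+", value or "")
    return float(match.group()) if match else default

class LayerAudit(HTMLParser):  # collects elements and '#id' / '.class' <style> rules
    def __init__(self):
        super().__init__()
        self.rules, self.elements, self.in_style = {}, [], False
    def handle_starttag(self, tag, attrs):
        self.in_style = tag == "style"
        self.elements.append((tag, dict(attrs)))
    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            for selector, body in re.findall(r"([#.][\w-]+)\s*\{([^}]*)\}", data):
                self.rules.setdefault(selector, {}).update(declarations(body))
    def style_of(self, attrs):
        # Approximate cascade: class rules, then the id rule, then inline style.
        style = {}
        for cls in (attrs.get("class") or "").split():
            style.update(self.rules.get("." + cls, {}))
        style.update(self.rules.get("#" + (attrs.get("id") or ""), {}))
        style.update(declarations(attrs.get("style") or ""))
        return style

def audit(html, max_opacity=0.1):  # max_opacity: assumed cut-off for "hidden"
    """Return (src of near-transparent iframes, ids/tags with negative z-index)."""
    parser = LayerAudit()
    parser.feed(html)
    parser.close()
    styled = [(t, a, parser.style_of(a)) for t, a in parser.elements]
    hidden = [a.get("src") for t, a, s in styled
              if t == "iframe" and number(s.get("opacity"), 1.0) <= max_opacity]
    sunk = [a.get("id") or t for t, a, s in styled if number(s.get("z-index"), 0) < 0]
    return hidden, sunk

# Constructed sample modelled on the page described above (not the lab's source).
SAMPLE = """<style>#decoy { z-index: -1 } .frame { opacity: 0.0 }</style>
<iframe class="frame" src="facebook.html"></iframe><div id="decoy">Would you
like to be the President of the United States? <button>Yes</button></div>"""
print(audit(SAMPLE))
```

A page that returns entries in both lists at once matches the layering described here and deserves a manual look; either list on its own is common in legitimate layouts.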
