Once you are connected in VPN to the lab environment, all the web applications will be
available at the following URL: http://info.otherattacks.site/.
There are three main sections for each type of lab: Video, Lab, Challenges.
• Video section contains web applications used during video lessons. Therefore, if
you need any information about the scenario, the attacks and so on, please refer to
the corresponding video.
• Labs section contains web applications where you can practice the techniques of the
specific module; these labs have solutions, which you can find later in this manual.
• Challenges labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!
The best tool is, as usual, your brain. Then you may need:
• Web Browser
Once you have your virtual network ready, configure the following IP address as default
DNS: 10.100.13.37
• WINDOWS: change the properties of the TAP network device, adding the IP address of the
server as the first DNS server.
• LINUX: add an entry into /etc/resolv.conf file with the IP address of the server
This battle is purely demonstrative and will show you a typical page that implements a
clickjacking attack. In this case, the clickjacking technique is common enough to have
another name: Likejacking.
You will not build a payload because it has already been built; you should only observe how
the attack has been accomplished from a bystander’s perspective. You’ll have to login to
Facebook to run the attack.
The malicious web page has been built by combining two different layers:
• The underlying layer contains the fraudulent Facebook Like button and is
completely hidden to the user.
• The overlaying layer contains the question "Would you like to be the President of the
United States?", designed by the attacker with the sole goal of enticing the victim
into pressing the Yes button.
For educational reasons, we have made the underlying layer slightly visible. Use the bar
(available on the same page) to hide it completely; this is what happens in real-world
attacks.
The victim will think they are pressing the Yes button but will really be clicking the Like on
Facebook button.
Let us see how this behavior has been crafted by looking carefully at the HTML source code
of the page.
The underlying layer is included in the document via an iframe (pointing to the
facebook.html page), while the overlaying layer is represented by standard HTML:
The dominant layer, although visible, is placed beneath the other one by setting its
z-index property to -1. In this way the Yes button, which belongs to the dominant layer and
is visible, cannot be clicked, because it is covered (due to the z-index property) by the
Facebook Like button, which is hidden in the other layer.
Given the z-index property and the fact that the two layers overlap completely, any click on
the visible layer is actually caught by the underlying layer.
So the victim will think they are clicking on the Yes button but will really click on the
Facebook Like button, and the Likejacking attack is complete.
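The attack above only works because the framed page lets itself be loaded inside an iframe on a foreign origin. The standard defences are the Content-Security-Policy frame-ancestors directive and the older X-Frame-Options header, and the first thing to check when assessing a page for clickjacking is whether either is set and what it allows. The following script is an added example, not part of the lab manual or the lab pages: it evaluates a set of response headers and reports whether a page at pageOrigin could be framed from framerOrigin, applying the browser rule that frame-ancestors takes precedence over X-Frame-Options when both are present. The header sets in SAMPLES and the framer origin "https://framer.example" are constructed for illustration; whether the lab's facebook.html page sets any of these headers is not stated in the manual.

```javascript
// Added example (not from the lab manual): decide whether a page can be framed
// by another origin, judging only from its response headers.
// Header values in SAMPLES below are constructed for illustration.

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Extract the frame-ancestors source list from a CSP header value.
// Returns an array of (lower-cased) source expressions, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression allow framerOrigin to embed the page?
function sourceMatches(source, framerOrigin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return framerOrigin === pageOrigin;
  const framer = new URL(framerOrigin);
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framer.protocol === source;
  // host-source: [scheme://][*.]host[:port]
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.protocol !== scheme + ":") return false;
  const fh = framer.hostname;
  // "*.example" matches subdomains of example, not example itself
  if (wildcard ? !fh.endsWith("." + host) : fh !== host) return false;
  const framerPort = framer.port || DEFAULT_PORT[framer.protocol] || "";
  if (port && port !== "*" && port !== framerPort) return false;
  return true;
}

// Main check. headers is a plain object; lookup is case-insensitive.
function canBeFramed(headers, framerOrigin, pageOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const ancestors = parseFrameAncestors(get("content-security-policy"));
  if (ancestors !== null) {
    // Browsers that support frame-ancestors ignore X-Frame-Options when it is present.
    // An empty source list behaves like 'none'.
    const allowed = ancestors.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
    return { frameable: allowed, reason: "frame-ancestors " + ancestors.join(" ") };
  }
  const xfo = (get("x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return { frameable: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { frameable: framerOrigin === pageOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  // ALLOW-FROM is not honoured by current browsers; an unrecognised or absent
  // value leaves the page frameable from anywhere.
  return {
    frameable: true,
    reason: xfo ? "unsupported X-Frame-Options value: " + xfo : "no framing protection",
  };
}

// Constructed sample header sets (not captured from the lab).
const SAMPLES = {
  unprotected: { "Content-Type": "text/html" },
  xfoDeny: { "X-Frame-Options": "DENY" },
  xfoSameOrigin: { "X-Frame-Options": "sameorigin" },
  cspSelf: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" },
  cspPartner: { "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example" },
  conflicting: { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *" },
};

// Assess every sample as if it were served by the lab host and framed from a foreign origin.
function assessAll(framerOrigin = "https://framer.example", pageOrigin = "http://info.otherattacks.site") {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    report[name] = canBeFramed(headers, framerOrigin, pageOrigin);
  }
  return report;
}

for (const [name, verdict] of Object.entries(assessAll())) {
  console.log(`${name.padEnd(14)} frameable=${verdict.frameable}  (${verdict.reason})`);
}
```

Only the first sample (no header at all) and the deliberately conflicting one are frameable from a foreign origin in this run; the conflicting case is worth remembering during an assessment, because a page can carry X-Frame-Options: DENY and still be embeddable if a later CSP header opens frame-ancestors up.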