Walker News

How To Reveal Hidden iframe And Identify Clickjacking Threat?

If you’re not using the Firefox NoScript extension, the browser’s built-in developer functions can be used to manually detect a hidden iframe layered atop a visible button or other clickable object, and to display the content of that hidden iframe, which helps determine whether it poses a clickjacking threat.

The following screencast shows a clickjacking example found on the Facebook Newsfeed and the primitive method used to check for a hidden iframe atop the video playback button:



Using Google Chrome Developer Tools to find hidden iframe

I was skeptical about the video link that appeared on the FB Newsfeed, as the link was not to Facebook or any reputable video hosting site that I know of. Therefore, I copied the video link from IE9 (which I used to access FB) and opened the copied hyperlink in Google Chrome.
It’s my practice to use a different brand of web browser to open hyperlinks found in an online account, in order to minimize the risk of session riding, i.e. a CSRF attack (the second browser holds no session cookie for that account).

After the suspect link loaded in Google Chrome, the page showed a “video”. To verify whether it is a real embedded video, right-click on its playback button and select the “Inspect element” option – this opens Google Chrome Developer Tools and highlights the HTML code of the element that was right-clicked.

As the screencast demonstrates, there is a hidden iframe on top of the video playback button, and it contains a link that activates the Facebook Like plugin!

Using IE9 or Firefox 4 to find hyperlink of a hidden iframe

Neither IE9 nor Firefox 4 provides a convenient shortcut to display the HTML code of a specific web control, as Google Chrome’s “Inspect element” option does. It’s easier to just display the hyperlink of the web control you’re about to click – in IE9, right-click on the playback button and select Properties.

Similarly, in Firefox 4, right-click on the clickable object and look for the “This Frame” submenu (its presence is an obvious sign that an iframe sits on top of the playback button), then select the “View Frame Source” option.

Both browsers show the same result and match Google Chrome’s finding, i.e. clicking on the playback button in fact clicks the FB Like button – if the suspect page is opened directly from the FB Newsfeed, the click performs the social activity automatically without prompting you to log in to FB (as the Like button inside the hidden iframe is loaded from Facebook, the browser sends your FB session cookie along with the click).
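As an added example (not from the original post), here is the same check done from the browser’s JavaScript console rather than by hand: it lists iframes that are transparent or stacked above the page and reports where their content comes from. Function names, the opacity threshold and the sample origins are this editor’s assumptions.

```javascript
// Added example, not from the original post: heuristics for spotting an iframe
// layered invisibly over a clickable element, the pattern found with "Inspect
// element". Thresholds and names are assumptions. In a console run scanDocument().

const NEAR_TRANSPARENT = 0.1; // assumption: opacity at or below this counts as hidden

// Build a plain descriptor for one <iframe> from its computed style. Only the
// frame's own opacity is read; an ancestor's opacity is not walked.
function describeFrame(el, win) {
  const cs = win.getComputedStyle(el);
  const src = el.getAttribute('src') || '';
  let origin = null;
  try { origin = new URL(src, win.location.href).origin; } catch (e) { /* about:blank etc. */ }
  return { src, origin, opacity: parseFloat(cs.opacity), position: cs.position, zIndex: parseInt(cs.zIndex, 10) || 0 };
}

// Pure classifier: reasons a frame looks like a hidden overlay (empty = benign).
// A visible, normally flowed frame is not flagged merely for being cross-origin.
function overlayReasons(frame, pageOrigin) {
  const reasons = [];
  if (frame.opacity <= NEAR_TRANSPARENT) reasons.push('near-zero opacity');
  const layered = (frame.position === 'absolute' || frame.position === 'fixed') && frame.zIndex > 0;
  if (layered) reasons.push(`stacked above page content (z-index ${frame.zIndex})`);
  if (reasons.length && frame.origin && frame.origin !== pageOrigin) {
    reasons.push(`cross-origin content from ${frame.origin}`);
  }
  return reasons;
}

// Reduce a list of descriptors to the suspicious ones, each with its reasons.
function findOverlayFrames(frames, pageOrigin) {
  return frames
    .map((f) => ({ src: f.src, reasons: overlayReasons(f, pageOrigin) }))
    .filter((r) => r.reasons.length > 0);
}

// Browser entry point: scan every iframe in the live document.
function scanDocument(doc = globalThis.document) {
  const win = doc.defaultView;
  const frames = Array.from(doc.querySelectorAll('iframe')).map((el) => describeFrame(el, win));
  return findOverlayFrames(frames, win.location.origin);
}

// What actually receives a click at viewport point (x, y)? If it is an iframe,
// that frame sits on top of whatever the user believes they are clicking.
function frameAtPoint(doc, x, y) {
  const top = doc.elementFromPoint(x, y);
  return top && top.tagName === 'IFRAME' ? top : null;
}
```

Calling frameAtPoint(document, x, y) with the coordinates of the playback button is the console equivalent of the right-click inspection: a returned iframe means the click never reaches the visible button.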


2016  •  Privacy Policy