In response to my previous post on the importance of weaponization in exploit development, and given that no solution to clickjacking appears forthcoming in the near future, I hereby present a proof of concept for clickjacking.
The provisos:
- This example will clear your Facebook status if you click the link below
- This example uses no JavaScript, nor iframes - an object tag seems to circumvent NoScript according to this post
- You must already be logged-in to Facebook *BEFORE* you load this page and have a "status" set
- UPDATE: This is more temperamental than I feared - the length of your status will affect whether the link lines up. Back to the drawing board.
Here
Fairly malicious stuff, and it has already been illustrated by PlanB Security, but I feel this example is neater and doesn't involve a 2-click process.
The key seems to lie in a simple z-order setting and then setting style properties of your object/iframe to opacity:0;filter:alpha(opacity=0).
Some problems can occur because the time indicator on the status doesn't line up properly with the link - no time to fix it now, but it seems to sit under my link most of the time :P
If it doesn't line up, it's probably hiding just to the left of the link.
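Because the technique above needs no JavaScript on the attacker's page (the target is simply loaded in an `<object>` with `opacity:0` and positioned underneath a visible link), client-side defences such as NoScript or frame-busting script in the victim's browser do not help. The effective mitigation sits on the targeted site: it must refuse to be rendered inside another origin's document. The following is an added example, not code from the original post, that audits a response's headers for that protection: a `Content-Security-Policy` `frame-ancestors` directive (which covers `<object>` and `<embed>` parents as well as `<iframe>`, and which browsers honour in preference to `X-Frame-Options` when both are present) or, as a legacy fallback, `X-Frame-Options: DENY`/`SAMEORIGIN`. The header values in `SAMPLE_RESPONSES` are constructed for illustration.

```javascript
// Added example: assess whether a server response can be embedded by a third-party
// page (the precondition for clickjacking). Not part of the original post.

// Return the source list of the frame-ancestors directive, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: plain object mapping lower-case header names to their values.
// Returns { protected, mechanism, notes } describing the anti-framing posture.
function assessFramingProtection(headers) {
  const result = { protected: false, mechanism: null, notes: [] };
  const ancestors = parseFrameAncestors(headers['content-security-policy']);

  if (ancestors !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options entirely,
    // so the verdict is decided by CSP alone.
    if (headers['x-frame-options']) {
      result.notes.push('X-Frame-Options is ignored because CSP frame-ancestors is present');
    }
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      result.protected = true;
      result.mechanism = 'csp-frame-ancestors';
      return result;
    }
    if (ancestors.includes('*')) {
      result.notes.push('frame-ancestors * allows any origin to embed this page');
      return result;
    }
    // A restricted list ('self' and/or named origins) still blocks arbitrary attackers.
    result.protected = true;
    result.mechanism = 'csp-frame-ancestors';
    result.notes.push('embedding limited to: ' + ancestors.join(' '));
    return result;
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    result.protected = true;
    result.mechanism = 'x-frame-options';
    result.notes.push('legacy header only; add CSP frame-ancestors for finer control');
    return result;
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    result.notes.push('ALLOW-FROM is not supported by current browsers; use CSP frame-ancestors');
  }
  result.notes.push('no anti-framing header: page can be loaded in an opaque <iframe>/<object>');
  return result;
}

// Constructed sample responses (header names lower-cased, as Node's http module does).
const SAMPLE_RESPONSES = {
  unprotected: { 'content-type': 'text/html' },
  legacy: { 'x-frame-options': 'DENY' },
  modern: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  partner: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  conflicting: { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
};

// Print a short report for every sample when run directly with Node.
function report(samples) {
  return Object.entries(samples).map(([name, headers]) => {
    const r = assessFramingProtection(headers);
    return `${name}: ${r.protected ? 'protected' : 'EMBEDDABLE'} (${r.mechanism || 'none'}) ${r.notes.join('; ')}`;
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report(SAMPLE_RESPONSES).join('\n'));
}
```

The `conflicting` case is the one worth remembering when reviewing a site's headers: a permissive `frame-ancestors *` silently switches off an otherwise correct `X-Frame-Options: DENY`, so the two headers must be checked together rather than in isolation.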