Full Report
Jack is a tool I created to help build Clickjacking PoCs. It uses basic HTML and JavaScript and can be found on GitHub (https://github.com/sensepost/Jack). To use Jack, load Jack's HTML, CSS and JS files using the method of your choice and navigate to Jack's index.html. Jack comes with three additional pages: sandbox.html, targetLogin.html and targetRead.html. targetRead.html can be used to demonstrate Clickjacking that reads values from a page, and sandbox.html is used to display the Clickjacking demonstration. By default, Jack loads the "Read" HTML page with default CSS and styles.
Analysis Summary
# Tool/Technique: Jack
## Overview
Jack is a utility created to facilitate the building of Proof-of-Concepts (PoCs) for Clickjacking attacks. It leverages basic HTML, CSS, and JavaScript to create overlays that trick users into clicking elements on a hidden, malicious iframe, which interacts with a legitimate target page.
## Technical Details
- Type: Tool
- Platform: Web (Client-side/Browser)
- Capabilities: Building Clickjacking PoCs, loading arbitrary target URLs, configuring overlay positions (X&Y) for inputs and buttons, styling overlay elements to blend with the target, and executing custom JavaScript payloads upon interaction.
- First Seen: September 15, 2014
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- **T1189 - Drive-by Compromise** (While Jack is used for PoC, the underlying mechanism of Clickjacking can lead to unauthorized actions.)
- **TA0006 - Credential Access**
- **T1003 - OS Credential Dumping** (If the clickjacking results in submission of credentials)
- **TA0010 - Collection**
- **T1119 - Data from Local System** (If sensitive data is read via the `targetRead.html` functionality)
## Functionality
### Core Capabilities
- **PoC Construction:** Uses HTML, CSS, and JavaScript to generate Clickjacking demonstrations.
- **Target Loading:** Can load any specified URL (e.g., Google Gruyere example: `https://google-gruyere.appspot.com/211539457592/`) into an iframe.
- **Element Mapping:** Allows precise configuration of X&Y coordinates for overlaying up to two input fields (like username/password) and one button over corresponding elements on the target page.
- **Viewing Demo:** Provides a "View" function to render the configured overlay against the loaded target in real-time.
### Advanced Features
- **Styling Blending:** Ability to inject custom CSS (`outline`, `box-shadow`, `border`, `height`, `width`, `background-color`, `font-family`, `font-size`) to make the malicious overlay elements visually indistinguishable from the legitimate target elements ("look #legit").
- **Payload Execution:** Includes an input box for specifying a custom JavaScript payload to be executed when the overlaid dummy button is clicked (demonstrated by displaying username/password inputs).
- **Output Generation:** Generates a final, self-contained demonstration page (`sandbox.html`) which includes the necessary elements and resources (`/static` and `/resources`) for local use or deployment on a web server.
## Indicators of Compromise
*Note: As Jack is a legitimate PoC tool, IoCs are related to its usage artifacts.*
- File Hashes: Not provided in the context.
- File Names: `index.html`, `sandbox.html`, `targetLogin.html`, `targetRead.html`.
- Registry Keys: N/A (Client-side web tool).
- Network Indicators: The tool itself does not exhibit C2 behavior; however, it necessitates loading a target URL (e.g., `https://google-gruyere.appspot.com/211539457592/`).
- Behavioral Indicators: Generating web pages that overlay opaque or transparent iframes over legitimate sites, especially on login or sensitive interaction forms.
## Associated Threat Actors
- The tool was developed by SensePost. No specific malicious threat actors are associated with it in this context; it is described as a utility for creating PoCs.
## Detection Methods
- **Signature-based detection:** Not generally applicable as it uses standard web technologies (HTML/JS). Detection focuses on the resulting malicious artifact.
- **Behavioral detection:** Monitoring for iframes loaded with `frameborder="0"` or similar attributes, especially where the opacity or position of those iframes is manipulated so that they sit over sensitive interaction points (login forms, confirmation buttons).
- **YARA rules:** Not applicable.
## Mitigation Strategies
- Implement the **X-Frame-Options** HTTP response header set to `DENY` or `SAMEORIGIN`.
- Utilize the **Content Security Policy (CSP)** directive `frame-ancestors` to explicitly control which domains can embed the site in an iframe.
- Analyze user behavior for inputs that appear to submit data while the mouse cursor position does not logically align with the visible input controls.
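The first two mitigations only help if the headers are actually present and parse the way a browser reads them. The following is an added example (not part of Jack or the original post) that evaluates `X-Frame-Options` and CSP `frame-ancestors` for a given site and embedding origin; it assumes the response headers have already been captured (for instance with `curl -I`), and the header sets in `SAMPLES` are constructed for a hypothetical `https://bank.example`.

```python
# Added example (not part of Jack): evaluate a response's anti-framing
# headers the way a browser would. Sample header sets are constructed.
from urllib.parse import urlsplit

def _same_origin(a, b):
    return urlsplit(a.lower())[:2] == urlsplit(b.lower())[:2]

def _source_matches(src, site, embedder):
    """Match one CSP frame-ancestors source expression against embedder."""
    e_scheme, e_host = urlsplit(embedder.lower())[:2]
    if src == "'self'":
        return _same_origin(site, embedder)
    if src == "*":
        return True
    if src.endswith(":"):                     # scheme-source, e.g. https:
        return src[:-1] == e_scheme
    s_scheme, s_host = urlsplit(src)[:2] if "://" in src else (e_scheme, src)
    if s_scheme != e_scheme:
        return False
    if s_host.startswith("*."):               # wildcard: *.partner.example
        return e_host.endswith(s_host[1:])
    return s_host == e_host

def framing_allowed(headers, site, embedder):
    """Return (allowed, reason) for a page at `site` framed from `embedder`.
    Browsers that support frame-ancestors ignore X-Frame-Options when both
    are present, so CSP is checked first."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.lower().split()
        if parts and parts[0] == "frame-ancestors":
            sources = parts[1:]
            if not sources or "'none'" in sources:  # empty list acts as 'none'
                return False, "CSP frame-ancestors 'none'"
            ok = any(_source_matches(s, site, embedder) for s in sources)
            return ok, "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _same_origin(site, embedder), "X-Frame-Options: SAMEORIGIN"
    # No header, or an obsolete/invalid value such as ALLOW-FROM that modern
    # browsers do not enforce: treat the page as frameable.
    return True, "no enforced anti-framing header"

SAMPLES = {  # constructed sample responses for a hypothetical https://bank.example
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_partner": {"X-Frame-Options": "DENY", "Content-Security-Policy":
                    "default-src 'self'; frame-ancestors 'self' https://*.partner.example"}}
```

Run `framing_allowed(SAMPLES["csp_partner"], "https://bank.example", "https://evil.example")` to see that a third-party origin is refused while `https://app.partner.example` is permitted by the wildcard source.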
## Related Tools/Techniques
- Clickjacking (General Technique)
- FrameBusting techniques (Used to defend against Jack's mechanism)
- Other Clickjacking PoC generators (none are named in the source; tools serving a similar function).