Hi Jack!

Reading time ~2 min

Posted by chris on 08 September 2015

Categories: Tools, Willemluvscuddles, Clickjacking, Hipsterlurv, Jack

No, this post is not about a Leon Schuster comedic skit from the early 90’s, YouTube reference here -> https://www.youtube.com/watch?v=JzoUBvdEk1k

To the point, once upon a time there was a tool called Jack which attempted to make ClickJacking PoC’ing a tad sexier and made it’s way to Black Hat EU 2015 Arsenal.

Some time has passed now since Jack was first released and was time for Jack to get some attention alas a new version of Jack has been released and can be found here, https://github.com/sensepost/jack .

The new release of Jack includes a whole new UI such that it is all Drag and Drop now with a single interface which makes those PoC’s for those dreaded reports a little easier. Jack’s source structure has also changed such that to run Jack, download the repo from Git and open “index.html” in your browser of choice and voila! The old UI of Jack is also available as “oldIndex.html”

Jack also includes a new payload option for custom JavaScript which you can provide and will be executed by the browser when Jack’s login button is clicked on the PoC page. Another little option in the new jack is that you can now save the PoC generated page and save the contents to be served by something like Apache just in case you want to take your PoC to the next level with malicious domains etc.

Selection_001 — Vanilla Jack loaded with no target but all “viewable” elements are Drag and Drop-able

Selection_002 — Google Gruyere used as target to be loaded into Jack with UI elements now Drag and Droppable

Selection_003 — Jack’s “View” of the current PoC with no custom styling

Selection_005 — PoC with custom styling and malicious elements to capture user credentials

Selection_004 — PoC “View” with custom styling.

Selection_006 — Complete configuration with custom styling and positioning of elements.

Our Blog