DoubleClickjacking (POC's)
This tool lets you manipulate and test the positioning of the double-click button over your target website. Adjust the parameters to ensure accurate detection of DoubleClickjacking.
This POC is based on the research of Paulos Yibelo, ref: https://www.paulosyibelo.com/
Description:
DoubleClickjacking is a new twist on traditional clickjacking attacks. Instead of relying on a single click, it exploits a double-click sequence to bypass established protections like the X-Frame-Options header or SameSite: Lax/Strict cookies. This novel technique has widespread implications, potentially impacting almost every website and enabling account takeovers on numerous major platforms.
Attack Flow:
DoubleClickjacking exploits a subtle flaw in timing and event sequencing:
1. The attacker creates an initial webpage with a button that opens a new window, either when clicked or automatically.
2. When the user interacts with the button, a new window appears on top, prompting the user to "double-click".
3. This new window uses `window.opener.location` to redirect the parent window to the target page.
4. At this point the parent window displays the target page, while the top window still shows the double-click prompt.
5. When the user follows the prompt to double-click, the first click (triggered on `mousedown`) closes the top window. The second click, now targeting the parent window, unknowingly interacts with a sensitive element such as an authorization button.
6. As a result, the user inadvertently grants the attacker's application access to their account with arbitrary permissions.
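As an added example (not the tool's code, and not from the original research) of how a target page can protect the element the second click lands on: the guard below keeps a sensitive action disabled until the document has seen an intentional gesture and has held focus for a short delay. It assumes the sensitive button carries a `data-sensitive` attribute and an `ARM_DELAY_MS` of 500 ms, and it runs both in a browser and under Node.

```javascript
// Added mitigation example for a sensitive page; not part of the POC tool.
// The second click of the double-click lands on the target page milliseconds
// after it was swapped into the parent window, before any mouse movement or
// key press inside it. X-Frame-Options and SameSite cookies do not see this,
// because the click arrives in a top-level first-party window. This guard
// keeps the action disabled until the document has seen an intentional
// gesture (mousemove/keydown) AND has held focus for ARM_DELAY_MS (assumed).
const ARM_DELAY_MS = 500;
function createClickGuard(now = () => Date.now()) {
  let focusedAt = now();   // document load counts as gaining focus
  let gestureSeen = false;
  return {
    // Call on window "focus": the page may have just been swapped in
    // underneath an attacker-controlled window that is about to close.
    onFocus() { focusedAt = now(); gestureSeen = false; },
    // Call on "mousemove" and "keydown" inside the document.
    onGesture() { gestureSeen = true; },
    // True when a click on the sensitive button should be honoured.
    isArmed() { return gestureSeen && now() - focusedAt >= ARM_DELAY_MS; },
  };
}

// Replays a timeline [[ms, type], ...] against a guard with a fake clock and
// returns whether the last click would have been accepted.
function replay(events) {
  let t = 0, accepted = false;
  const guard = createClickGuard(() => t);
  for (const [ms, type] of events) {
    t = ms;
    if (type === "focus") guard.onFocus();
    else if (type === "gesture") guard.onGesture();
    else if (type === "click") accepted = guard.isArmed();
  }
  return accepted;
}

// Constructed timelines: the attack delivers the click ~100 ms after the parent
// gains focus with no gesture; a real user moves onto the button, then clicks.
const DOUBLECLICKJACK = [[0, "focus"], [100, "click"]];
const LEGITIMATE_USER = [[0, "focus"], [300, "gesture"], [1200, "click"]];

if (typeof document !== "undefined") {   // browser wiring; skipped under Node
  const guard = createClickGuard();
  window.addEventListener("focus", () => guard.onFocus());
  document.addEventListener("mousemove", () => guard.onGesture());
  document.addEventListener("keydown", () => guard.onGesture());
  document.addEventListener("click", (e) => {   // capture phase: runs first
    if (e.target.closest("button[data-sensitive]") && !guard.isArmed()) {
      e.preventDefault(); e.stopPropagation();
    }
  }, true);
}
```

Both conditions are required: a stray mousemove between the two clicks alone does not arm the guard, and neither does merely waiting without any gesture.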
How it can be exploited:
OAuth & API Permissions: Attackers could trick targets into authorizing a malicious application with extensive privileges. This technique has unfortunately led to account takeovers on almost every site that supports OAuth, which is pretty much every major website with API support. And even if by some miracle it is detected and the user tries to revoke the malicious app, it would already be too late, since the app could perform its malicious actions the instant it is authorized.
One-Click Account Changes: Similar to classic clickjacking, DoubleClickjacking can be used to make the user click on account-setting changes, such as disabling security settings, deleting an account, authorizing access or money transfers, or confirming transactions.
POC's:
We have developed a tool to simplify testing for DoubleClickjacking. It takes the following parameters:
- Enter the URL: the target website.
- Up or Down: the value by which to move the double-click button up or down.
- Left: the value by which to move the double-click button left.
- Width: the value by which to increase or decrease the width.
- Height: the value by which to increase or decrease the height.
Thanks for Reading this blog :)