1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Clickjacking using Base64 encoding. How they do this ?

Discussion in 'Web Design' started by blackmint, Jul 3, 2016.

  1. blackmint

    blackmint Power Member

    Joined:
    Jun 8, 2013
    Messages:
    656
    Likes Received:
    340
    Location:
    BHW
    Came across usercloud.com.
    when you click on download, it actually pops-up a new tab with base64 code which redirects to the same download page again and the original page is loaded with offers. you have to click 1 more time which does the same job.
    3rd time it takes you to the actual download.

    how to do this ?
    please share your thoughts

    Here is the example download page. hxxps://userscloud.com/hcm1xgxitlff
     
  2. 5zz

    5zz Newbie

    Joined:
    May 23, 2016
    Messages:
    45
    Likes Received:
    15
    I think you're wrong, I have not noticed any Base64 here. Nothing happens when you click on the "Download" button. What pops up is a standard pop-up(i.e. it pops up if you click anywhere)...
     
  3. blackmint

    blackmint Power Member

    Joined:
    Jun 8, 2013
    Messages:
    656
    Likes Received:
    340
    Location:
    BHW
    I'm not wrong.

    Somebody with experience, can you please have a look at it ?
     

    Attached Files:

  4. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    12,584
    Likes Received:
    34,697
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    • Thanks Thanks x 1
  5. 5zz

    5zz Newbie

    Joined:
    May 23, 2016
    Messages:
    45
    Likes Received:
    15
    It just doesn't open in my case, but... It opens a window/tab with that URL("data:text/html;base64,...") and your browser treats it as the response(decodes at first). This seems to bypass AdBlock, because it can only operate on HTTP protocol(i.e. URLs that start with "http(s)://").

    So if you want to do the same, write some HTML, encode it as Base64, and open a new window using the data URI.
    An example:
    HTML:
    HTML:
    <html><head><title>BHW</title></head><body><h1>123</h1></body></html>
    As Base64:
    Code:
    PGh0bWw+PGhlYWQ+PHRpdGxlPkJIVzwvdGl0bGU+PC9oZWFkPjxib2R5PjxoMT4xMjM8L2gxPjwvYm9keT48L2h0bWw+
    As data URI:
    Code:
    data:text/html;base64,PGh0bWw+PGhlYWQ+PHRpdGxlPkJIVzwvdGl0bGU+PC9oZWFkPjxib2R5PjxoMT4xMjM8L2gxPjwvYm9keT48L2h0bWw+
    Opening a window:
    HTML:
    <script>window.open('data:text/html;base64,PGh0bWw+PGhlYWQ+PHRpdGxlPkJIVzwvdGl0bGU+PC9oZWFkPjxib2R5PjxoMT4xMjM8L2gxPjwvYm9keT48L2h0bWw+')</script>
     
  6. blackmint

    blackmint Power Member

    Joined:
    Jun 8, 2013
    Messages:
    656
    Likes Received:
    340
    Location:
    BHW
    i got that part.
    what i didn't get is how to reload the same page in new tab and load the advertiser offers on main tab for 2 consecutive clicks.
    everything works perfect on 3rd click.
    You can't bypass this. i think it is a hidden iframe with jacking script.
     
  7. Grozzy

    Grozzy Newbie

    Joined:
    Jan 1, 2013
    Messages:
    17
    Likes Received:
    13
    Okey, so you hooked me on this and I dug deep.

    If you look at the HTML source you'll find a JavaScript snipped at line ~433. This is 'packed' JS code (hence the function name 'function(p,a,c,k,e,d)') that gets evaluated/executed once it loads.
    There are online tools for unpacking such code snippets, I used //matthewfl.com/unPacker.html and could then read the actual code, //pastebin.com/YRzxbYYX.

    What it does is that it dynamically loads the AD-script from //likablescaldfelted.info/ads/ads.js and then makes a DIV covering the whole view space. This DIV has an event listener that will fire when clicked.
    As for how they check whether it's the third time clicked or not it appears that they use a simple cookie :rolleyes:. You can find this in the unpacked code where the variable k gets declared.

    TL;DR:
    they use a cookie.
     
    • Thanks Thanks x 2