|
|
|
#!/usr/bin/env bash
|
|
|
|
|
|
|
|
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
|
|
|
|
cat << 'EOF'
|
|
|
|
Usage: clickjacking url [outfile]
|
|
|
|
|
|
|
|
The script will use a headless version of firefox to screenshot a page containing the provided url in an iframe
|
|
|
|
|
|
|
|
This script will create a firefox profile called headless to create the screenshot with
|
|
|
|
EOF
|
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
# Name of firefox binary
|
|
|
|
firefox="firefox"
|
|
|
|
# If firefox developer edition is installed, use that instead
|
|
|
|
type "firefox-developer-edition" 2>&1 >/dev/null && firefox="firefox-developer-edition"
|
|
|
|
|
|
|
|
die(){
|
|
|
|
echo "$@"
|
|
|
|
exit 1
|
|
|
|
}
|
|
|
|
|
|
|
|
# Name of firefox profile to use
|
|
|
|
# This will need to be a profile that isn't currently open
|
|
|
|
# I suggest making one for headless use
|
|
|
|
# go to about:profiles in firefox to create one
|
|
|
|
profile="test"
|
|
|
|
|
|
|
|
# Url of site to put in iframe
|
|
|
|
url="$1"
|
|
|
|
|
|
|
|
[ -z "$url" ] && die "You need to provide a url"
|
|
|
|
|
|
|
|
# Name of image to make
|
|
|
|
output="${2:-screenshot.png}"
|
|
|
|
|
|
|
|
$firefox -CreateProfile "$profile" -no-remote 2>&1 >/dev/null
|
|
|
|
|
|
|
|
source="
|
|
|
|
<!DOCTYPE html>
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<meta charset='UTF-8' />
|
|
|
|
<meta name='viewport' content='width=device-width' />
|
|
|
|
<title>Clickjacking example</title>
|
|
|
|
<style type='text/css' media='screen'>
|
|
|
|
body{
|
|
|
|
width: 100vw;
|
|
|
|
height: 100vh;
|
|
|
|
border: 2px solid black;
|
|
|
|
}
|
|
|
|
iframe{
|
|
|
|
border: 3px solid black;
|
|
|
|
width: 80%;
|
|
|
|
height: 80%;
|
|
|
|
margin: 20px auto;
|
|
|
|
display: block;
|
|
|
|
}
|
|
|
|
h1, p{
|
|
|
|
text-align: center;
|
|
|
|
}
|
|
|
|
</style>
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<h1>Clickjacking example</h1>
|
|
|
|
<iframe src='$url'>
|
|
|
|
</iframe>
|
|
|
|
<p>If content is rendered above, the site is vulnerable to clickjacking</p>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|
|
"
|
|
|
|
|
|
|
|
|
|
|
|
$firefox -P "$profile" --screenshot "$output" "data:text/html;base64,$(echo "$source" | base64 -w 0)"
|