You have a website and you\u2019ve proven it\u2019s vulnerable to clickjacking, but what use is fooling a user into submitting a form unless you can specify some of the data that the user is submitting within those fields?<\/p>\n
We\u2019ve all played games online where you have to match up words to phrases or maybe things like the \u201cimpossible game\u201d where you drag the words to the respective colours.<\/p>\n
What about turning a harmless game such as the above into a form submission machine of awesome. Well now with HTML5 \u2013 you can!<\/p>\n
It\u2019s all thanks to the drag-and-drop method and in particular the ondragstart method.<\/p>\n
1 <\/div><\/td> draggable=\u201dtrue\u201d ondragstart=\u201devent.dataTransfer.setData(\u2018text\/plain\u2019, \u2018Rick Astley\u2019)\u201d<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n Use that on anything you want to make draggable \u2013 in my testing I opted for a simple div containing a string, and ask the players to drag and drop the string onto the correct corresponding sentence.<\/p>\n When they click the \u201canswer\u201d button, it submits the jacked site.<\/p>\n So.. users drag the word CSS across to Cascading Style Sheets \u2013 enters \u201cRick Astley\u201d into the search field of videos.yahoo.com then users click the \u201canswer\u201d button \u2013 submits the video search<\/p>\n Now ideally if google didn\u2019t have x- headers set that forbid the use of google in an iframe I\u2019d have gone and \u201ci\u2019m feeling lucky\u201dd it but sadly no autoplaying rick astley for me.<\/p>\n Still the premise is proven.<\/p>\n Edit:<\/strong> |