Full Report
No, this post is not about a Leon Schuster comedic skit from the early 90s (YouTube reference here: https://www.youtube.com/watch?v=JzoUBvdEk1k). To the point: once upon a time there was a tool called Jack which attempted to make ClickJacking PoC'ing a tad sexier, and it made its way to Black Hat EU 2015 Arsenal. Some time has passed since Jack was first released, and it was time for Jack to get some attention, so a new version of Jack has been released; it can be found at https://github.com/sensepost/jack .
Analysis Summary
# Tool/Technique: Jack (Updated Version)
## Overview
Jack is a tool designed to simplify the creation of Proof-of-Concept (PoC) demonstrations for ClickJacking vulnerabilities. A new version has been released, featuring a significant user interface overhaul to make PoC generation easier via a drag-and-drop interface.
## Technical Details
- Type: Tool
- Platform: Web (Operated via a browser by opening `index.html`)
- Capabilities: Generating ClickJacking PoCs, Drag and Drop interface, custom JavaScript payload support, saving generated PoC pages for local serving.
- First Seen: Initial version presented at Black Hat EU 2015, new version released sometime after the initial 2014 release mentioned in the linked article.
## MITRE ATT&CK Mapping
The analysis focuses on the creation of PoCs for a client-side exploitation technique.
- **TA0001 - Initial Access**
  - **T1189 - Drive-by Compromise** (N/A): While Jack itself is a PoC tool, the resulting setup leverages social engineering and client-side manipulation that mimics this access phase by tricking a user into clicking.
- **TA0002 - Execution**
  - **T1204.002 - User Execution: Malicious File** (N/A): The PoC relies on the user unknowingly executing actions (clicks) on a malicious, overlaid interface.
- **TA0011 - Command and Control** (N/A): Not directly applicable as Jack is a local PoC generator, but the resulting attack setup might involve redirecting user input or credentials.
## Functionality
### Core Capabilities
- **Drag and Drop UI**: The new version features a complete Drag and Drop interface in a single window, simplifying the assembly of PoC pages.
- **PoC Generation**: Builds web pages designed to trick users into performing unintended actions (ClickJacking).
- **Interface Customization**: Allows for the application of custom styling to the generated PoC elements.
- **Target Loading**: Can load reference targets, such as Google Gruyere, to demonstrate overlay capabilities.
- **PoC Saving**: Ability to save the generated HTML/PoC page content so it can be served externally (e.g., via Apache on a malicious domain).
### Advanced Features
- **Custom JavaScript Payload**: Users can provide custom JavaScript code that will be executed specifically when the target's (now overlaid) login button is clicked.
- **Element Manipulation**: All "viewable" elements of a target page can be made drag-and-droppable within the Jack interface for precise positioning.
## Indicators of Compromise
Since Jack is a PoC generation tool and not malware, traditional IOCs are not applicable unless the generated PoC is deployed.
- File Hashes: N/A (Source code repository is the delivery mechanism)
- File Names: `index.html`, `oldIndex.html` (within the downloaded repository)
- Registry Keys: N/A
- Network Indicators: N/A (The tool itself does not communicate externally for exploitation; C2 would be related to a deployed, malicious version of the resulting PoC)
- Behavioral Indicators: Creating HTML content designed to overlap legitimate UI elements in a browser context.
## Associated Threat Actors
N/A - Jack is a widely available community tool released by SensePost, generally used by penetration testers or security researchers for demonstration purposes. It has no direct association with known adversarial threat groups mentioned in the article.
## Detection Methods
Detection focuses on identifying the use or deployment of ClickJacking techniques:
- Signature-based detection: Detecting known HTML structures associated with transparent overlays or frame-breaking attempts.
- Behavioral detection: Monitoring for unusual iframe manipulations or iframes with zero opacity/size leading to unexpected user actions.
- YARA rules: N/A
## Mitigation Strategies
- Prevention measures for ClickJacking:
  - Implementing the X-Frame-Options header (DENY or SAMEORIGIN).
  - Implementing the Content Security Policy (CSP) frame-ancestors directive.
- Hardening recommendations:
  - Training users to be cautious about clicking elements on unfamiliar or suspicious web pages, especially when interacting with login prompts or confirmation buttons.
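As an added example (not code from the original post or from the Jack project), the check below classifies a response's headers according to whether they stop the page from being framed by another origin, which is what the two prevention measures above are for. The header sets it is fed are constructed samples, including the cases where a header is present but has no effect.

```python
# Added illustration for the mitigations above; not code from the Jack project.
# Every header set below is constructed sample input.
from typing import Mapping


def framing_verdict(headers: Mapping[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allow-list' or 'frameable'.

    Browsers that understand CSP honour frame-ancestors and ignore
    X-Frame-Options when both are present, so CSP is checked first.
    Only enforced response headers count: a Report-Only policy and a CSP
    delivered in a <meta> tag do not restrict framing, so neither is read.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            if "*" in sources:
                return "frameable"  # wildcard: any origin may frame the page
            return "allow-list"  # only the listed origins/schemes may frame
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is ignored by current browsers, as is any unrecognised
    # value, so in both cases the page can be framed by any origin.
    return "frameable"


# Constructed sample responses: one header dict per case.
SAMPLE_RESPONSES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "deny"},
    "xfo-legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wins": {"Content-Security-Policy": "frame-ancestors 'self'", "X-Frame-Options": "DENY"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}


def audit(responses: Mapping[str, Mapping[str, str]] = SAMPLE_RESPONSES) -> dict:
    """Map each sample name to its verdict; 'frameable' entries need fixing."""
    return {name: framing_verdict(hdrs) for name, hdrs in responses.items()}
```

Calling `audit()` on the samples returns `frameable` for `no-headers`, `xfo-legacy` and `report-only`, and `same-origin` for `csp-wins` because the CSP directive takes precedence over the conflicting X-Frame-Options value.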
## Related Tools/Techniques
- ClickJacking (General Attacking Technique)
- Tools that simplify vulnerability PoC creation.