
carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Problem
The post (DEF CON 33, Aug 9, 2025) introduces DOM-based Extension Clickjacking: coercing a user to click hidden, extension-injected autofill UI so sensitive data is filled into attacker-controlled forms. Unlike classic iframe-based extension clickjacking (via overly exposed web_accessible_resources), the DOM-based variant hides or occludes extension UI already injected into the page.

How autofill UIs work (target surface)
Password managers inje...

🔧 Technical Details

DOM-based extension clickjacking (manual autofill): Focus an attacker-controlled input to trigger the manager’s dropdown, then hide/occlude the extension UI (set opacity on its root/child, lower BODY/HTML opacity with a screenshot background, or cover it with a Popover-based overlay using pointer-events:none). Align the hidden dropdown under a believable control so the victim’s click selects an item; read the filled values from your form and exfiltrate them.

IFRAME-based extension clickjacking: If an extension exposes HTML UIs via web_accessible_resources, load them in a transparent iframe (e.g., <iframe src="chrome-extension://ID/file.html" style="opacity:0">) and drive user clicks to perform privileged actions. Mitigate by scoping matches (MV3) and adding frame-ancestors/X-Frame-Options to any unavoidable HTML resources.

Autofill domain-expansion abuse: Many manager...

🤖 Agent Actions

I analyzed the repository and found the most relevant existing locations for this topic:

  • src/pentesting-web/clickjacking.md — general clickjacking/UI redressing techniques
  • src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md — browser extension clickjacking (previously focused on IFRAME-based via web_accessible_resources)
  • Also reviewed: browser-extension-pentesting-methodology/README.md, browext-xss-example.md, network-services-pentesting/pentesting-web/special-http-headers.md, and web-vulnerabilities-methodology.md to ensure structure and linking.

What I updated

  1. Extended the Browser Extension Clickjacking page with DOM-based autofill clickjacking content
  • File modified: src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md
  • Added a new comprehensive section: “DOM-based Extension Clickjacking (Password Manager Autofill UIs)”
    • Threat model and step-by-step attack flow for manual autofill coercion
    • Techniques for hiding/occluding extension-injected UIs:
      • Extension element opacity manipulation (including shadow DOM child iframe hiding)
      • Parent element (BODY/HTML) opacity tricks with screenshot backgrounds
      • Overlays using pointer-events:none and the Popover API/Top Layer
    • Positioning strategies (fixed placement under believable controls, follow-mouse refocus trick)
    • Universal detection/state awareness of managers to choose the right hiding method
    • Impact scenarios (PII/credit card exfil on attacker-controlled sites; multi-click credential/TOTP theft on related subdomains; note on passkeys and session-bound challenges)
    • Limitations (user click and alignment requirements; auto-lock windows)
    • Extension developer mitigations:
      • Top Layer rendering, Closed Shadow DOM, MutationObserver for style tampering, elementsFromPoint() overlay detection, disable pointer-events and close on occlusion
      • MV3 scoping and frame-ancestors/X-Frame-Options for IFRAME-based exposures
    • User recommendations (disable manual autofill, on-click site access, exact-URL matching)
    • Notes on real-world cases
  • Added the blog to References:
    • DOM-based Extension Clickjacking (marektoth.com)
  2. Added a bridge section in the main Clickjacking page to reference DOM-based autofill clickjacking
  • File modified: src/pentesting-web/clickjacking.md
  • Added “Browser extensions: DOM-based autofill clickjacking”
    • Short overview of this variant and how it uses DOM/CSS manipulation to hide extension autofill UIs and coerce clicks
    • Internal link to the detailed browser extension page:
      • {{#ref}}browser-extension-pentesting-methodology/browext-clickjacking.md{{#endref}}
  • Updated References to include the DOM-based Extension Clickjacking blog

Why this placement

  • The existing browser extension clickjacking page covered only IFRAME-based (web_accessible_resources) attacks. The new DOM-based technique specifically targets extension-injected autofill UIs, so the extension-specific page is the best primary home.
  • The main clickjacking page is commonly consulted for UI redressing techniques, so I added a concise section that points readers to the extension-specific details.

Research and style

  • Followed HackTricks style: clear subsections, code blocks, concise technical language, and a single References section per updated file with the blog link.
  • Preserved existing content and structure while adding new techniques and mitigations relevant to DOM-based extension clickjacking.

No new files were necessary.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 896
  • MD files fixed: 2

All .md files have been checked for proper formatting (headers, includes, etc.).
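The occlusion-detection mitigation listed above (elementsFromPoint() overlay detection combined with an opacity check that catches the BODY/HTML opacity trick), written out as an added example that is not part of this PR or of the referenced blog post. The browser APIs are passed in through an `env` object and `fakeNode` stands in for DOM elements so the logic can run outside a browser; all function names and the 0.9 threshold are assumptions.

```javascript
// Added example (not from the PR or the blog): extension-side check that an
// injected autofill dropdown is genuinely visible before it accepts a click.
const MIN_EFFECTIVE_OPACITY = 0.9; // assumed threshold; tune per extension

// CSS opacity composes multiplicatively down the tree, so opacity:0 on BODY
// or HTML hides the dropdown even though the dropdown's own opacity is 1.
function effectiveOpacity(el, env) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const style = env.getComputedStyle(node);
    if (style.visibility === 'hidden' || style.display === 'none') return 0;
    const v = parseFloat(style.opacity);
    if (!Number.isNaN(v)) opacity *= v;
  }
  return opacity;
}

// Hit-test the dropdown's centre: if the topmost element is neither the
// dropdown nor a descendant, something opaque sits over it. Caveat: elements
// with pointer-events:none are not hit-testable, so they will not appear here.
function isCoveredAtCenter(el, env) {
  const r = el.getBoundingClientRect();
  const stack = env.elementsFromPoint(r.left + r.width / 2, r.top + r.height / 2);
  if (stack.length === 0) return true; // off-screen or zero-sized
  return stack[0] !== el && !el.contains(stack[0]);
}

// Returns the reasons the dropdown should close (empty array = safe to show).
function occlusionReasons(el, env) {
  const reasons = [];
  if (effectiveOpacity(el, env) < MIN_EFFECTIVE_OPACITY) reasons.push('low-opacity');
  if (isCoveredAtCenter(el, env)) reasons.push('covered');
  return reasons;
}

// Constructed stand-in for DOM nodes; real code passes the live elements.
function fakeNode(style, parent = null) {
  return {
    style, parentElement: parent,
    contains(other) { for (let n = other; n; n = n.parentElement) if (n === this) return true; return false; },
    getBoundingClientRect() { return { left: 10, top: 10, width: 200, height: 100 }; },
  };
}

function demo() {
  const html = fakeNode({ opacity: '1' });
  const body = fakeNode({ opacity: '0.05' }, html); // BODY opacity trick from the post
  const dropdown = fakeNode({ opacity: '1' }, body);
  const env = { getComputedStyle: n => n.style, elementsFromPoint: () => [dropdown] };
  return occlusionReasons(dropdown, env); // → ['low-opacity']
}
```

In a content script the same check would run when the dropdown opens and again from a MutationObserver callback on style/attribute changes, closing the dropdown whenever the array is non-empty.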

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://marektoth.com/blog/dom-based-extension-clickjacking/#browser-extension-clickjacking

Content Categories: Based on the analysis, this content was categorized under "Web Attacks -> Clickjacking / UI Redressing -> DOM-based Extension Clickjacking (Password Manager Autofill UIs)".

Repository Maintenance:

  • MD Files Formatting: 896 files processed (2 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
