How to make thousands of real people like your Facebook page without them even learned

In this blog post I instrument pretending you how to use a model titled 'clickjacking' to increase thousands of proper Facebook likes, Cheep Followers, Google +1's, you label it. You could potentially use this politician to get every azygos traveler of your website to like your Facebook diplomat without them later learned.



But author importantly, I give also conduct you how you can foreclose this from happening to your website. Be prompt for many discipline terms. In tell to be fit to canvass this tutorial, you should at the real smallest hold both standard knowledge of HTML.

And gratify, before you scan any boost, be trustworthy to interpret and understand the warning beneath!

Warning: Clickjacking is an utmost blackhat practice. At how-to-blackhat we change never victimized, nor testament we every use, any blackhat hacks or remaining specified methods to advantage danger. We recommend you do neither! The substance provided in this article is to be victimized for educational purposes exclusively And to ameliorate protect yourself against such hacks. We are not answerable for any utilization of the assemblage provided.

What the heck is clickjacking anyways?

Clickjacking, also illustrious as a "UI remediation attack", is when an aggressor uses ordinary straight or murky layers of magic a human into clicking on a button or link up on adding industrialist when they were intending to emit on the top level diplomatist. Thus, the attacker is "hijacking" clicks meant for their author and routing them to another tender, most promising owned by another coating, arena, or both.

For model, edit a programmer who builds a web situation that has a fix on it that says "penetrate here to go to Google". However, on top of that web tender, the assailant has full an iframe with a Peep Persist switch, and lined up just the "Follow" button straight on top of the "slack here to go to Google" add. The person tries to penetrate on the join to Google, but instead actually clicked on the imperceptible Twitter Take button. The dupe now starts to study the assault on Twirp without modifying informed it. In gist, the aggressor has "hijacked" the user's clack, thus the obloquy "Clickjacking".

Stake in 2009, clickjacking prefab the tidings in the influence of a Twitter worm. This clickjacking knock certain users to click on a secure which caused them to re-tweet a tie to the vixenish writer, causing it to go viral.

Clickjacking was initially disclosed by Robert Hansen and Jeremiah Grossman.

Dig in

In this demonstration, we are achieved to steal Facebook likes without the mortal wise it.

In order to do this, we will be using a kind new means titled Quickjack (a magnificent but filthy puppet by Samy Kamkar)
To automatically create the right that allows the somebody to sound anywhere on the writer in impose to get clickjacked.
But before we can do any of that, we module was banged to make an equivalent switch.

Step 1: Creating a Facebook like button

You can word over to this Facebook page which allows you to easily generate a suchlike fasten.
Modify reliable to invalid the "Pretense Friends' Faces" alternative, and don't permit the part secure.
Then flick on the 'Get code' secure.

Step 2: Set-up a tender for the Equivalent fasten

Now that we human the encipher for the similar secure, we present requisite a writer to demonstrate it on.
Reduplicate and condiment the right, you retributive generated on Facebook into an empty HTML file,
and get sure you upload it to your web computer.

Step 3: Make the clickjacking script

This is where the fun begins. Pedagogue over to the Quickjack puppet I told you active earlier,
And start the fastening to your like fasten attendant in the signature field. Then clink on the 'Go' button succeeding to the sign:

Quickjack faculty weights your same score into it's diplomatist, but because the suchlike security is so little, i
T give them down the input and buttons from Quickjack it.
Use the inhalation puppet (person mark painting on the top mitt) to lag Quickjack's controls below your suchlike button.

Succeeding, we person to instruct Quickjack where we need to oblige the mortal to dawn.
We want our victims to penetrate on the suchlike fasten, so go upbound and click on it.
 A red crosshairs testament materials to inform where you've set your click-target.
You can now penetrate on the "I'm done!" fix to create the cipher for the clickjack script.

Step 4: Let the clickjacking Solon!

You can now simply simulate the cypher that Quickjack has generated for you, and attach it to any (high-traffic) website you own.
When a visitant clicks anywhere on that website, he or she gives actually be pressing the similar fix you've retributory created.

Defending against Clickjacking

There are two principal slipways to forestall clickjacking:

1. Sending the prissy X-Frame-Options HTTP salutation headers that instruct the browser to not consent framing from opposite domains  
2. Employing antiaircraft code in the UI to ensure that the following system is the most top tier bane

I don't deprivation to make this article too specialized, so for many aggregation on Clickjacking demurrer,
Delight cognition over to the Clickjacking Defense Cheat Sheet.