This technically light talk + demo shows what User Interface Redressing attacks are and how they work.
Web applications built with HTML5 + JavaScript + CSS in modern browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unexploitable XSS and Facebook Like attacks.
TL;DR: a cool demo and a simple-to-understand explanation of Clickjacking
1. I haz your mouse
clicks & key strokes
Akash Mahajan @ MetaRefresh 2012
2. click · jack · ing |klɪk ˈdʒækɪŋ|
verb
1. User Interface redress attack, UI redress attack, UI Redressing
2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes
13. Frame Bursting / Frame Killers
// Naive frame killer: if we are not the top window, navigate the top window to ourselves.
if (top.location != location)
    top.location = self.location;
14. Best JavaScript code for Frame Bursting
<style>html { visibility: hidden }</style>
<script>
// The page starts hidden and is only revealed once we know we are the top window.
if (self == top) {
    document.documentElement.style.visibility = 'visible';
} else {
    // Framed: try to break out. If the framing page blocks the navigation, the page simply stays blank.
    top.location = self.location;
}
</script>
15. X-Frame-Options
• Used to prevent Clickjacking
• Doesn't allow the page to be rendered in a frame
• DENY: don't render at all if inside a frame; SAMEORIGIN: render only if the framing page is served from the same origin
• IE8+, FF4+, Chrome5+
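The server-side counterpart to this slide, as an added example that is not from the talk: a small WSGI middleware that sets the header, and a check that evaluates DENY and SAMEORIGIN the way the slide describes them. The function names (add_x_frame_options, framing_allowed, run_once) and the sample app are hypothetical, and treating a missing or unrecognised header value as "framable" is an auditing assumption.

```python
from urllib.parse import urlsplit


def add_x_frame_options(app, policy="DENY"):
    """WSGI middleware (hypothetical name) that sets X-Frame-Options."""
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")

    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Drop any copy the app set so exactly one policy is sent.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped

def origin_of(url):
    """scheme://host[:port], the part browsers compare for SAMEORIGIN."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"

def framing_allowed(headers, page_url, top_url):
    """Would a browser render page_url inside a frame on top_url?
    DENY and SAMEORIGIN follow the slide; a missing or unrecognised
    value is treated as no protection (audit assumption)."""
    value = None
    for name, val in headers:
        if name.lower() == "x-frame-options":
            value = val.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(top_url)
    return True

def hello_app(environ, start_response):
    """Constructed sample app: the page we do not want framed."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Transfer funds</h1>"]

def run_once(app, path="/"):
    """Call a WSGI app in-process; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"},
                        start_response))
    return captured["status"], captured["headers"], body
```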
16. Akash Mahajan
That Web Application Security Guy
http://akashm.com | @makash
akashmahajan@gmail.com | 9980527182
17. References
• Keyboard Cat CC NC SA
http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/
• I haz your mouse clicks and key strokes http://cheezburger.com/6135914240
• Just One question http://www.quickmeme.com/meme/3ow548/
• Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf
• http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
• (NoScript image source: Andrew Mason's Flickr photostream).
• http://erickerr.com/like-clickjacking
• http://arnab.org/blog/reputation-misrepresentation
• http://erickerr.com/misc/like-clickjacking.js
• http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/
• http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html
Editor's Notes
OWASP definition: Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
Wikipedia: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms; a clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be understood as an instance of the confused deputy problem.
Talk about CSS z-order. How cursor and keystrokes can be followed.