I haz your mouse clicks & key strokes

Akash Mahajan @ MetaRefresh 2012
click · jack · ing |klɪk ˈdʒækɪŋ|
verb

1. User Interface redress attack, UI redress attack, UI redressing

2. is when an attacker uses transparent or opaque layers to trick a user into
   clicking on a button or link on another page when they were intending to
   click on the top-level page. Thus, the attacker is hijacking clicks and/or
   keystrokes.
How to like anything on Facebook/Internet

Flash Settings Player: Because SWF files can be iframed!

Twitter "Don't Click" Attack

[Slide 11: two pairs of screenshots labelled FAKE and REAL, comparing the overlaid page with the genuine one]
Mitigations

• Frame Bursting
  – Why it fails
• X-Frame-Options header
Frame Bursting / Frame Killers

    // Naive frame killer: if this document is not the top-level window,
    // navigate the top window to this page.
    if (top.location != location)
        top.location = self.location;
Best JavaScript code for Frame Bursting

    <style>html { visibility: hidden }</style>
    <script>
      // Keep the page hidden until it is confirmed to be the top-level window;
      // if it is framed, try to replace the framing page with this one.
      if (self == top) {
        document.documentElement.style.visibility = 'visible';
      } else {
        top.location = self.location;
      }
    </script>
X-Frame-Options

• Used to prevent clickjacking

• Doesn't allow the page to be rendered in a frame

• DENY: don't render at all if inside a frame; SAMEORIGIN: render only if the
  framing page is from the same origin

• IE8+, FF4+, Chrome5+
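As an added example (not part of the slides), the check a defender would run against the header on this slide: assessFraming() grades a response's headers the way a browser reads them, and framingHeaders() builds what a server should send. It assumes, beyond the slide, that the Content-Security-Policy frame-ancestors directive is the modern successor of X-Frame-Options.

```javascript
// Added example, not from the slides: audit the X-Frame-Options header
// (and, as the successor to it, CSP frame-ancestors) on a response.
function getHeader(headers, name) {
  // HTTP header names are case-insensitive, so match without regard to case.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]).trim();
}

function frameAncestors(csp) {
  // Source list of the frame-ancestors directive, lower-cased, or null.
  if (!csp) return null;
  const directive = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  return directive ? directive.slice(1).map(s => s.toLowerCase()) : null;
}

function assessFraming(headers) {
  const findings = [];
  let byXfo = false, byCsp = false;
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo === undefined) {
    findings.push('X-Frame-Options missing: any origin may frame the page');
  } else if (['DENY', 'SAMEORIGIN'].includes(xfo.toUpperCase())) {
    byXfo = true;
  } else if (xfo.toUpperCase().startsWith('ALLOW-FROM')) {
    findings.push('ALLOW-FROM is unsupported by most browsers and falls open');
  } else {
    // Invalid or multi-valued (e.g. "DENY, SAMEORIGIN"): browsers ignore it.
    findings.push(`X-Frame-Options "${xfo}" is invalid and ignored`);
  }
  const sources = frameAncestors(getHeader(headers, 'content-security-policy'));
  if (sources !== null) {
    const open = sources.some(s => s === '*' || s === 'http:' || s === 'https:');
    if (open) findings.push('frame-ancestors allows any origin' +
      (byXfo ? ' and overrides X-Frame-Options where supported' : ''));
    else byCsp = true;
  }
  return { framable: !(byXfo || byCsp), findings };
}

function framingHeaders(policy) {
  // Header pair a server should emit; policy is 'deny' or 'sameorigin'.
  const deny = policy === 'deny';
  return {
    'X-Frame-Options': deny ? 'DENY' : 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors ${deny ? "'none'" : "'self'"}`,
  };
}

// Constructed sample responses: unprotected, hardened, and a broken header.
for (const h of [{ 'Content-Type': 'text/html' }, framingHeaders('sameorigin'),
                 { 'x-frame-options': 'DENY, SAMEORIGIN' }]) console.log(assessFraming(h));
```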
Akash Mahajan
That Web Application Security Guy

http://akashm.com | @makash
akashmahajan@gmail.com | 9980527182
References

• Keyboard Cat (CC NC SA): http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/
• I haz your mouse clicks and key strokes: http://cheezburger.com/6135914240
• Just One question: http://www.quickmeme.com/meme/3ow548/
• Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf
• http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
• NoScript image source: Andrew Mason's Flickr photostream
• http://erickerr.com/like-clickjacking
• http://arnab.org/blog/reputation-misrepresentation
• http://erickerr.com/misc/like-clickjacking.js
• http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/
• http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html


Editor's Notes

  1. OWASP definition: Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
     Wikipedia: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.[1][2][3][4] It is a browser security issue that is a vulnerability across a variety of browsers and platforms; a clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.[5] The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be understood as an instance of the confused deputy problem.[6]
  2. Talk about CSS z-order. How cursor and keystrokes can be followed.