CLICKJACKING: A WEB PAGE STEALS YOUR SOCIAL INTERACTIONS
Faysal Hossain Shezan
CSE,BUET
REFERENCE
CLICKJACKING: A WEB PAGE CAN HEAR AND SEE YOU
- Article
- Publishing year 2014/15
Clickjacking: Attacks and Defenses
- Presented as part of the 21st USENIX Security Symposium (USENIX Security 12)
- Publishing year 2012
OVERVIEW
Root cause of clickjacking is identified
New variants of ClickJacking attack
Drawbacks of existing defense
Proposing a new defense mechanism
A survey on Amazon Mechanical Turk with 2064 participants
WHAT IS CLICKJACKING?
•User click is hijacked in order to perform some action of the hacker's interest
•Known as "UI redress attack"
•Attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page
CLICK EVENT
• Pressing a button
• Moving your mouse over a link
• Submitting a form
IFRAME
A webpage can contain another webpage in it.
Example: Google map
OPACITY
HTML elements can be solid, partially transparent or even invisible.
STACKING ORDER
A webpage can contain another webpage in it.
Example: Google map
HOW DOES IT OCCUR?
•The target page is constructed to lure the victim to click on an object.
•The click action is made to land on some other object and hence used to perform an action that the victim did not intend.
This is the root cause.
HOW DOES IT OCCUR?
Frame busting to thwart Cross Frame Scripting attack
code snippet:
<script type="text/javascript">
  // If this document is not the top-level window, it has been framed:
  // replace the framing page with this document so the frame is broken out of.
  if (top != self) top.location.replace(location);
</script>
Without it, the page could be framed. The parent frame then controls the entire display shown to the user, which tricks the user into clicking the hidden child frame.
THREAT TO USER
•Tricking users into enabling their webcam and microphone through Flash
•Tricking users into making their social networking profile information public
•Downloading and running malware (malicious software), allowing a remote attacker to take control of other people's computers
•Making users follow someone on Twitter
•Sharing or liking links on Facebook
•Getting likes on a Facebook fan page or +1 on Google Plus
•Clicking Google AdSense ads to generate pay-per-click revenue
•Playing YouTube videos to gain views
•Following someone on Facebook
SCENARIO
STEPS TAKEN SO FAR…
X-Frame-Options (XFO) gives three options:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM www.xyz.com
Drawback of XFO: SAMEORIGIN
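To make the three XFO options concrete, here is an added example (not code from the slides or from the referenced paper) that models how a browser decides whether a page carrying an X-Frame-Options header may be rendered inside a chain of frames. Origins such as https://bank.example and https://evil.example are constructed sample values, and the `checkAllAncestors` flag is this example's own way of contrasting a top-level-only SAMEORIGIN comparison with one that checks every ancestor frame.

```javascript
// Added example, not code from the slides: a model of how a browser applies the
// X-Frame-Options (XFO) header when a page is loaded inside a frame.
// Origins are plain serialized-origin strings ("https://www.xyz.com"); every
// origin used in the comments and tests is a constructed sample value.

// Parse the header value into a policy object. ALLOW-FROM needs a full origin
// (scheme://host[:port]); a bare host name such as "www.xyz.com" does not parse.
function parseXFO(headerValue) {
  if (headerValue == null) return { mode: 'NONE' };
  const value = headerValue.trim();
  const upper = value.toUpperCase();
  if (upper === 'DENY') return { mode: 'DENY' };
  if (upper === 'SAMEORIGIN') return { mode: 'SAMEORIGIN' };
  if (upper.startsWith('ALLOW-FROM')) {
    const uri = value.slice('ALLOW-FROM'.length).trim();
    try {
      return { mode: 'ALLOW-FROM', origin: new URL(uri).origin };
    } catch (e) {
      return { mode: 'INVALID' };
    }
  }
  return { mode: 'INVALID' };
}

// Decide whether the page served from `pageOrigin` with this header may be
// rendered inside the given frame chain. `ancestors[0]` is the top-level
// document's origin; the last entry is the direct parent of the framed page.
// `checkAllAncestors` selects the stricter reading of SAMEORIGIN (every
// ancestor must match) instead of comparing the top-level origin only.
function mayBeFramed(headerValue, pageOrigin, ancestors, checkAllAncestors = false) {
  if (ancestors.length === 0) return true; // loaded top-level: XFO does not apply
  const policy = parseXFO(headerValue);
  const topOrigin = ancestors[0];
  switch (policy.mode) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return checkAllAncestors
        ? ancestors.every((origin) => origin === pageOrigin)
        : topOrigin === pageOrigin;
    case 'ALLOW-FROM':
      return topOrigin === policy.origin;
    default:
      // No header, or one this model cannot parse: the frame is rendered.
      return true;
  }
}
```

The two SAMEORIGIN readings give different answers for a chain whose top-level origin matches but whose intermediate frame does not, which is why DENY is the unambiguous choice for a page that never needs to be framed.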
CLASSIFICATION
Compromising target display integrity
- Hiding the target element
- Likejacking
- Tweet bomb
- Partial overlays
Compromising pointer integrity
- Cursorjacking
- Strokejacking
Compromising temporal integrity
- Bait and switch
COMPROMISING TARGET DISPLAY INTEGRITY
Attacker creates an illusion for the victim
A legitimate-looking object is imitated over a target object
Victim gets confused and clicks on the object
The actual click lands on the target element (e.g. on a social media site) and obtains the action or information the attacker wants from the target
COMPROMISING TARGET DISPLAY INTEGRITY
Exploit process for Facebook
COMPROMISING TARGET DISPLAY INTEGRITY
LikeJacking
• Attacker presents a web page that contains two iframes stacked over one another
• Lower frame designed with a Facebook "Like" button
• Upper frame shows some attractive content
COMPROMISING TARGET DISPLAY INTEGRITY
Tweet Bomb
• Multiple dummy accounts
• Sending a large number of tweets in a short interval
• Become the trending topic on Twitter
COMPROMISING POINTER INTEGRITY
•Attacker displays a blinking cursor in a text field
•Victim clicks in the text field and the click is hijacked
•Attacker displays a fake cursor icon
•Victim gets confused and misinterprets the cursor position
COMPROMISING POINTER INTEGRITY
Cursorjacking
• Attacker displays a false cursor which is away from the actual one
• Wrong perception of the actual position of the cursor
• Custom mouse cursor icon which is shifted a few pixels away from the actual spot
http://koto.github.io/blog-kotowicz-net-examples/cursorjacking/
COMPROMISING POINTER INTEGRITY
Strokejacking
•Blinking cursor which asks for keyboard input
•Attacker switches keyboard focus to the target element
•Blinking cursor confuses victims into thinking that they are typing text into the attacker's input field, whereas they are actually interacting with the target element.
COMPROMISING TEMPORAL INTEGRITY
Bait and switch
• The mouse comes near a "claim your free iPad" button; the Like button moves to its location before the user realizes it.
COMPROMISING TEMPORAL INTEGRITY
•Attacker captures the mouse hovering event
•When the click is just about to happen, attacker swaps the position of the target element and the decoy element
•To increase the probability of success, attacker may ask the victim to click multiple times or double click
CLICKJACKING THROUGH ONLINE GAMING
• Dummy web page that contains an online game
• Attacker places the play button below the transparent Facebook Like button
NEW ATTACK VARIANTS
•Attack technique: Cursor spoofing
•Attack success: 43%
•Fake cursor is displayed to the user
•Loud video or audio automatically plays
NEW ATTACK VARIANTS
•Attack technique: Popup window
•Attack success: 47%
•Attacker lures the victim into performing a double click
•After the first click, a Google OAuth dialog pops up and the attacker steals the private data
NEW ATTACK VARIANTS
•Attack technique: Cursor spoofing + fast-paced clicking
•Attack success: 98%
•Known as the whack-a-mole attack
•User needs to click on an object to get the reward
•Suddenly the object is replaced by a Facebook Like button
PRESENT SOLUTION
•CLEARCLICK
•PROCLICK
•CLICKSAFE
•NO SCRIPT ADDON
EXISTING DEFENSE
•Frame killer
•User confirmation
•UI randomization
•Opaque overlay policy
•Frame busting
•Visibility detection on click
 - ClearClick
 - ClickIDS
•UI delays
INCONTEXT DEFENSE
Goal:
•Does not require user prompts
•Provides pointer integrity protection
•Supports target elements that require arbitrary third-party embedding
•Does not break existing sites
INCONTEXT DEFENSE
Ensuring Visual Integrity
•Find the sensitive element
•Compare a cropped screenshot of it with the reference bitmap
•Clickjacking is detected when a mismatch is found
INCONTEXT DEFENSE
Ensuring visual integrity of pointer
• Remove cursor customization
- Attack success: 43% -> 16%
INCONTEXT DEFENSE
Ensuring visual integrity of pointer
• Freeze screen when sensitive elements are found
- Attack success: 4%
• Mute the speaker when the pointer interacts with sensitive elements
- Attack success: 43%
- Attack success (Mute + Freezing): 2%
INCONTEXT DEFENSE
Ensuring visual integrity of pointer
• Lightbox effect around pop up dialog
- Attack success: 43%
- Attack success ( Lightbox + Freezing +
Mute): 2%
• No programmatic cross-origin keyboard
focus changes
INCONTEXT DEFENSE
Ensuring Temporal Integrity
•UI delay after pointer entry
•Pointer re-entry on a newly visible sensitive element
• When a sensitive UI element first appears or is moved to a location where it overlaps with the current location of the pointer, the pointer must leave and re-enter the element before a click counts
•Padding area around sensitive element
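As an added example (not the slides' or the InContext authors' code), the following models the screenshot-versus-reference-bitmap check from the visual integrity slide above together with the temporal integrity rules listed here, for one sensitive element such as a Like button. The coordinates, timestamps, the 250 ms delay, the 20 px padding and the bitmaps are constructed sample values, and the class and method names are this example's own.

```javascript
// Added example, not code from the slides or from InContext itself: a model of
// InContext-style visual and temporal integrity checks for one sensitive element.
// Delay and padding values below are assumptions chosen for the example.

const UI_DELAY_MS = 250; // assumed minimum time between pointer entry and a click
const PADDING_PX = 20;   // assumed padding area around the sensitive element

// Visual integrity: the cropped screenshot of the element must equal the
// reference rendering pixel for pixel (an overlay or partial cover changes it).
// Bitmaps are flat arrays of pixel values (constructed sample data).
function bitmapsMatch(reference, screenshot) {
  if (reference.length !== screenshot.length) return false;
  for (let i = 0; i < reference.length; i++) {
    if (reference[i] !== screenshot[i]) return false;
  }
  return true;
}

class SensitiveElementGuard {
  constructor(reference, { uiDelayMs = UI_DELAY_MS, paddingPx = PADDING_PX } = {}) {
    this.reference = reference;
    this.uiDelayMs = uiDelayMs;
    this.paddingPx = paddingPx;
    this.rect = null;      // {x, y, w, h} of the element, null while hidden
    this.pointer = null;   // last known pointer position
    this.entryTime = null; // when the pointer last entered the padded area
    this.armed = false;    // true only after a genuine entry into the padded area
  }

  _inRect(x, y, pad) {
    const r = this.rect;
    if (!r) return false;
    return x >= r.x - pad && x <= r.x + r.w + pad && y >= r.y - pad && y <= r.y + r.h + pad;
  }

  // The element appears or moves. Any earlier entry no longer counts: if the
  // pointer is already over the new location (bait and switch), the user must
  // move away and come back before a click is accepted.
  placeElement(rect) {
    this.rect = rect;
    this.armed = false;
    this.entryTime = null;
  }

  // Track entry into and exit from the padded area around the element.
  pointerMove(x, y, t) {
    const wasInside = this.pointer ? this._inRect(this.pointer.x, this.pointer.y, this.paddingPx) : false;
    this.pointer = { x, y };
    const nowInside = this._inRect(x, y, this.paddingPx);
    if (nowInside && !wasInside) {
      this.entryTime = t;   // UI delay starts at entry into the padding area
      this.armed = true;
    } else if (!nowInside) {
      this.armed = false;   // leaving resets the state; next entry is fresh
      this.entryTime = null;
    }
  }

  // Decide whether a click at (x, y) at time t is delivered to the element.
  // `screenshot` is the cropped rendering of the element at click time.
  click(x, y, t, screenshot) {
    if (!this._inRect(x, y, 0)) return 'OUTSIDE';
    if (!this.armed) return 'REENTRY_REQUIRED';
    if (t - this.entryTime < this.uiDelayMs) return 'DELAYED';
    if (!bitmapsMatch(this.reference, screenshot)) return 'VISUAL_MISMATCH';
    return 'ALLOWED';
  }
}
```

Running a bait-and-switch sequence through the guard (pointer rests on a decoy, the element is moved under it, the click arrives) yields REENTRY_REQUIRED, and a partial overlay yields VISUAL_MISMATCH even when the timing rules are satisfied.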
EXPERIMENT RESULT
Results of double-click attack
EXPERIMENT RESULT
Results of the cursor-spoofing attack

Treatment Group         Total  Timeout  Skip  Quit  Attack Success
1. Base control            68       26    35     3   4 (5%)
2. Persuasion control      73       65     0     2   6 (8%)
3. Attack                  72       38     0     3  31 (43%)
4. No cursor styles        72       34    23     3  12 (16%)
5a. Freezing (M=0px)       70       52     0     7  11 (15%)
5b. Freezing (M=10px)      72       60     0     3   9 (12%)
5c. Freezing (M=20px)      72       63     0     6   3 (4%)
6. Muting + 5c             70       66     0     2   2 (2%)
7. Lightbox + 5c           71       66     0     3   2 (2%)
8. Lightbox + 6            71       60     0     8   3 (4%)
CONCLUSION
•This paper introduces a new mechanism to prevent clickjacking
•The survey shows the effectiveness of the InContext defense mechanism
•New variants of attacks are emerging
•Need to detect other techniques of clickjacking and find a way to thwart them
Thank You :D

More Related Content

What's hot

Online course portal for campus with query system
Online course portal for campus with query systemOnline course portal for campus with query system
Online course portal for campus with query systemganeshpaul6
 
Student result mamagement
Student result mamagementStudent result mamagement
Student result mamagementMickey
 
Cyber Security Presentation
Cyber Security PresentationCyber Security Presentation
Cyber Security PresentationHaniyaMaha
 
Project report college information management system on Advanced Java
Project report college information management system on Advanced JavaProject report college information management system on Advanced Java
Project report college information management system on Advanced JavaRishabh Kumar ☁️
 
Project report on online examination system
Project report on online examination systemProject report on online examination system
Project report on online examination systemMo Irshad Ansari
 
Attendance Management Report 2016
Attendance Management Report 2016Attendance Management Report 2016
Attendance Management Report 2016Pooja Maan
 
Internet threats and defence mechanism
Internet threats and defence mechanismInternet threats and defence mechanism
Internet threats and defence mechanismCAS
 
student database management system
student database management systemstudent database management system
student database management systemMd. Riadul Islam
 
Computer worms viruses and Prevention
Computer worms viruses and PreventionComputer worms viruses and Prevention
Computer worms viruses and PreventionPratimesh Pathak
 
University Student Payment System ( USPS )
University Student Payment System ( USPS )University Student Payment System ( USPS )
University Student Payment System ( USPS )Md.Mojibul Hoque
 

What's hot (20)

Hms ppt
Hms pptHms ppt
Hms ppt
 
Cybercrime and security
Cybercrime and securityCybercrime and security
Cybercrime and security
 
Online course portal for campus with query system
Online course portal for campus with query systemOnline course portal for campus with query system
Online course portal for campus with query system
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Student result mamagement
Student result mamagementStudent result mamagement
Student result mamagement
 
Cyber Security Presentation
Cyber Security PresentationCyber Security Presentation
Cyber Security Presentation
 
Keyloggers.ppt
Keyloggers.pptKeyloggers.ppt
Keyloggers.ppt
 
Project report college information management system on Advanced Java
Project report college information management system on Advanced JavaProject report college information management system on Advanced Java
Project report college information management system on Advanced Java
 
Student Result
Student ResultStudent Result
Student Result
 
Project report on online examination system
Project report on online examination systemProject report on online examination system
Project report on online examination system
 
cyber security
cyber securitycyber security
cyber security
 
Attendance Management Report 2016
Attendance Management Report 2016Attendance Management Report 2016
Attendance Management Report 2016
 
Internet threats and defence mechanism
Internet threats and defence mechanismInternet threats and defence mechanism
Internet threats and defence mechanism
 
Online Examinition System
Online Examinition SystemOnline Examinition System
Online Examinition System
 
Sequnce diagram for ONLINE EXAMINATION SYSTEM
Sequnce diagram for ONLINE EXAMINATION SYSTEMSequnce diagram for ONLINE EXAMINATION SYSTEM
Sequnce diagram for ONLINE EXAMINATION SYSTEM
 
A presentation on Phishing
A presentation on PhishingA presentation on Phishing
A presentation on Phishing
 
student database management system
student database management systemstudent database management system
student database management system
 
Computer worms viruses and Prevention
Computer worms viruses and PreventionComputer worms viruses and Prevention
Computer worms viruses and Prevention
 
University Student Payment System ( USPS )
University Student Payment System ( USPS )University Student Payment System ( USPS )
University Student Payment System ( USPS )
 
Cybercrime and security
Cybercrime and securityCybercrime and security
Cybercrime and security
 

Viewers also liked

New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...DefconRussia
 
Sagi kahalany the art of clickjacking
Sagi kahalany the art of clickjackingSagi kahalany the art of clickjacking
Sagi kahalany the art of clickjackingBarry Schwartz
 
Hadsec Redhat Administrator Centos Base
Hadsec Redhat Administrator Centos BaseHadsec Redhat Administrator Centos Base
Hadsec Redhat Administrator Centos Basemuhammad pailus
 
Wispi: Mini Karma Router For Pentester - Rama Tri Nanda
Wispi: Mini Karma Router For Pentester - Rama Tri NandaWispi: Mini Karma Router For Pentester - Rama Tri Nanda
Wispi: Mini Karma Router For Pentester - Rama Tri Nandaidsecconf
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Marco Balduzzi
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...Marco Balduzzi
 

Viewers also liked (20)

New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 
Clickjacking Attack
Clickjacking AttackClickjacking Attack
Clickjacking Attack
 
Click jacking
Click jackingClick jacking
Click jacking
 
Click Jacking
Click JackingClick Jacking
Click Jacking
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...
Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data t...
 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSS
 
Sagi kahalany the art of clickjacking
Sagi kahalany the art of clickjackingSagi kahalany the art of clickjacking
Sagi kahalany the art of clickjacking
 
01.introduction
01.introduction01.introduction
01.introduction
 
Hadsec Redhat Administrator Centos Base
Hadsec Redhat Administrator Centos BaseHadsec Redhat Administrator Centos Base
Hadsec Redhat Administrator Centos Base
 
Wispi: Mini Karma Router For Pentester - Rama Tri Nanda
Wispi: Mini Karma Router For Pentester - Rama Tri NandaWispi: Mini Karma Router For Pentester - Rama Tri Nanda
Wispi: Mini Karma Router For Pentester - Rama Tri Nanda
 
SSLv3 and POODLE
SSLv3 and POODLESSLv3 and POODLE
SSLv3 and POODLE
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacks
 
Introduction to MikroTik RouterOS API
Introduction to MikroTik RouterOS APIIntroduction to MikroTik RouterOS API
Introduction to MikroTik RouterOS API
 
Mikrotik RouterOS Security Audit Checklist by Akbar Azwir
Mikrotik RouterOS Security Audit Checklist by Akbar AzwirMikrotik RouterOS Security Audit Checklist by Akbar Azwir
Mikrotik RouterOS Security Audit Checklist by Akbar Azwir
 
Christmas
ChristmasChristmas
Christmas
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)
 
Family tree
Family treeFamily tree
Family tree
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
 
Adauga un text
Adauga un textAdauga un text
Adauga un text
 

Similar to Click jacking

DHTML - Events & Buttons
DHTML - Events  & ButtonsDHTML - Events  & Buttons
DHTML - Events & ButtonsDeep Patel
 
Tips for building fast multi touch enabled web sites
 Tips for building fast multi touch enabled web sites Tips for building fast multi touch enabled web sites
Tips for building fast multi touch enabled web sitesAspenware
 
Fast multi touch enabled web sites
Fast multi touch enabled web sitesFast multi touch enabled web sites
Fast multi touch enabled web sitesAspenware
 
Getting touchy - an introduction to touch and pointer events / Frontend NE / ...
Getting touchy - an introduction to touch and pointer events / Frontend NE / ...Getting touchy - an introduction to touch and pointer events / Frontend NE / ...
Getting touchy - an introduction to touch and pointer events / Frontend NE / ...Patrick Lauke
 
How Natural User Interfaces are changing Human Computer Interaction
How Natural User Interfaces are changing Human Computer InteractionHow Natural User Interfaces are changing Human Computer Interaction
How Natural User Interfaces are changing Human Computer InteractionMarco Silva
 
tL20 event handling
tL20 event handlingtL20 event handling
tL20 event handlingteach4uin
 
Cloak and Dagger Attacks - Android
Cloak and Dagger Attacks - Android Cloak and Dagger Attacks - Android
Cloak and Dagger Attacks - Android Sudara Fernando
 
Crypto Night at CSUS - Bug Bounties
Crypto Night at CSUS - Bug Bounties Crypto Night at CSUS - Bug Bounties
Crypto Night at CSUS - Bug Bounties Behrouz Sadeghipour
 
Accessibility Awareness Lab
Accessibility Awareness LabAccessibility Awareness Lab
Accessibility Awareness LabAlan Ho
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeF-Secure Corporation
 
Enter The back|track Linux Dragon
Enter The back|track Linux DragonEnter The back|track Linux Dragon
Enter The back|track Linux DragonAndrew Kozma
 
Multi Touch presentation
Multi Touch presentationMulti Touch presentation
Multi Touch presentationsenthil0809
 
Rosario Valotta. Abusing Browser User Interfaces for Fun and Profit.
Rosario Valotta. Abusing Browser User Interfaces for Fun and Profit.Rosario Valotta. Abusing Browser User Interfaces for Fun and Profit.
Rosario Valotta. Abusing Browser User Interfaces for Fun and Profit.Positive Hack Days
 
B2. activity and intent
B2. activity and intentB2. activity and intent
B2. activity and intentPERKYTORIALS
 
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend ReportJan 2012 Threats Trend Report
Jan 2012 Threats Trend ReportCyren, Inc
 
WCAG 2.1 update for designers
WCAG 2.1 update for designersWCAG 2.1 update for designers
WCAG 2.1 update for designersIntopia
 

Similar to Click jacking (20)

DHTML - Events & Buttons
DHTML - Events  & ButtonsDHTML - Events  & Buttons
DHTML - Events & Buttons
 
Tips for building fast multi touch enabled web sites
 Tips for building fast multi touch enabled web sites Tips for building fast multi touch enabled web sites
Tips for building fast multi touch enabled web sites
 
Fast multi touch enabled web sites
Fast multi touch enabled web sitesFast multi touch enabled web sites
Fast multi touch enabled web sites
 
Mobile Application Development class 005
Mobile Application Development class 005Mobile Application Development class 005
Mobile Application Development class 005
 
Getting touchy - an introduction to touch and pointer events / Frontend NE / ...
Getting touchy - an introduction to touch and pointer events / Frontend NE / ...Getting touchy - an introduction to touch and pointer events / Frontend NE / ...
Getting touchy - an introduction to touch and pointer events / Frontend NE / ...
 
Clicks Aren't Connections
Clicks Aren't ConnectionsClicks Aren't Connections
Clicks Aren't Connections
 
How Natural User Interfaces are changing Human Computer Interaction
How Natural User Interfaces are changing Human Computer InteractionHow Natural User Interfaces are changing Human Computer Interaction
How Natural User Interfaces are changing Human Computer Interaction
 
tL20 event handling
tL20 event handlingtL20 event handling
tL20 event handling
 
Cloak and Dagger Attacks - Android
Cloak and Dagger Attacks - Android Cloak and Dagger Attacks - Android
Cloak and Dagger Attacks - Android
 
Crypto Night at CSUS - Bug Bounties
Crypto Night at CSUS - Bug Bounties Crypto Night at CSUS - Bug Bounties
Crypto Night at CSUS - Bug Bounties
 
Accessibility Awareness Lab
Accessibility Awareness LabAccessibility Awareness Lab
Accessibility Awareness Lab
 
Security gap in Internet Explorer
Security gap in Internet ExplorerSecurity gap in Internet Explorer
Security gap in Internet Explorer
 
Cyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat LandscapeCyber security webinar part 1 - Threat Landscape
Cyber security webinar part 1 - Threat Landscape
 
Enter The back|track Linux Dragon
Enter The back|track Linux DragonEnter The back|track Linux Dragon
Enter The back|track Linux Dragon
 
Multi Touch presentation
Multi Touch presentationMulti Touch presentation
Multi Touch presentation
 
Rosario Valotta. Abusing Browser User Interfaces for Fun and Profit.
Rosario Valotta. Abusing Browser User Interfaces for Fun and Profit.Rosario Valotta. Abusing Browser User Interfaces for Fun and Profit.
Rosario Valotta. Abusing Browser User Interfaces for Fun and Profit.
 
Abusing bu is-4.3
Abusing bu is-4.3Abusing bu is-4.3
Abusing bu is-4.3
 
B2. activity and intent
B2. activity and intentB2. activity and intent
B2. activity and intent
 
Jan 2012 Threats Trend Report
Jan 2012 Threats Trend ReportJan 2012 Threats Trend Report
Jan 2012 Threats Trend Report
 
WCAG 2.1 update for designers
WCAG 2.1 update for designersWCAG 2.1 update for designers
WCAG 2.1 update for designers
 

More from Faysal Hossain Shezan

More from Faysal Hossain Shezan (6)

Testing Alexa Skill
Testing Alexa SkillTesting Alexa Skill
Testing Alexa Skill
 
Gcp github-bigquery
Gcp github-bigqueryGcp github-bigquery
Gcp github-bigquery
 
Git Tutorial (Part 2: Git Merge)
Git Tutorial (Part 2: Git Merge)Git Tutorial (Part 2: Git Merge)
Git Tutorial (Part 2: Git Merge)
 
Security of Voice Controlled Device
Security of Voice Controlled DeviceSecurity of Voice Controlled Device
Security of Voice Controlled Device
 
How to install and use git
How to install and  use gitHow to install and  use git
How to install and use git
 
Android studio installation
Android studio installationAndroid studio installation
Android studio installation
 

Recently uploaded

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 

Recently uploaded (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Click jacking

  • 1. CLICKJACKING : A WEB PAGE STEALS YOUR SOCIAL INTERACTIONS Faysal Hossain Shezan CSE,BUET
  • 2. REFERENCE • Clickjacking: A Web Page Can Hear and See You (article, publishing year 2014/15) • Clickjacking: Attacks and Defenses (presented as part of the 21st USENIX Security Symposium, USENIX Security 12, publishing year 2012)
  • 3. OVERVIEW • The root cause of clickjacking is identified • New variants of the clickjacking attack • Drawbacks of existing defenses • A new defense mechanism is proposed • A survey on Amazon Mechanical Turk with 2064 participants
  • 4. WHAT IS CLICKJACKING? • The user's click is hijacked in order to perform an action of the attacker's choosing • Also known as a "UI redress attack" • The attacker uses multiple transparent or opaque layers to trick the user into clicking a button or link on another page when they intended to click on the top-level page
  • 5. CLICK EVENT • Pressing a button • Moving your mouse over a link • Submitting a form
  • 6. IFRAME A webpage can contain another webpage in it. Example : Google map
  • 7. OPACITY HTML elements can be solid, partially transparent or even invisible.
  • 8. STACKING ORDER HTML elements can be stacked on top of one another (for example with z-index). The element highest in the stacking order under the pointer receives the click, even when it is transparent.
  • 9. HOW DOES IT OCCUR? • The attacker's page is constructed to lure the victim into clicking on an object. • The click is made to land on some other object, and is thus used to perform an action the victim did not intend. This is the root cause.
  • 10. HOW DOES IT OCCUR? A common countermeasure is frame busting, which thwarts cross-frame scripting (clickjacking) by refusing to render the page inside another frame. Code snippet: <script type="text/javascript"> if (top != self) top.location.replace(location); </script> Without such a defense the page can be framed: the parent frame controls the entire display shown to the user and tricks the user into clicking inside the hidden child frame. Frame-busting scripts can themselves be defeated (for example by loading the target in a sandboxed iframe that is not allowed to navigate the top window), so they are not a complete defense.
  • 11. THREAT TO USER •Tricking users into enabling their webcam and microphone through Flash •Tricking users into making their social networking profile information public Downloading and running a malware (malicious software) allowing to a remote attacker to take control of others computers Making users follow someone on Twitter •Sharing or liking links on Facebook •Getting likes on Facebook fan page or +1 on Google Plus •Clicking Google AdSense ads to generate pay per click revenue •Playing YouTube videos to gain views •Following someone on Facebook
  • 13. STEPS TAKEN SO FAR… The X-Frame-Options (XFO) header gives three options: • X-Frame-Options: DENY (the page is never framed) • X-Frame-Options: SAMEORIGIN (the page is framed only by pages of its own origin) • X-Frame-Options: ALLOW-FROM www.xyz.com (the page is framed only by the single listed origin; this value was never supported by Chrome or Safari and has since been superseded by the CSP frame-ancestors directive) Drawback of XFO SAMEORIGIN: it cannot protect elements such as the Facebook Like button, which must be embedded by arbitrary third-party sites, and a mistyped value is silently ignored by browsers, leaving the page framable.
  • 14. CLASSIFICATION • Compromising target display integrity: hiding the target element, likejacking, tweet bomb, partial overlays • Compromising pointer integrity: cursorjacking, strokejacking • Compromising temporal integrity: bait and switch
  • 15. COMPROMISING TARGET DISPLAY INTEGRITY • The attacker creates an illusion for the victim by placing a legitimate-looking decoy object over the target object • The victim, seeing only the decoy, is confused and clicks on it • The actual click lands on the target element (such as a button on a social media site), giving the attacker the interaction they were after
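The following is an added example, not code from the slides or from the paper: a small evaluator that applies the X-Frame-Options rules above, plus the CSP frame-ancestors directive that replaced ALLOW-FROM, to a chain of ancestor origins. Every header value and origin (victim.example, attacker.example, partner.example, and the https://www.xyz.com from the slide) is constructed for the example. The `legacyTopOnly` switch reproduces older browsers that compared SAMEORIGIN against the top-level page only, which is a second drawback of SAMEORIGIN whenever some page of the protected origin can be made to frame attacker content.

```javascript
// Added example (not from the slides or the paper): evaluate whether a
// response may be rendered inside a frame, given its anti-framing headers and
// the chain of ancestor browsing contexts (top-level document first).
// All header values and origins below are constructed for this example.

// Origin (scheme://host[:port]) of an absolute URL, as a browser computes it.
function originOf(url) {
  return new URL(url).origin;
}

// Return the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression match an ancestor origin?
// Handles 'none', 'self', '*', scheme-only sources ("https:") and host
// sources with an optional leading wildcard label ("https://*.example").
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  const src = source.replace(/^'|'$/g, '').toLowerCase();
  if (src === 'none') return false;
  if (src === 'self') return ancestorOrigin === selfOrigin;
  if (src === '*') return true;
  const anc = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return anc.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A source without a scheme inherits the scheme of the protected page.
  const wantScheme = scheme ? scheme + ':' : new URL(selfOrigin).protocol;
  if (anc.protocol !== wantScheme) return false;
  const hostOk = wildcard ? anc.hostname.endsWith('.' + host) : anc.hostname === host;
  if (!hostOk) return false;
  const ancPort = anc.port || (anc.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === ancPort;
}

// Decide whether the page (origin selfOrigin) may be shown with the given
// ancestor chain. legacyTopOnly reproduces older browsers that compared
// X-Frame-Options: SAMEORIGIN against the top-level document only.
function canBeFramed(headers, selfOrigin, ancestors, legacyTopOnly = false) {
  if (ancestors.length === 0) return true;            // not framed at all
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const fa = frameAncestors(h['content-security-policy']);
  if (fa) {
    // CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
    return ancestors.every(anc => fa.some(src => sourceMatches(src, anc, selfOrigin)));
  }
  const raw = (h['x-frame-options'] || '').trim();
  const xfo = raw.toUpperCase();
  if (xfo === '') return true;                          // no policy: framable by anyone
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') {
    const checked = legacyTopOnly ? ancestors.slice(0, 1) : ancestors;
    return checked.every(anc => anc === selfOrigin);
  }
  if (xfo.startsWith('ALLOW-FROM ')) {
    // One origin only (a full URL with scheme); never honoured by Chrome or Safari.
    const allowed = originOf(raw.slice('ALLOW-FROM '.length).trim());
    return ancestors.every(anc => anc === allowed);
  }
  // Browsers warn about and IGNORE a malformed value, so a typo such as
  // "SAMEORIGIIN" leaves the page framable: same as having no header.
  return true;
}

// Constructed sample responses for the options on the slide.
const SAMPLES = {
  noHeader:   {},
  deny:       { 'X-Frame-Options': 'DENY' },
  sameOrigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  typo:       { 'X-Frame-Options': 'SAMEORIGIIN' },
  allowFrom:  { 'X-Frame-Options': 'ALLOW-FROM https://www.xyz.com' },
  csp:        { 'X-Frame-Options': 'DENY',
                'Content-Security-Policy': "frame-ancestors 'self' https://*.partner.example" },
};
const VICTIM = 'https://victim.example';     // the protected page's origin (constructed)
const ATTACKER = 'https://attacker.example'; // the framing page's origin (constructed)

function evaluateScenarios() {
  return {
    noHeader:         canBeFramed(SAMPLES.noHeader,   VICTIM, [ATTACKER]),                  // true
    deny:             canBeFramed(SAMPLES.deny,       VICTIM, [ATTACKER]),                  // false
    sameOriginAttack: canBeFramed(SAMPLES.sameOrigin, VICTIM, [ATTACKER]),                  // false
    sameOriginSelf:   canBeFramed(SAMPLES.sameOrigin, VICTIM, [VICTIM]),                    // true
    typo:             canBeFramed(SAMPLES.typo,       VICTIM, [ATTACKER]),                  // true (!)
    allowFromOk:      canBeFramed(SAMPLES.allowFrom,  VICTIM, ['https://www.xyz.com']),     // true
    allowFromOther:   canBeFramed(SAMPLES.allowFrom,  VICTIM, [ATTACKER]),                  // false
    cspPartner:       canBeFramed(SAMPLES.csp,        VICTIM, ['https://a.partner.example']), // true
    cspAttacker:      canBeFramed(SAMPLES.csp,        VICTIM, [ATTACKER]),                  // false
    // a victim.example page that frames arbitrary URLs -> attacker page -> target
    nestedModern:     canBeFramed(SAMPLES.sameOrigin, VICTIM, [VICTIM, ATTACKER]),          // false
    nestedLegacy:     canBeFramed(SAMPLES.sameOrigin, VICTIM, [VICTIM, ATTACKER], true),    // true
  };
}
```

The `typo` and `nestedLegacy` rows are the ones to remember: a misspelled header value protects nothing, and a same-origin page that frames untrusted URLs defeats SAMEORIGIN in browsers that only looked at the top-level document. For a widget such as the Like button, which has to be embeddable by any site, none of the XFO values is usable at all, which is why the paper looks for a defense that does not rely on framing restrictions.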
  • 16. COMPROMISING TARGET DISPLAY INTEGRITY Exploit process for Facebook
  • 17. COMPROMISING TARGET DISPLAY INTEGRITY LikeJacking • The attacker's page contains two iframes stacked over one another • The upper frame holds a Facebook "Like" button and is made fully transparent • The lower frame shows some attractive content, so the victim sees the content but the click lands on the invisible Like button
  • 18. COMPROMISING TARGET DISPLAY INTEGRITY Tweet Bomb • Multiple dummy accounts • Sending a large number of tweets in a short interval • The topic becomes a trending topic on Twitter
  • 19. COMPROMISING POINTER INTEGRITY • The attacker displays a blinking cursor in a text field • The victim clicks in the text field and the click is hijacked • The attacker displays a fake cursor icon • The victim, confused, misinterprets where the real cursor is
  • 20. COMPROMISING POINTER INTEGRITY Cursorjacking • The attacker displays a false cursor some distance away from the actual one • The victim has a wrong perception of the actual position of the cursor • Implemented with a custom mouse cursor icon whose image is shifted a few pixels away from the actual hotspot http://koto.github.io/blog-kotowicz-net-examples/cursorjacking/
  • 21. COMPROMISING POINTER INTEGRITY Strokejacking • A blinking cursor invites keyboard input • The attacker switches keyboard focus to the target element • The blinking cursor confuses victims into thinking they are typing text into the attacker's input field, whereas they are actually interacting with the target element
  • 22. COMPROMISING TEMPORAL INTEGRITY Bait and switch • As the mouse approaches the "claim your free iPad" button, the Like button is moved to that location before the user realizes it.
  • 23. COMPROMISING TEMPORAL INTEGRITY • The attacker captures the mouse-hover event • Just before the click is about to launch, the attacker swaps the positions of the target element and the decoy element • To increase the probability of success the attacker may ask the victim to click multiple times or to double-click
  • 24. CLICKJACKING THROUGH ONLINE GAMING • A dummy web page that contains an online game • The attacker places the Play button below a transparent Facebook Like button
  • 25. NEW ATTACK VARIANTS • Attack technique: Cursor spoofing • Attack success: 43% • A fake cursor is displayed to the user • Loud video or audio plays automatically
  • 26. NEW ATTACK VARIANTS • Attack technique: Popup window • Attack success: 47% • The attacker lures the victim into performing a double click • After the first click a Google OAuth pop-up appears, and the second click lands on it, letting the attacker steal private data
  • 27. NEW ATTACK VARIANTS • Attack technique: Cursor spoofing + fast-paced clicking • Attack success: 98% • Known as the whack-a-mole attack • The user must click on an object to get the reward • Suddenly the object is replaced by a Facebook Like button
  • 29. EXISTING DEFENSE • Frame killer / frame busting • User confirmation • UI randomization • Opaque overlay policy • Visibility detection on click (ClearClick, ClickIDS) • UI delays
  • 30. INCONTEXT DEFENSE Goal: • Does not require user prompts • Provides pointer integrity protection • Supports target elements that require arbitrary third-party embedding • Does not break existing sites
  • 31. INCONTEXT DEFENSE Ensuring visual integrity • Find the sensitive element • Render it in isolation to obtain a reference bitmap, and compare it with a screenshot of the screen region the element occupies (what the user actually sees), cropped to the element • A mismatch means the element was obscured or altered, so the click is treated as clickjacking and is not delivered
  • 32. INCONTEXT DEFENSE Ensuring visual integrity of pointer • Remove cursor customization - Attack success: 43% -> 16%
  • 33. INCONTEXT DEFENSE Ensuring visual integrity of pointer • Freeze the screen around the sensitive element (within a margin M of it) while the pointer is over it - Attack success: 4% (M=20px)
  • 34. INCONTEXT DEFENSE Ensuring visual integrity of pointer • Mute the speaker while the pointer interacts with a sensitive element - Attack success without the defense: 43% - Attack success (muting + freezing): 2%
  • 35. INCONTEXT DEFENSE Ensuring visual integrity of pointer • Lightbox effect around the pop-up dialog - Attack success without the defense: 43% - Attack success (lightbox + freezing): 2%; lightbox + muting + freezing: 4% (see the table on slide 38) • No programmatic cross-origin keyboard focus changes
  • 36. INCONTEXT DEFENSE Ensuring temporal integrity • UI delay after pointer entry: clicks on a sensitive element are ignored until the pointer has rested on it for a short delay • Pointer re-entry on a newly visible sensitive element: when a sensitive UI element first appears or is moved to a location where it overlaps the current pointer position, the pointer must leave and re-enter it before a click is accepted • Padding area around the sensitive element, so the entry delay starts before the pointer reaches the element itself
  • 37. EXPERIMENT RESULT Results of double-click attack
  • 38. EXPERIMENT RESULT Results of the cursor-spoofing attack

    Treatment group            Total  Timeout  Skip  Quit  Attack success
    1.  Base control              68       26    35     3         4  (5%)
    2.  Persuasion control        73       65     0     2         6  (8%)
    3.  Attack                    72       38     0     3        31 (43%)
    4.  No cursor styles          72       34    23     3        12 (16%)
    5a. Freezing (M=0px)          70       52     0     7        11 (15%)
    5b. Freezing (M=10px)         72       60     0     3         9 (12%)
    5c. Freezing (M=20px)         72       63     0     6         3  (4%)
    6.  Muting + 5c               70       66     0     2         2  (2%)
    7.  Lightbox + 5c             71       66     0     3         2  (2%)
    8.  Lightbox + 6              71       60     0     8         3  (4%)

  • 39. CONCLUSION • The paper introduces a new mechanism, InContext, to prevent clickjacking • The survey shows the effectiveness of the InContext defense mechanism • New variants of the attack keep emerging • Other clickjacking techniques still need to be detected, and ways found to thwart them