8/11/2019 Hari Narayana - Copy
Security Nightmare
CONTENTS
Abstract
Introduction
Main Topic
Future Scope
Conclusion
References
ABSTRACT
Clickjacking attacks are an emerging threat on the web. Clickjacking can cause severe damage, including compromising a user's private webcam, other private data and web-surfing anonymity. The root cause of clickjacking is that an attacker application presents a sensitive UI element of a target application out of context to a user, and hence the user is tricked into acting out of context. To address this root cause, sensitive UI elements are marked as such and browsers enforce context integrity of user actions on these sensitive UI elements, ensuring that the user can see everything. Recent studies state that these attacks have success rates of 43% to 98%.
INTRODUCTION
Clickjacking is a malicious technique for tricking a web user into clicking on an invisible page.
The term Clickjacking was coined by Jeremiah Grossman and Robert Hansen.
CONTD..
When multiple applications or websites share a display, they are subject to clickjacking. Attackers can trick the user into interacting with the UI elements of another application, triggering actions not intended by the user.
Clicking, touching and voice control are some of the actions through which a user can be attacked.
For example, an attacker web page tricks users into clicking on a Facebook Like button by transparently overlaying it on top of an innocuous UI element, such as a "Free iPad" button.
Frame busting is one of the anti-clickjacking methods, but it is fundamentally incompatible with embeddable third-party widgets, such as Facebook buttons.
ANTI-CLICKJACKING DEFENCES
Several anti-clickjacking methods have been proposed and some have been deployed by browsers:
Protecting Visual Context
  User Confirmation
  UI Randomization
  Opaque Overlay Policy
  Framebusting
  Visibility Detection on Click
Protecting Temporal Context
Access Control Gadgets
NEW ATTACK VARIANTS
Cursor Spoofing Attacks
Double-Click Attacks
Double-Click Attack Page
Whack-a-mole Attacks
Several experiments were conducted on these new clickjacking attack variants.
Future Scope
Use of JavaScript to position the hidden iframe
Use of URL fragment identifiers to accurately align the frame content
Inject controlled text into a form field using the browser's drag-and-drop API (HTML5)
The same-origin policy does not apply here.
Java allows overriding the default behavior.
Initiate the drag with a simple click.
Steal the content (and HTML) of a cross-domain page.
Conclusion
Survey of existing clickjacking attacks and defenses. First user study on the effectiveness of clickjacking attacks. Introduced the concept of context integrity and used it to define and characterize clickjacking attacks and their root causes. Designed, implemented, and evaluated InContext, a set of techniques to maintain context integrity. Amazon Mechanical Turk experiments show that our attacks are highly effective, with success rates ranging from 43% to 98%.
References
F. Aboukhadijeh. HOW TO: Spy on the Webcams of Your Website Visitors. http://www.feross.org/webcamspy/, 2011.
Adobe. Flash OBJECT and EMBED tag attributes. http://kb2.adobe.com/cps/127/tn_12701.html, 2011.
G. Aharonovsky. Malicious camera spying using ClickJacking. http://blog.guya.net/2008/10/07/malicious-camera-spying-usingclickjacking/, 2008.
L. C. Aun. Clickjacking with pointer-events. http://jsbin.com/img.