16
CLICKJACKING Security Nightmare

Clickjacking Attack

Tags:

Embed Size (px)

DESCRIPTION

Seminar

Citation preview

Page 1: Clickjacking Attack

CLICKJACKINGSecurity Nightmare

Page 2: Clickjacking Attack

Jeremiah Grossman (Whitehat Security)

Robert Hansen(SecTheory)

2008

Page 3: Clickjacking Attack

also known as a "UI redress attack"

…is a malicious technique of tricking a web user…

…into clicking on something different… from what the user perceives they are clicking on

Page 4: Clickjacking Attack

12 cases

+ Browser+ Plug-in+ Website

NOT ALL

Page 5: Clickjacking Attack
Page 6: Clickjacking Attack
Page 7: Clickjacking Attack

<iframe>opacity & z-index

Page 8: Clickjacking Attack

My page (malicious page)w3schools.com

<iframe src=http://www.w3schools.com></iframe>

Page 9: Clickjacking Attack

opacity: 1;z-index: 0;

Page 10: Clickjacking Attack

opacity: 0.5;z-index: 1;

Page 11: Clickjacking Attack
Page 12: Clickjacking Attack

Server side

• X-Frame-Options

• Framebuster

Client side

• No-Script

Page 13: Clickjacking Attack

Header append X-Frame-Options “DENY”

Page 14: Clickjacking Attack

Framebuster

Page 15: Clickjacking Attack

No-Scripts add-on

Page 16: Clickjacking Attack

Clickjacking For Shells - owasp

Clickjacking For Shells - owasp

Documents
Next Generation Clickjacking - Black Hat Briefingsmedia.blackhat.com/bh-eu-10/presentations/Stone/BlackHat... · 2012-04-07 · Clickjacking vs. The Rest Cross-Site Scripting •

Next Generation Clickjacking - Black Hat Briefingsmedia.blackhat.com/bh-eu-10/presentations/Stone/BlackHat... · 2012-04-07 · Clickjacking vs. The Rest Cross-Site Scripting •

Documents
Computer Security: Clickjacking - University of Washington · CSE 484 / CSE M 584 Computer Security: Clickjacking Jared Moore jlcmoore@cs.washington.edu Thanks to Franzi Roesner,

Computer Security: Clickjacking - University of Washington · CSE 484 / CSE M 584 Computer Security: Clickjacking Jared Moore [email protected] Thanks to Franzi Roesner,

Documents
Next Generation Clickjacking - Black Hat Briefings · © Context Information Security Limited / Commercial in Confidence Date[Edit in slide master] Next Generation Clickjacking

Next Generation Clickjacking - Black Hat Briefings · © Context Information Security Limited / Commercial in Confidence Date[Edit in slide master] Next Generation Clickjacking

Documents
Network Security and Privacy - University of Texas …shmat/courses/cs378_spring07/...Clickjacking in the Wild Google search for “clickjacking” returns 624,000 results… this

Network Security and Privacy - University of Texas …shmat/courses/cs378_spring07/...Clickjacking in the Wild Google search for “clickjacking” returns 624,000 results… this

Documents
Next Generation Clickjacking

Next Generation Clickjacking

Documents
Busting Frame Busting: a Study of Clickjacking ...seclab.stanford.edu/websec/framebusting/framebust.pdf · Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular

Busting Frame Busting: a Study of Clickjacking ...seclab.stanford.edu/websec/framebusting/framebust.pdf · Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular

Documents
Toward Secure Embedded Web Interfaces · 2019-02-25 · Clickjacking attacks [18] are the most recent, and most overlooked attack vectors as all devices were vulnerable to them. While

Toward Secure Embedded Web Interfaces · 2019-02-25 · Clickjacking attacks [18] are the most recent, and most overlooked attack vectors as all devices were vulnerable to them. While

Documents
Next Generation Clickjacking - Black Hat | Home

Next Generation Clickjacking - Black Hat | Home

Documents
Clickjacking DevCon2011

Clickjacking DevCon2011

Technology
UI Redressing and Clickjacking: About click fraud and data theft2011.zeronights.org/files/marcusniemietz-uiredressingand... · 2016-08-16 · Introduction Attack vectors Counteractive

UI Redressing and Clickjacking: About click fraud and data theft2011.zeronights.org/files/marcusniemietz-uiredressingand... · 2016-08-16 · Introduction Attack vectors Counteractive

Documents
More attacks on Clients: Clickjacking/UI redressing, CSRF · 2015-04-07 · More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7

More attacks on Clients: Clickjacking/UI redressing, CSRF · 2015-04-07 · More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7

Documents
MODERN WEB SECURITY - University Of Maryland · Clickjacking When one principal tricks the user into interacting with UI elements of another principal An attack application (script)

MODERN WEB SECURITY - University Of Maryland · Clickjacking When one principal tricks the user into interacting with UI elements of another principal An attack application (script)

Documents
Clickjacking: Attacks and Defenses - USENIX...Defining clickjacking • Prerequisite: multiple mutually distrusting applications sharing the same display • An attack application

Clickjacking: Attacks and Defenses - USENIX...Defining clickjacking • Prerequisite: multiple mutually distrusting applications sharing the same display • An attack application

Documents
Accessibility Clickjacking, Devastating Android Vulnerability

Accessibility Clickjacking, Devastating Android Vulnerability

Mobile
Busting Frame Busting: a Study of Clickjacking ... · a Study of Clickjacking Vulnerabilities on Popular Sites ... Web framing attacks such as clickjacking use ... We also surveyed

Busting Frame Busting: a Study of Clickjacking ... · a Study of Clickjacking Vulnerabilities on Popular Sites ... Web framing attacks such as clickjacking use ... We also surveyed

Documents
WEB SECURITY: CLICKJACKING · Clickjacking When one principal tricks the user into interacting with UI elements of another principal An attack application (script) compromises the

WEB SECURITY: CLICKJACKING · Clickjacking When one principal tricks the user into interacting with UI elements of another principal An attack application (script) compromises the

Documents
Web Security Attack Trends & Case Sharingindex-of.co.uk/Various/20100720_01.pdf · 2019. 3. 7. · Page 6 And now… Social Engineering trick allowed a clickjacking worm to spread

Web Security Attack Trends & Case Sharingindex-of.co.uk/Various/20100720_01.pdf · 2019. 3. 7. · Page 6 And now… Social Engineering trick allowed a clickjacking worm to spread

Documents
Clickjacking For Shells - Security Assessment

Clickjacking For Shells - Security Assessment

Documents
Defending against XSS,CSRF, and Clickjacking David Bishop · Defending against XSS,CSRF, and Clickjacking David Bishop University of Tennessee Chattanooga ABSTRACT Whenever a person

Defending against XSS,CSRF, and Clickjacking David Bishop · Defending against XSS,CSRF, and Clickjacking David Bishop University of Tennessee Chattanooga ABSTRACT Whenever a person

Documents
System Architecture and Security Model for ContractRoom...Clickjacking protection Clickjacking is a type of attack where a malicious site wraps another site in a frame. This attack

System Architecture and Security Model for ContractRoom...Clickjacking protection Clickjacking is a type of attack where a malicious site wraps another site in a frame. This attack

Documents
Clickjacking (UI Redressing)pages.cpsc.ucalgary.ca/~joel.reardon/526/notes/slide-18-clickjacking… · for clickjacking, it means changing the UI after the user decides to click but

Clickjacking (UI Redressing)pages.cpsc.ucalgary.ca/~joel.reardon/526/notes/slide-18-clickjacking… · for clickjacking, it means changing the UI after the user decides to click but

Documents
UI Redressing: Attacks and Countermeasures Revisitedindex-of.co.uk/Clickjacking/uiRedressing.pdf · “clickjacking” and it is also known under the previously used term “UI redressing”

UI Redressing: Attacks and Countermeasures Revisitedindex-of.co.uk/Clickjacking/uiRedressing.pdf · “clickjacking” and it is also known under the previously used term “UI redressing”

Documents
OnlineDetection&PreventionofClickjacking Attacks · malicious scripts to be executed on the client side and to carry out Clickjacking attacks in on all web browserplatforms. Clickjacking

OnlineDetection&PreventionofClickjacking Attacks · malicious scripts to be executed on the client side and to carry out Clickjacking attacks in on all web browserplatforms. Clickjacking

Documents
Context-Clickjacking White Paper

Context-Clickjacking White Paper

Documents
14.8.6 December 2017 3725-78311-001L Polycom Video Border ... · clickjacking vulnerability. Clickjacking will compromise sensitive information and weaken the effectiveness of a user’s

14.8.6 December 2017 3725-78311-001L Polycom Video Border ... · clickjacking vulnerability. Clickjacking will compromise sensitive information and weaken the effectiveness of a user’s

Documents
New Computer Security Threat - ClickJacking

New Computer Security Threat - ClickJacking

Documents
Clickjacking: An empirical study with an automated testing ...Clickjacking is not among the preferred attack vector adopted by miscreants on the Internet It is complicated to setup

Clickjacking: An empirical study with an automated testing ...Clickjacking is not among the preferred attack vector adopted by miscreants on the Internet It is complicated to setup

Documents
Kentico 9 · Clickjacking Clickjacking is a type of attack where the attacker tricks website users into clicking something different than what they see, thus performing an action

Kentico 9 · Clickjacking Clickjacking is a type of attack where the attacker tricks website users into clicking something different than what they see, thus performing an action

Documents
SY306 Web and Databases for Cyber Operations Slide · PDF fileSY306 Web and Databases for Cyber Operations Slide Set #3: CSS Style! 2 ClickJacking Attack! • By loading Adobe Flash

SY306 Web and Databases for Cyber Operations Slide · PDF fileSY306 Web and Databases for Cyber Operations Slide Set #3: CSS Style! 2 ClickJacking Attack! • By loading Adobe Flash

Documents