Something about Clickjacking

Let’s watch a YouTube video first: Clickjacking

As the video shows, after playing a simple game, the player’s webcam gets clickjacked.
Here is another video from Google Video, New Zero-Day Browser Exploits - ClickJacking, which gives a detailed description of clickjacking.

Here is another post, from a Google employee:

“For a couple of months now, along with a number of my colleagues at Google, we were investigating a security problem that we feel is very difficult or impossible to avoid on application side, and might be best addressed on HTML or HTTP level in contemporary browsers. These problems had recently gained some mainstream attention, and so we hoped to discuss potential solutions, and perhaps gain some traction for long-term fixes.

Problem definition: a malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as “delete all items”, “click to add Bob as a friend”, etc. It may then provide its own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it. Although the examples above are naive, this is clearly a problem for a good number of modern, complex web applications.

Practical, real-world examples of such “UI redress” attacks were demonstrated in the past, and recently resurfaced on an OWASP conference (under the name of “clickjacking”); some references include:

* http://www.thespanner.co.uk/2008/02/11/csrf-chat/
* https://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
* http://lists.immunitysec.com/pipermail/dailydave/2008-September/005356.h…

We feel that current web browser designs provide no adequate tools for web site owners to protect their applications against such attacks. The two workarounds often employed right now are:”

For the full post, click here.
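As an added example (not code from the original post, nor from the Google discussion it quotes), the following JavaScript decides from a response’s headers whether a browser will refuse to render the page inside a cross-origin frame, which is the HTTP-level mitigation the quoted post argues for. It assumes the semantics of X-Frame-Options (RFC 7034) and the CSP frame-ancestors directive, both standardized after that post was written; the header objects are constructed samples, not real sites.

```javascript
// Added example: evaluate framing protection from HTTP response headers.
// Assumes X-Frame-Options (RFC 7034) and CSP frame-ancestors (CSP Level 2);
// when both are present, browsers honour frame-ancestors and ignore XFO.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list (quotes stripped, lower-cased),
  // or null when the policy has no such directive.
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // headers: object mapping lower-cased header names to their string values.
  // Returns { protected, reason } where protected is true only if the page
  // cannot be embedded by an arbitrary third-party origin.
  const csp = headers["content-security-policy"];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    if (ancestors !== null) {
      if (ancestors.includes("*")) {
        return { protected: false, reason: "frame-ancestors allows any origin" };
      }
      return { protected: true, reason: "frame-ancestors " + ancestors.join(" ") };
    }
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { protected: true, reason: "X-Frame-Options " + xfo };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // ALLOW-FROM was never widely implemented; treat it as no protection.
    return { protected: false, reason: "ALLOW-FROM is ignored by modern browsers" };
  }
  if (xfo) return { protected: false, reason: "unrecognised X-Frame-Options " + xfo };
  return { protected: false, reason: "no framing restriction at all" };
}

// Constructed sample responses (assumed values, not captured from real sites).
const SAMPLE_RESPONSES = {
  unprotected: { "content-type": "text/html" },
  xfoDeny: { "x-frame-options": "deny" },
  cspRestricted: { "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://app.example" },
  cspOverridesXfo: { "x-frame-options": "DENY", "content-security-policy": "frame-ancestors *" },
};
```

The last sample shows the precedence caveat: a permissive frame-ancestors directive silently undoes an X-Frame-Options DENY sent on the same response.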
