• What is ClickJacking?
• Demo
• How Users can be Affected
• Similarities with another Attack
• How to protect Web Application
• How to Identify Exploitable Web Application
• How to test Applications
• Previous ClickJacking Attacks
• Summary
• Discovered in 2008 by Robert Hansen and Jeremiah Grossman as a way to perform cross-domain attacks by ‘hijacking’ user-initiated mouse clicks to perform actions that the user did not intend.
• The attacker chooses a clickable region on a website that the user is currently authenticated to (e.g. a ‘Submit’ button that performs a particular action).
• To perform the attack, a malicious website loads a page from that website inside an iFrame made fully transparent and layered on top of another element on the attacker's page.
• Previously stated: ClickJacking is one of the more underrated attacks facing modern Web applications.
• This is one reason it doesn’t find a mention in the OWASP Top 10 list so far, but it is predicted to feature in the next version.
A web page can embed another web page via iframe:
  <iframe src="http://bing.com"></iframe>

CSS opacity attribute: 1 = visible, 0 = invisible
• Putting an evil invisible link on top of a legit visible link:
  http://playground.nebulassolutions.com/framer.html
  http://playground.nebulassolutions.com/index.php?page=framing.php
• With the iFrame's opacity set to 0, the iFrame is invisible.
• Users can be tricked into clicking on obscured user interface elements of an application and in so doing initiate actions against their will, such as:
  • Adding an attacker to a victim’s social graph
  • Promoting the attacker’s content on a social network
  • Sending a payment to the attacker
  • Compromising the user’s session to impersonate the victim user on the application
  • Tricking the user into submitting sensitive credential information
  • Performing a privileged action on behalf of the user (create or delete accounts, etc.)
• Both ClickJacking and CSRF trick the victim into requesting something that the attacker wants.
• But ClickJacking allows the attacker to CSRF a page that actually requires a manual click.
• ClickJacking allows an attacker to bypass CSRF protections put in place by a website.
  • The user is tricked into submitting a form directly from the website itself, so there is no need for the attacker to know hidden or secret values in the form, such as CSRF tokens.
Frame Busting
• A page using this method detects that it has been framed by another web site and attempts to load itself in place of the site that is framing it (thus ‘busting out’ of the frame).

  Common Frame Busting Code
  <script type="text/javascript">
  if (top != self) {               // condition: this page is inside a frame
    top.location = self.location;  // counter action: replace the framing page with this one
  }
  </script>

• However, a malicious site may try to use the onunload and onbeforeunload page events to prevent a framed site from navigating to a different URL.
• Also, JavaScript can easily be disabled.
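The two weaknesses just listed are why the plain snippet above is considered insufficient on its own. The following is an added example, not code from the slides: the "hide by default, reveal only when top-level" variant that OWASP recommended for browsers without X-Frame-Options support. The page ships hidden by a style element and only un-hides itself once it has confirmed it is the top-level document, so if the framing page blocks the navigation with onbeforeunload (or JavaScript is disabled), the framed page stays blank and there is nothing for the victim to click. `win` and `doc` stand in for the browser's `window` and `document` so the logic can be exercised outside a browser; the element id and the URLs are assumed values.

```javascript
// Added example: hardened frame-busting. In a real page you would put
//   <style id="antiClickjack">body { display: none !important; }</style>
// in <head>, followed by a <script> calling installFrameBuster(window, document).

// Same test the slide's snippet uses: is this page the top-level document?
function frameBustDecision(win) {
  return win.self === win.top ? "reveal" : "bust";
}

// Reveal the page only when it is top-level; otherwise try to bust out.
// If the bust-out navigation is blocked by the framer, the style element is
// never removed and the page remains invisible (and therefore unclickable).
function installFrameBuster(win, doc) {
  const decision = frameBustDecision(win);
  if (decision === "reveal") {
    const style = doc.getElementById("antiClickjack");
    if (style && style.parentNode) style.parentNode.removeChild(style);
  } else {
    // Counter action from the slide: replace the framing page with ours.
    win.top.location = win.self.location;
  }
  return decision;
}

// Constructed stand-ins for window/document (no browser needed) exercising
// both branches: a top-level visit and a visit inside an attacker's frame.
function demo() {
  const removed = [];
  const style = { parentNode: { removeChild: (node) => removed.push(node) } };
  const doc = { getElementById: (id) => (id === "antiClickjack" ? style : null) };

  const topLevel = { location: "https://victim.example/settings" }; // assumed URL
  topLevel.self = topLevel;
  topLevel.top = topLevel;

  const framer = { location: "https://attacker.example/" };          // assumed URL
  const framed = { location: "https://victim.example/settings", top: framer };
  framed.self = framed;

  return {
    topLevel: installFrameBuster(topLevel, doc), // "reveal": style removed
    framed: installFrameBuster(framed, doc),     // "bust": framer.location rewritten
    styleRemoved: removed.length,
    framerNavigatedTo: framer.location,
  };
}
```

The design point is that the default state is "hidden": the script has to positively succeed before the UI becomes clickable, which inverts the failure mode of the snippet on the slide.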
X-Frame-Options

Browser vendors are now implementing declarative methods such as X-Frame-Options, first introduced by Microsoft in Internet Explorer 8.

Web browsers that support this security feature will prevent a web page from being displayed in an iFrame if the X-Frame-Options header is set by the page.
Add X-Frame-Options to the HTTP response header
• Allows an application to specify whether or not specific pages of the site can be framed.
• Option 1: DENY
    HttpServletResponse response = …;
    response.addHeader("X-FRAME-OPTIONS", "DENY");
  This option means the page can never be framed by any page, including a page with the same origin.
• Option 2: SAMEORIGIN
    HttpServletResponse response = …;
    response.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
  This option means the page can be framed, but only by another page with the same origin.
• Option 3: Allow-From
    HttpServletResponse response = …;
    response.addHeader("X-FRAME-OPTIONS", "Allow-From https://some.othersite.com");
  This option means the page can be framed, but only by the specified origin. Note that Chrome and Safari never supported Allow-From; they treat it as an invalid value and ignore the header, so the page remains frameable in those browsers.
• It is important for developers to add the X-Frame-Options header server side, as many users still use old browsers, leaving them at risk from ClickJacking.
• Namely, IE6 and IE7 don’t know about this header.
• OWASP ZAP’s 1.4.0.1 Active Scan alerts the user to this issue if the X-Frame-Options header is missing.
• Also, the tester can capture the response to verify manually.
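Verifying manually means reading the captured response headers. The following is an added example, neither from the slides nor ZAP's own code: a small checker that does what the ZAP alert describes on a captured raw HTTP response. It parses the status line and headers, finds X-Frame-Options case-insensitively, distinguishes a missing header from an invalid, duplicated or Allow-From value, and also honours a Content-Security-Policy `frame-ancestors` directive, which browsers that support it enforce in preference to X-Frame-Options. The responses in `SAMPLES` are constructed.

```javascript
// Added example: X-Frame-Options checker for captured responses (not ZAP code).

// Parses "HTTP/1.1 200 OK\r\nName: value\r\n...\r\n\r\n<body>" into
// { status, headers } with lower-cased names; repeated headers become arrays.
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const status = parseInt(lines[0].split(" ")[1], 10);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { status, headers };
}

const FRAME_ANCESTORS = /(^|;)\s*frame-ancestors(\s|;|$)/i;

// Classifies the framing protection of one response:
//   "ok"         DENY, SAMEORIGIN, or a CSP frame-ancestors directive
//   "allow-from" ALLOW-FROM: honoured by IE and Firefox before 70, ignored elsewhere
//   "multiple"   several X-Frame-Options headers: browsers disagree on how to
//                combine conflicting values, so report it as a configuration bug
//   "invalid"    unrecognised value: browsers ignore the header entirely
//   "missing"    no header at all, the case the ZAP alert reports
function checkFraming(raw) {
  const { headers } = parseResponseHead(raw);
  const csp = headers["content-security-policy"] || [];
  if (csp.some((v) => FRAME_ANCESTORS.test(v))) {
    return { finding: "ok", detail: "CSP frame-ancestors present" };
  }
  const xfo = headers["x-frame-options"];
  if (!xfo) return { finding: "missing", detail: "X-Frame-Options header not set" };
  if (xfo.length > 1) return { finding: "multiple", detail: xfo.join(" | ") };
  const value = xfo[0].toUpperCase();
  if (value === "DENY" || value === "SAMEORIGIN") return { finding: "ok", detail: value };
  if (value.startsWith("ALLOW-FROM ")) return { finding: "allow-from", detail: xfo[0] };
  return { finding: "invalid", detail: xfo[0] };
}

// Constructed responses covering each case.
const SAMPLES = {
  missing: "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
  deny: "HTTP/1.1 200 OK\r\nx-frame-options: DENY\r\nContent-Type: text/html\r\n\r\n",
  multiple: "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
  typo: "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n",
  csp: "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
};

// Runs every sample and returns name -> finding, e.g. { missing: "missing", deny: "ok", ... }.
function scanSamples() {
  const report = {};
  for (const [name, raw] of Object.entries(SAMPLES)) report[name] = checkFraming(raw).finding;
  return report;
}
```

The "typo" sample is the case a manual review most often misses: a header that is present but misspelt looks protected at a glance yet is ignored by every browser, which is why the check compares the normalised value against the known directives rather than merely testing for the header's presence.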
Twitter
  • Exploit: Force twitter users to post a message
Facebook
  • Exploit: Force users to
Advertising and Affiliate Networks
  • Force users to click on ads for $$$ CYBER CRIME CASH $$$
Adobe Flash
  • Adjust the privacy settings to turn on the camera and microphone
• Attackers can trick victim browsers into clicking on things in victim websites by putting that website in a transparent iframe.
• We harden our sites by adding a new response header, ‘X-Frame-Options’.
• Many users still use old browsers, leaving them at risk from ClickJacking.
• Also, any client-side validation with JavaScript is easily turned off.
The good news
• ClickJacking is simple to prevent.
The bad news
• The vulnerability is powerful and prevalent.
• Many web applications have ClickJacking vulnerabilities.
Click jacking
