I haz your mouse clicks and key strokes
This technically light talk+demo will show you what User Interface Redressing Attacks are and how they work.

Web Applications using HTML5 + JavaScript + CSS + Modern Browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unxploitable XSS and Facebook Like attacks.

TL;DR Cool demo and simple to understand explanation of ClickJacking

Published in: Technology, Business
  • OWASP definition: Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.
  • Wikipedia: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms, a clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be understood as an instance of the confused deputy problem.
  • Talk about CSS z-order; how cursor and keystrokes can be followed.
  • Transcript

    • 1. I haz your mouse clicks & key strokes. Akash Mahajan @ MetaRefresh 2012
    • 2. click · jack · ing |klɪk ˈdʒækɪŋ| verb. 1. User Interface redress attack, UI redress attack, UI Redressing. 2. Is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes.
    • 3. How to like anything on Facebook/Internet
    • 4. Flash Settings Player: because SWF files can be iframed!
    • 5. Twitter Don’t Click Attack
    • 6. FAKE REAL / REAL FAKE
    • 7. Mitigations: Frame Bursting (why it fails); X-Frame-Options header
    • 8. Frame Bursting / Frame Killers: if (top.location != location) top.location = self.location;
    • 9. Best JavaScript code for Frame Bursting:
        <style> html { visibility: hidden } </style>
        <script>
          if (self == top) {
            document.documentElement.style.visibility = 'visible';
          } else {
            top.location = self.location;
          }
        </script>
    • 10. X-Frame-Options: used to prevent Clickjacking; tells the browser not to render the page inside a frame. DENY: don’t render at all if inside a frame. SAMEORIGIN: render only if the framing page is served from the same origin. Supported in IE8+, FF4+, Chrome5+.
    • 11. Akash Mahajan, That Web Application Security Guy. http://akashm.com | @makash | akashmahajan@gmail.com | 9980527182
    • 12. References
        • Keyboard Cat, CC NC SA: http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/
        • I haz your mouse clicks and key strokes: http://cheezburger.com/6135914240
        • Just One Question: http://www.quickmeme.com/meme/3ow548/
        • Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf
        • http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
        • NoScript image source: Andrew Mason’s Flickr photostream
        • http://erickerr.com/like-clickjacking
        • http://arnab.org/blog/reputation-misrepresentation
        • http://erickerr.com/misc/like-clickjacking.js
        • http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/
        • http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html
