Click jacking
Published in: Technology

  1. Agenda
     - What is ClickJacking?
     - Demo
     - How users can be affected
     - Similarities with another attack
     - How to protect a web application
     - How to identify exploitable web applications
     - How to test applications
     - Previous ClickJacking attacks
     - Summary
  2. What is ClickJacking? Discovered in 2008 by Robert Hansen and Jeremiah Grossman as a way to perform cross-domain attacks by 'hijacking' user-initiated mouse clicks to perform actions that the user did not intend. The attacker chooses a clickable region on a website that the user is currently authenticated on (e.g. a 'Submit' button that performs a particular action). To perform the attack, a malicious website loads a page from the target website inside an iframe that is made fully transparent and layered on top of another element on the malicious site.
  3. Previously stated: ClickJacking is one of the more underrated attacks facing modern web applications. This is one reason it does not yet appear in the OWASP Top 10 list, but it is predicted to feature in the next version.
  4. A web page can embed another web page via an iframe: <iframe src=""></iframe>. The CSS opacity property controls visibility: 1 = fully visible, 0 = invisible.
  5. Demo: putting an evil invisible link on top of a legitimate visible link.
  6. age=framing.php
  7. Opacity: iframe invisible
  8. Opacity set to 0
  9. How users can be affected: users can be tricked into clicking on obscured user interface elements of an application and, in doing so, initiate actions against their will, such as:
     - Adding an attacker to a victim's social graph
     - Promoting the attacker's content on a social network
     - Sending a payment to the attacker
     - Compromising the user's session to impersonate the victim user on the application
     - Tricking the user into submitting sensitive credential information
     - Performing a privileged action on behalf of the user (creating or deleting accounts, etc.)
  10. Similarities with CSRF: both want to trick the victim into requesting something that the attacker wants. But ClickJacking allows the attacker to CSRF a page that actually requires a manual click, so it bypasses CSRF protections put in place by a website. The user is tricked into submitting a form directly from the website itself, so the attacker has no need to know hidden or secret values in the form, such as CSRF tokens.
  11. Frame busting. A page using this method detects that it has been framed by another website and attempts to load itself in place of the site that is framing it (thus 'busting out' of the frame). Common frame-busting code:

      <script type="text/javascript">
      if (top != self) {              // condition: this page is inside a frame
        top.location = self.location; // counter action: replace the framing page with this one
      }
      </script>

      However, a malicious site may use the onunload and onbeforeunload page events to prevent a framed site from navigating to a different URL. Also, JavaScript can easily be disabled.
  12. X-Frame-Options. Browser vendors are now implementing declarative methods such as X-Frame-Options, first introduced by Microsoft in Internet Explorer 8. Web browsers that support this security feature will refuse to display a web page inside an iframe if the X-Frame-Options header is set by the page.
  13. Add X-Frame-Options to the HTTP response headers. This allows an application to specify whether or not specific pages of the site can be framed.

      Option 1: DENY

      HttpServletResponse response = ...;
      response.addHeader("X-FRAME-OPTIONS", "DENY");

      The page can never be framed by any page, including a page with the same origin.

      Option 2: SAMEORIGIN

      HttpServletResponse response = ...;
      response.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");

      The page can be framed, but only by another page with the same origin.

      Option 3: Allow-From

      HttpServletResponse response = ...;
      response.addHeader("X-FRAME-OPTIONS", "ALLOW-FROM https://trusted.example"); // the origin is a placeholder

      The page can be framed, but only by the single origin named after ALLOW-FROM.
  14. It is important for developers to add the X-Frame-Options header server side, because many users still use old browsers, leaving them at risk from ClickJacking. Notably, IE6 and IE7 do not know about this header.
  15. How to test applications: OWASP ZAP's active scan alerts the user to this issue if the X-Frame-Options header is missing. The tester can also capture the response and verify the header manually.
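An added example, not from the slides: it scripts the manual check from slide 15 against a captured HTTP response and classifies the three X-Frame-Options values from slide 13. It goes slightly beyond the slides in two ways: it also recognises the Content-Security-Policy frame-ancestors directive, which modern browsers prefer over X-Frame-Options, and it reports ALLOW-FROM as unprotected because current browsers ignore that value. The sample responses are constructed.

```python
import re
from typing import NamedTuple, Optional


class FramingPolicy(NamedTuple):
    protected: bool        # True if a browser will refuse to frame this page
    source: Optional[str]  # header that decided the verdict, None if nothing was set
    detail: str            # human-readable explanation for the test report


def parse_headers(raw_response: str) -> dict:
    """Parse the headers of a captured raw HTTP response (status line first).
    Header names are case-insensitive, so keys are lower-cased."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:  # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_framing(raw_response: str) -> FramingPolicy:
    """Decide whether the captured response carries working anti-framing protection."""
    h = parse_headers(raw_response)
    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
    csp = h.get("content-security-policy", "")
    m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if m:
        return FramingPolicy(True, "content-security-policy", "frame-ancestors " + m.group(1).strip())
    xfo = h.get("x-frame-options")
    if xfo is None:
        return FramingPolicy(False, None, "no X-Frame-Options header: any site may frame this page")
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return FramingPolicy(True, "x-frame-options", value)
    if value.startswith("ALLOW-FROM"):
        # Only some older browsers ever honoured ALLOW-FROM; the rest ignore the whole header.
        return FramingPolicy(False, "x-frame-options", xfo + ": ALLOW-FROM is ignored by current browsers")
    return FramingPolicy(False, "x-frame-options", "invalid value " + repr(xfo) + " is ignored by browsers")


# Constructed sample responses, as a tester might capture them in a proxy.
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
DENIED = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Type: text/html\r\n\r\n<html></html>"
ALLOW_FROM = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://trusted.example\r\n\r\n"
CSP_ONLY = "HTTP/1.1 200 OK\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self'\n\n"

if __name__ == "__main__":
    for name, resp in [("unprotected", UNPROTECTED), ("denied", DENIED),
                       ("allow-from", ALLOW_FROM), ("csp-only", CSP_ONLY)]:
        print(name, assess_framing(resp))
```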
  16. Previous ClickJacking attacks
      - Twitter: exploit forced Twitter users to post a message
      - Facebook: exploit forced users to
      - Advertising and affiliate networks: forced users to click on ads for $$$ CYBER CRIME CASH $$$
      - Adobe Flash: adjusted the privacy settings to turn on the camera and microphone
  17. Summary
      - Attackers can trick victims' browsers into clicking on things in victim websites by putting that website in a transparent iframe.
      - We harden our sites by adding a new response header, X-Frame-Options.
      - Many users still use old browsers, leaving them at risk from ClickJacking. Also, any client-side validation with JavaScript is easily turned off.
      - The good news: ClickJacking is simple to prevent.
      - The bad news: the vulnerability is powerful and prevalent. Many web applications have ClickJacking vulnerabilities.