I haz your mouse clicks and key strokes


This technically light talk and demo shows what User Interface Redressing attacks are and how they work.

Web Applications using HTML5 + JavaScript + CSS + Modern Browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unxploitable XSS and Facebook Like attacks.

TL;DR: a cool demo and a simple-to-understand explanation of Clickjacking.



  1. I haz your mouse clicks & key strokes. Akash Mahajan @ MetaRefresh 2012
  2. click · jack · ing |klɪk ˈdʒækɪŋ| verb
     1. User Interface redress attack, UI redress attack, UI Redressing
     2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes.
  3. How to like anything on Facebook/Internet
  4. Flash Settings Player: because SWF files can be iframed!
  5. Twitter "Don't Click" attack
  7. Mitigations
     • Frame Bursting – why it fails
     • X-Frame-Options header
  8. Frame Bursting / Frame Killers
         if (top.location != location) top.location = self.location;
  9. Best JavaScript code for Frame Bursting
         <style>html { visibility: hidden }</style>
         <script>
           if (self == top) {
             document.documentElement.style.visibility = 'visible';
           } else {
             top.location = self.location;
           }
         </script>
  10. X-Frame-Options
     • Used to prevent Clickjacking
     • Doesn't allow the page to be rendered in a frame
     • DENY: don't render at all if inside a frame; SAMEORIGIN: only if the framing page is served from the same origin
     • IE8+, FF4+, Chrome5+
  11. Akash Mahajan, That Web Application Security Guy | 9980527182
  12. References
     • Keyboard Cat CC NC SA
     • I haz your mouse clicks and key strokes
     • Just One question
     • Slides 6 and 7 from shells_PDF-version.pdf
     • (NoScript image source: Andrew Mason's Flickr photostream)
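The X-Frame-Options behaviour from slide 10, as an added JavaScript example that is not part of the deck: a checker that mirrors how a header-aware browser decides whether to render a framed page (it checks every ancestor origin for SAMEORIGIN, as current browsers do, so it goes slightly beyond the top-level-only wording on the slide), plus a helper producing the header a server should send. The function names, sample origins and header objects are constructed for this example.

```javascript
// Added example, not from the slides: how a browser that honours
// X-Frame-Options decides whether to render a page inside a frame, and the
// header a server should send. All names and sample origins are constructed.

// Look up a header case-insensitively (Node lower-cases incoming names,
// servers usually write the canonical "X-Frame-Options").
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? '' : String(headers[key]).trim().toUpperCase();
}

// Returns true if the page would be rendered. pageOrigin is the framed page's
// origin; ancestorOrigins lists every framing document from the immediate
// parent up to the top-level page. Current browsers check the whole chain for
// SAMEORIGIN, so a same-origin frame nested inside a foreign page is still blocked.
function framingAllowed(headers, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // not framed at all
  const policy = headerValue(headers, 'X-Frame-Options');
  if (policy === 'DENY') return false;
  if (policy === 'SAMEORIGIN') {
    const page = pageOrigin.toLowerCase();
    return ancestorOrigins.every((o) => o.toLowerCase() === page);
  }
  // No header, or an unrecognised value: the browser applies no restriction,
  // so the page is framable, which is the precondition for clickjacking.
  return true;
}

// Headers for responses that must not be framed by third parties. Use DENY
// for pages with no legitimate framing; SAMEORIGIN when the site frames itself.
function clickjackingHeaders(policy) {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error('X-Frame-Options must be DENY or SAMEORIGIN, got ' + policy);
  }
  return { 'X-Frame-Options': policy };
}

// Constructed sample: a bank page framed by an attacker-controlled page.
const bank = 'https://bank.example';
const attacker = 'https://evil.example';
console.log(framingAllowed({}, bank, [attacker]));                                      // true: clickjackable
console.log(framingAllowed(clickjackingHeaders('DENY'), bank, [attacker]));             // false
console.log(framingAllowed(clickjackingHeaders('SAMEORIGIN'), bank, [bank]));           // true
console.log(framingAllowed(clickjackingHeaders('SAMEORIGIN'), bank, [bank, attacker])); // false
```

The slide-9 frame-busting script remains useful as a fallback for browsers without header support, but the header is the check the browser enforces before any page script runs.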