
I haz your mouse clicks and key strokes

This technically light talk and demo will show you what User Interface Redressing attacks are and how they work.

Web applications built with HTML5 + JavaScript + CSS on modern browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unexploitable XSS and Facebook Like attacks.

TL;DR Cool demo and simple to understand explanation of Clickjacking



  1. I haz your mouse clicks & key strokes. Akash Mahajan @ MetaRefresh 2012
  2. click · jack · ing |klɪk ˈdʒækɪŋ| verb
     1. User Interface redress attack, UI redress attack, UI Redressing
     2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is hijacking clicks and/or keystrokes.
  3. How to like anything on Facebook/Internet
  4. Flash Player Settings: Because SWF files can be iframed!
  5. Twitter "Don't Click" Attack
  6. FAKE / REAL, REAL / FAKE
  7. Mitigations
     • Frame Bursting: why it fails
     • X-Frame-Options header
  8. Frame Bursting / Frame Killers

         if (top.location != location)
             top.location = self.location;

  9. Best JavaScript code for Frame Bursting

         <style>html { visibility: hidden }</style>
         <script>
         if (self == top) {
             document.documentElement.style.visibility = 'visible';
         } else {
             top.location = self.location;
         }
         </script>
  10. X-Frame-Options
      • Used to prevent Clickjacking
      • Doesn't allow the page to be rendered in a frame
      • DENY: don't render at all if inside a frame; SAMEORIGIN: only if the framing page is served from the same origin
      • IE8+, FF4+, Chrome5+
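As an added example (not code from the talk), the following JavaScript models the framing decision a browser that honours X-Frame-Options makes for the DENY and SAMEORIGIN values described on slide 10, so a header value can be checked against the origin that would frame the page; it also covers the legacy ALLOW-FROM form and malformed values, which browsers ignore. All URLs and header values passed to it are constructed sample data.

```javascript
// Added example, not code from the slides: models how a browser that honours
// X-Frame-Options decides whether to render a page inside a frame.
// Inputs are constructed sample data; nothing here contacts a server.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // scheme + host + non-default port
}

// pageUrl: URL of the document carrying the header (the would-be victim page)
// header:  raw X-Frame-Options value, or undefined when the header is absent
// topUrl:  URL of the top-level document attempting to frame pageUrl
// Returns { framable, reason }; framable === true means clickjacking is possible.
function evaluateXFrameOptions(pageUrl, header, topUrl) {
  if (header === undefined || header === null) {
    return { framable: true, reason: "header absent: any origin may frame the page" };
  }
  const value = String(header).trim().toUpperCase(); // directives are case-insensitive
  if (value === "DENY") {
    return { framable: false, reason: "DENY: never rendered inside a frame" };
  }
  if (value === "SAMEORIGIN") {
    const same = originOf(pageUrl) === originOf(topUrl);
    return {
      framable: same,
      reason: same ? "SAMEORIGIN: framed by a same-origin document"
                   : "SAMEORIGIN: cross-origin framing refused",
    };
  }
  if (value.startsWith("ALLOW-FROM")) {
    // Legacy directive: only some older browsers honoured it and the rest
    // ignored the whole header, so it must not be relied upon as protection.
    let allowed = null;
    try { allowed = originOf(value.slice("ALLOW-FROM".length).trim()); } catch (e) { /* malformed URI */ }
    const ok = allowed !== null && allowed === originOf(topUrl);
    return { framable: ok, reason: `ALLOW-FROM (legacy, unreliable): ${ok ? "origin matches" : "no match"}` };
  }
  // Anything else ("ALLOWALL", typos, conflicting comma-separated values) is
  // ignored by browsers, which leaves the page with no protection at all.
  return { framable: true, reason: `unrecognised value "${header}" is ignored` };
}
```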
  11. Akash Mahajan, That Web Application Security Guy. http://akashm.com | @makash | akashmahajan@gmail.com | 9980527182
  12. References
      • Keyboard Cat (CC NC SA) http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/
      • I haz your mouse clicks and key strokes http://cheezburger.com/6135914240
      • Just One question http://www.quickmeme.com/meme/3ow548/
      • Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf
      • http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
      • NoScript image source: Andrew Mason's Flickr photostream
      • http://erickerr.com/like-clickjacking
      • http://arnab.org/blog/reputation-misrepresentation
      • http://erickerr.com/misc/like-clickjacking.js
      • http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/
      • http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html