Click jacking


This slide presents information about ClickJacking and existing defense mechanism.


  1. Click jacking

  2. REFERENCE • "Clickjacking: A Web Page Can Hear and See You" (article, published 2014/15) • "Clickjacking: Attacks and Defenses", presented at the 21st USENIX Security Symposium (USENIX Security 12), published 2012
  3. OVERVIEW • The root cause of clickjacking is identified • New variants of the clickjacking attack • Drawbacks of existing defenses • A new defense mechanism is proposed • A survey on Amazon Mechanical Turk with 2064 participants
  4. WHAT IS CLICKJACKING? • The user's click is hijacked in order to perform some action in the attacker's interest • Also known as a "UI redress attack" • The attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page
  5. CLICK EVENT • Pressing a button • Moving the mouse over a link • Submitting a form
  6. IFRAME A web page can contain another web page inside it. Example: Google Maps
  7. OPACITY HTML elements can be solid, partially transparent or even invisible.
  8. STACKING ORDER A web page can contain another web page inside it. Example: Google Maps
  9. HOW DOES IT OCCUR? • The target page is constructed to lure the victim into clicking on an object. • The click is made to land on some other object and is thereby used to perform an action that the victim did not intend. This is the root cause.
  10. HOW DOES IT OCCUR? Frame-busting code snippet used to thwart cross-frame scripting attacks: <script type="text/javascript"> if (top != self) top.location.replace(location); </script> The page could still be framed: the parent frame controls the entire display shown to the user, which tricks the user into clicking the hidden child frame.
  11. THREAT TO USER • Tricking users into enabling their webcam and microphone through Flash • Tricking users into making their social networking profile information public • Downloading and running malware (malicious software) that allows a remote attacker to take control of the victim's computer • Making users follow someone on Twitter • Sharing or liking links on Facebook • Getting likes on a Facebook fan page or +1s on Google Plus • Clicking Google AdSense ads to generate pay-per-click revenue • Playing YouTube videos to gain views • Following someone on Facebook
  12. SCENARIO
  13. STEPS TAKEN SO FAR… X-Frame-Options (XFO) gave three options: • X-Frame-Options: DENY • X-Frame-Options: SAMEORIGIN • X-Frame-Options: ALLOW-FROM Drawback of XFO SAMEORIGIN
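The following is an added example, not code from the presentation or the paper: a simplified model of how a browser evaluates the three X-Frame-Options values from the slide when deciding whether a page may be rendered inside an iframe. The origins in the comments and tests are constructed sample values, and the header is checked against every ancestor frame, which is the strict reading of the policy.

```javascript
// Added example (not from the presentation): a simplified model of how a
// browser evaluates the X-Frame-Options header from slide 13 when
// deciding whether a page may be rendered inside an <iframe>.
// All origins used below are constructed sample values.

// Parse one X-Frame-Options header value into a policy object.
function parseXfo(headerValue) {
  const raw = (headerValue || "").trim();
  const upper = raw.toUpperCase();
  if (upper === "DENY") return { mode: "DENY" };
  if (upper === "SAMEORIGIN") return { mode: "SAMEORIGIN" };
  if (upper.startsWith("ALLOW-FROM ")) {
    // ALLOW-FROM takes exactly one origin; normalise it with the URL parser.
    try {
      return { mode: "ALLOW-FROM", origin: new URL(raw.slice(11).trim()).origin };
    } catch (e) {
      return { mode: "INVALID" };
    }
  }
  return { mode: raw === "" ? "NONE" : "INVALID" };
}

// Decide whether a document at `pageOrigin` may be framed, given the
// origins of all its ancestor browsing contexts (top-level first; an
// empty list means the page is not framed at all).
// Checking every ancestor is the strict reading; an implementation that
// compares only the top-level origin lets a same-origin top page with a
// cross-origin frame in between pass SAMEORIGIN.
function allowFraming(headerValue, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;
  const policy = parseXfo(headerValue);
  switch (policy.mode) {
    case "DENY":
      return false;
    case "SAMEORIGIN":
      return ancestorOrigins.every((o) => o === pageOrigin);
    case "ALLOW-FROM":
      // Only ever honoured by some browsers; those that do not understand
      // it treat the header as invalid, which fails open.
      return ancestorOrigins.every((o) => o === policy.origin);
    default:
      // Missing or unrecognised header: browsers fall back to allowing framing.
      return true;
  }
}
```

Current browsers express the same policy through the Content-Security-Policy frame-ancestors directive, which also accepts several origins; the model above covers only the three XFO values the slide lists.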
  14. CLASSIFICATION • Compromising target display integrity: hiding the target element, likejacking, tweet bomb, partial overlays • Compromising pointer integrity: cursorjacking, strokejacking • Compromising temporal integrity: bait and switch
  15. COMPROMISING TARGET DISPLAY INTEGRITY • The attacker creates an illusion for the victim • A decoy imitating a legitimate object is placed over a target object • The victim gets confused and clicks on the object • The actual click lands on the target, e.g. on a media site, to gain specific information on the target
  16. COMPROMISING TARGET DISPLAY INTEGRITY Exploit process for Facebook
  17. COMPROMISING TARGET DISPLAY INTEGRITY LikeJacking • The attacker presents a web frame that contains two iframes stacked over one another • The lower frame is designed around a Facebook "Like" button • The upper frame shows some attractive content
  18. COMPROMISING TARGET DISPLAY INTEGRITY Tweet Bomb • Multiple dummy accounts • Sending a large number of tweets in a short interval • Becoming a trending topic on Twitter
  19. COMPROMISING POINTER INTEGRITY • The attacker displays a blinking cursor in a text field • The victim clicks in the text field and the click is hijacked • The attacker displays a fake cursor icon • The victim gets confused and misinterprets the cursor's position
  20. COMPROMISING POINTER INTEGRITY Cursorjacking • The attacker displays a false cursor which is away from the actual one • The victim has a wrong perception of the actual position of the cursor • A custom mouse cursor icon is shifted a few pixels away from the actual spot examples/cursorjacking/
  21. COMPROMISING POINTER INTEGRITY Strokejacking • A blinking cursor asks for keyboard input • The attacker switches keyboard focus to the target element • The blinking cursor confuses victims into thinking that they are typing text into the attacker's input field, whereas they are actually interacting with the target element.
  22. COMPROMISING TEMPORAL INTEGRITY Bait and switch • When the mouse comes near the "claim your free iPad" button, the Like button moves to its location before the user realizes it.
  23. COMPROMISING TEMPORAL INTEGRITY • The attacker captures the mouse hover event • When the click is just about to happen, the attacker swaps the positions of the target element and the decoy element • To increase the probability of success, the attacker may ask the victim to click multiple times or double-click
  24. CLICKJACKING THROUGH ONLINE GAMING • A dummy web page contains an online game • The attacker places the play button below a transparent Facebook Like button
  25. NEW ATTACK VARIANTS • Attack technique: cursor spoofing • Attack success: 43% • A fake cursor is displayed to the user • Loud video or audio plays automatically
  26. NEW ATTACK VARIANTS • Attack technique: popup window • Attack success: 47% • The attacker lures the victim into performing a double-click • After the first click a Google OAuth dialog pops up and the attacker steals the private data
  27. NEW ATTACK VARIANTS • Attack technique: cursor spoofing + fast-paced clicking • Attack success: 98% • Known as the whack-a-mole attack • The user needs to click on an object to get the reward • Suddenly the object is replaced by a Facebook Like button
  29. EXISTING DEFENSE • Frame killer • User confirmation • UI randomization • Opaque overlay policy • Frame busting • Visibility detection on click (ClearClick, ClickIDS) • UI delays
  30. INCONTEXT DEFENSE Goals: • Does not require user prompts • Provides pointer integrity protection • Supports target elements that require arbitrary third-party embedding • Does not break existing sites
  31. INCONTEXT DEFENSE Ensuring visual integrity • Find the sensitive element • Compare the cropped screenshot with the reference bitmap • A clickjacking attempt is detected when a mismatch is found
  32. INCONTEXT DEFENSE Ensuring visual integrity of the pointer • Remove cursor customization - Attack success: 43% -> 16%
  33. INCONTEXT DEFENSE Ensuring visual integrity of the pointer • Freeze the screen around sensitive elements - Attack success: 4%
  34. INCONTEXT DEFENSE Ensuring visual integrity of the pointer • Mute the speaker while the user interacts with sensitive elements - Attack success: 43% - Attack success (mute + freezing): 2%
  35. INCONTEXT DEFENSE Ensuring visual integrity of the pointer • Lightbox effect around the popup dialog - Attack success: 43% - Attack success (lightbox + freezing + mute): 2% • No programmatic cross-origin keyboard focus changes
  36. INCONTEXT DEFENSE Ensuring temporal integrity • UI delay after pointer entry • Pointer re-entry on a newly visible sensitive element • When a sensitive UI element first appears or is moved to a location where it overlaps the current position of the pointer, the pointer must leave and re-enter • Padding area around the sensitive element
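The following is an added example, not the paper's or the presentation's code, that models the InContext checks from slides 31 and 36 in one small guard: visual integrity (the rendered pixels of the sensitive element must match a reference bitmap) and temporal integrity (a UI delay after pointer entry, forced re-entry when the element appears or moves under the pointer, and a padding area). Bitmaps are flat pixel arrays and all timings and coordinates are constructed values.

```javascript
// Added example (not the paper's code) modelling the InContext checks on
// slides 31 and 36: visual integrity (rendered pixels of the sensitive
// element must match a reference bitmap) and temporal integrity (UI delay
// after pointer entry, re-entry when the element appears or moves under
// the pointer). Bitmaps are flat pixel arrays; values are constructed.
// Fraction of pixels in the cropped screenshot that differ from the
// reference rendering; above the tolerance the element is covered or replaced.
function visualMismatch(reference, actual) {
  if (reference.length === 0 || reference.length !== actual.length) return 1;
  let bad = 0;
  for (let i = 0; i < reference.length; i++) if (reference[i] !== actual[i]) bad++;
  return bad / reference.length;
}
class SensitiveElementGuard {
  constructor({ delayMs = 500, paddingPx = 20, tolerance = 0 } = {}) {
    Object.assign(this, { delayMs, paddingPx, tolerance });
    this.rect = null;          // current bounds of the sensitive element
    this.pointer = null;       // last known pointer position
    this.enteredAt = null;     // when the pointer entered the padded area
    this.needsReentry = false; // element moved under a stationary pointer
  }
  // Padded hit area around the element (slide 36: "padding area").
  inside(p) {
    const r = this.rect, m = this.paddingPx;
    return !!r && p.x >= r.x - m && p.x <= r.x + r.w + m &&
           p.y >= r.y - m && p.y <= r.y + r.h + m;
  }
  pointerMove(p, now) {
    this.pointer = p;
    if (!this.inside(p)) { this.enteredAt = null; this.needsReentry = false; return; }
    if (this.needsReentry) return;                      // has not left since the element moved
    if (this.enteredAt === null) this.enteredAt = now;  // fresh entry starts the delay
  }
  // The element was shown or moved to `rect`; if the pointer is already
  // over it (bait and switch), the pointer must leave and re-enter.
  elementShownAt(rect) {
    this.rect = rect;
    this.enteredAt = null;
    this.needsReentry = !!(this.pointer && this.inside(this.pointer));
  }
  // Called for a click dispatched to the element; returns why it is blocked, or "allowed".
  click(now, referenceBitmap, actualBitmap) {
    if (visualMismatch(referenceBitmap, actualBitmap) > this.tolerance) return "blocked:visual";
    if (this.needsReentry) return "blocked:reentry";
    if (this.enteredAt === null || now - this.enteredAt < this.delayMs) return "blocked:delay";
    return "allowed";
  }
}
```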
  37. EXPERIMENT RESULT Results of the double-click attack
  38. EXPERIMENT RESULT Results of the cursor-spoofing attack
      Treatment group            Total  Timeout  Skip  Quit  Attack success
      1. Base control               68       26    35     3          4 (5%)
      2. Persuasion control         73       65     0     2          6 (8%)
      3. Attack                     72       38     0     3         31 (43%)
      4. No cursor styles           72       34    23     3         12 (16%)
      5a. Freezing (M=0px)          70       52     0     7         11 (15%)
      5b. Freezing (M=10px)         72       60     0     3          9 (12%)
      5c. Freezing (M=20px)         72       63     0     6          3 (4%)
      6. Muting + 5c                70       66     0     2          2 (2%)
      7. Lightbox + 5c              71       66     0     3          2 (2%)
      8. Lightbox + 6               71       60     0     8          3 (4%)
  39. CONCLUSION • This paper introduces a new mechanism to prevent clickjacking • The survey shows the effectiveness of the InContext defense mechanism • New variants of attacks are rising • Other clickjacking techniques need to be detected and ways found to thwart them
  40. Thank You :D