SlideShare a Scribd company logo

I haz your mouse clicks and key strokes

Download as PPTX, PDF
Akash Mahajan
Akash Mahajan

This technically light talk+demo will show you how and what are User Interface Redressing Attacks. Web Applications using HTML5 + JavaScript + CSS + Modern Browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unxploitable XSS and Facebook Like attacks. TL;DR Cool demo and simple to understand explaination of ClickJacking

TechnologyBusiness
1 of 17
I haz your mouse clicks & key strokes Akash Mahajan @ MetaRefresh 2012
click · jack · ing |klɪk ˈdʒækɪŋ| verb 1. User Interface redress attack, UI redress attack, UI Redressing 2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes
How to like anything on Facebook/Internet
Flash Settings Player : Because SWF files can be iframed!
Twitter Don’t Click Attack
FAKE REAL REAL FAKE
Mitigations • Frame Bursting –Why it fails • X Frames Header
Frame Bursting / Frame Killers i f ( t o p . l o c a t i o n != l o c a t i o n ) top.location=self.location;
Best JavaScript code for Frame Bursting <s t y l e >html f v i s i b i l i t y : h i d d e n g</ s t y l e > <s c r i p t > i f ( s e l f == t o p ) f document . documentElement . s t y l e . v i s i b i l i t y = ’visible’; gelsef top.location=self.location; g </ s c r i p t >
X-Frame-Options • Used to prevent Clickjacking • Doesn’t allow page to be rendered in a frame • DENY : Don’t render at all if inside a frame, SAMEORIGIN : Only if being served from the origin • IE8+, FF4+, Chrome5+
Akash Mahajan That Web Application Security Guy http://akashm.com | @makash akashmahajan@gmail.com | 9980527182
References • Keyboard Cat CC NC SA http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/ • I haz your mouse clicks and key strokes http://cheezburger.com/6135914240 • Just One question http://www.quickmeme.com/meme/3ow548/ • Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for- shells_PDF-version.pdf • http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf • (NoScript image source: Andrew Mason's Flickr photostream). • http://erickerr.com/like-clickjacking • http://arnab.org/blog/reputation-misrepresentation • http://erickerr.com/misc/like-clickjacking.js • http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/ • http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html

Recommended

Meryliza muabbad how_to_use-jing
Meryliza muabbad how_to_use-jingMeryliza muabbad how_to_use-jing
Meryliza muabbad how_to_use-jing
Meryliza Muabbad
 
Co hs sub instructions
Co hs sub instructionsCo hs sub instructions
Co hs sub instructions
stevens009
 
Selfhelp Online class Google Hangouts Capture App (blue camera)
Selfhelp Online class Google Hangouts Capture App (blue camera)Selfhelp Online class Google Hangouts Capture App (blue camera)
Selfhelp Online class Google Hangouts Capture App (blue camera)
SnowSugar Video
 
Ernesto samonte how to use spybot-s&d
Ernesto samonte how to use spybot-s&dErnesto samonte how to use spybot-s&d
Ernesto samonte how to use spybot-s&d
Ernesto Samonte
 
Topic 12 internet security
Topic 12 internet securityTopic 12 internet security
Topic 12 internet security
NFifa
 
An analysis of a facebook spam exploited through browser addons
An analysis of a facebook spam exploited through browser addonsAn analysis of a facebook spam exploited through browser addons
An analysis of a facebook spam exploited through browser addons
Prajwal Panchmahalkar
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containers
Akash Mahajan
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practice
Akash Mahajan
 

Recommended

Meryliza muabbad how_to_use-jing
Meryliza muabbad how_to_use-jingMeryliza muabbad how_to_use-jing
Meryliza muabbad how_to_use-jing
Meryliza Muabbad
 
Co hs sub instructions
Co hs sub instructionsCo hs sub instructions
Co hs sub instructions
stevens009
 
Selfhelp Online class Google Hangouts Capture App (blue camera)
Selfhelp Online class Google Hangouts Capture App (blue camera)Selfhelp Online class Google Hangouts Capture App (blue camera)
Selfhelp Online class Google Hangouts Capture App (blue camera)
SnowSugar Video
 
Ernesto samonte how to use spybot-s&d
Ernesto samonte how to use spybot-s&dErnesto samonte how to use spybot-s&d
Ernesto samonte how to use spybot-s&d
Ernesto Samonte
 
Topic 12 internet security
Topic 12 internet securityTopic 12 internet security
Topic 12 internet security
NFifa
 
An analysis of a facebook spam exploited through browser addons
An analysis of a facebook spam exploited through browser addonsAn analysis of a facebook spam exploited through browser addons
An analysis of a facebook spam exploited through browser addons
Prajwal Panchmahalkar
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containers
Akash Mahajan
 
Secure passwords-theory-and-practice
Secure passwords-theory-and-practiceSecure passwords-theory-and-practice
Secure passwords-theory-and-practice
Akash Mahajan
 
Algae Renewable Energy Carbon Credit First Timer
Algae Renewable Energy Carbon Credit First TimerAlgae Renewable Energy Carbon Credit First Timer
Algae Renewable Energy Carbon Credit First Timer
70CentsaGallon
 
Tibet blog.agirregabiria.net Mikel Agirregabiria
Tibet blog.agirregabiria.net Mikel AgirregabiriaTibet blog.agirregabiria.net Mikel Agirregabiria
Tibet blog.agirregabiria.net Mikel Agirregabiria
Mikel Agirregabiria
 
Web application security
Web application securityWeb application security
Web application security
Akash Mahajan
 
Web application security
Web application securityWeb application security
Web application security
Akash Mahajan
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Akash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
Akash Mahajan
 
The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+data
Akash Mahajan
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
20 Hailu Tefera Objective7 Soybean
20 Hailu Tefera Objective7 Soybean20 Hailu Tefera Objective7 Soybean
20 Hailu Tefera Objective7 Soybean
World Agroforestry (ICRAF)
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
Akash Mahajan
 
Web application security
Web application securityWeb application security
Web application security
Akash Mahajan
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
Akash Mahajan
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
Akash Mahajan
 
My 'Technopreneurship' presentation @ SCIT Pune!!!
My 'Technopreneurship' presentation @ SCIT Pune!!!My 'Technopreneurship' presentation @ SCIT Pune!!!
My 'Technopreneurship' presentation @ SCIT Pune!!!
Akshay Shah
 
Php security
Php securityPhp security
Php security
Akash Mahajan
 
inhertance c++
inhertance c++inhertance c++
inhertance c++
abhilashagupta
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
UI Redressing
UI RedressingUI Redressing
UI Redressing
n|u - The Open Security Community
 
Clickjacking
ClickjackingClickjacking
Clickjacking
Rishi Kant
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
Ran Bar-Zik
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
Krishna T
 

More Related Content

Viewers also liked

Algae Renewable Energy Carbon Credit First Timer
Algae Renewable Energy Carbon Credit First TimerAlgae Renewable Energy Carbon Credit First Timer
Algae Renewable Energy Carbon Credit First Timer
70CentsaGallon
 
Tibet blog.agirregabiria.net Mikel Agirregabiria
Tibet blog.agirregabiria.net Mikel AgirregabiriaTibet blog.agirregabiria.net Mikel Agirregabiria
Tibet blog.agirregabiria.net Mikel Agirregabiria
Mikel Agirregabiria
 
Web application security
Web application securityWeb application security
Web application security
Akash Mahajan
 
Web application security
Web application securityWeb application security
Web application security
Akash Mahajan
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Akash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
Akash Mahajan
 
The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+data
Akash Mahajan
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
Akash Mahajan
 
20 Hailu Tefera Objective7 Soybean
20 Hailu Tefera Objective7 Soybean20 Hailu Tefera Objective7 Soybean
20 Hailu Tefera Objective7 Soybean
World Agroforestry (ICRAF)
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
Akash Mahajan
 
Web application security
Web application securityWeb application security
Web application security
Akash Mahajan
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
Akash Mahajan
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
Akash Mahajan
 
My 'Technopreneurship' presentation @ SCIT Pune!!!
My 'Technopreneurship' presentation @ SCIT Pune!!!My 'Technopreneurship' presentation @ SCIT Pune!!!
My 'Technopreneurship' presentation @ SCIT Pune!!!
Akshay Shah
 
Php security
Php securityPhp security
Php security
Akash Mahajan
 
inhertance c++
inhertance c++inhertance c++
inhertance c++
abhilashagupta
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 

Viewers also liked (17)

Algae Renewable Energy Carbon Credit First Timer
Algae Renewable Energy Carbon Credit First TimerAlgae Renewable Energy Carbon Credit First Timer
Algae Renewable Energy Carbon Credit First Timer
 
Tibet blog.agirregabiria.net Mikel Agirregabiria
Tibet blog.agirregabiria.net Mikel AgirregabiriaTibet blog.agirregabiria.net Mikel Agirregabiria
Tibet blog.agirregabiria.net Mikel Agirregabiria
 
Web application security
Web application securityWeb application security
Web application security
 
Web application security
Web application securityWeb application security
Web application security
 
Secure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash MahajanSecure HTTP Headers c0c0n 2011 Akash Mahajan
Secure HTTP Headers c0c0n 2011 Akash Mahajan
 
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-thereINCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
INCOMPLETE - OUTLINE for RootConf 2014 - The little-servcie-which-wasn't-there
 
The real incident of stealing a droid app+data
The real incident of stealing a droid app+dataThe real incident of stealing a droid app+data
The real incident of stealing a droid app+data
 
Hackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web ProgrammingHackers versus Developers and Secure Web Programming
Hackers versus Developers and Secure Web Programming
 
20 Hailu Tefera Objective7 Soybean
20 Hailu Tefera Objective7 Soybean20 Hailu Tefera Objective7 Soybean
20 Hailu Tefera Objective7 Soybean
 
Believe It Or Not SSL Attacks
Believe It Or Not SSL AttacksBelieve It Or Not SSL Attacks
Believe It Or Not SSL Attacks
 
Web application security
Web application securityWeb application security
Web application security
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
My 'Technopreneurship' presentation @ SCIT Pune!!!
My 'Technopreneurship' presentation @ SCIT Pune!!!My 'Technopreneurship' presentation @ SCIT Pune!!!
My 'Technopreneurship' presentation @ SCIT Pune!!!
 
Php security
Php securityPhp security
Php security
 
inhertance c++
inhertance c++inhertance c++
inhertance c++
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 

Similar to I haz your mouse clicks and key strokes

UI Redressing
UI RedressingUI Redressing
UI Redressing
n|u - The Open Security Community
 
Clickjacking
ClickjackingClickjacking
Clickjacking
Rishi Kant
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
Ran Bar-Zik
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
Krishna T
 
javascript-gone-wild-withreferences-attributions-111003035611-php
javascript-gone-wild-withreferences-attributions-111003035611-phpjavascript-gone-wild-withreferences-attributions-111003035611-php
javascript-gone-wild-withreferences-attributions-111003035611-php
Apoorvi Kapoor
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
Jeremiah Grossman
 
HalfStack fast but not furious
HalfStack fast but not furiousHalfStack fast but not furious
HalfStack fast but not furious
Anna Migas
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
Shawn Gorrell
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
SecuRing
 
Rich Internet Applications (RIA) Web Testing
Rich Internet Applications (RIA) Web TestingRich Internet Applications (RIA) Web Testing
Rich Internet Applications (RIA) Web Testing
Mathias Roth
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hack
jessepollak
 
Click jacking
Click jackingClick jacking
Click jacking
Ronan Dunne, CEH, SSCP
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
Mohammed A. Imran
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
Krzysztof Kotowicz
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moon
davejohnson
 
Unity3D Basic Concepts by: shamal aryan
Unity3D Basic Concepts by: shamal aryan Unity3D Basic Concepts by: shamal aryan
Unity3D Basic Concepts by: shamal aryan
Shamal Aryan
 
JavaScript and DOM Pattern Implementation
JavaScript and DOM Pattern ImplementationJavaScript and DOM Pattern Implementation
JavaScript and DOM Pattern Implementation
davejohnson
 
Itc2009 Click Jacking
Itc2009 Click JackingItc2009 Click Jacking
Itc2009 Click Jacking
JayMNEA
 

Similar to I haz your mouse clicks and key strokes (20)

UI Redressing
UI RedressingUI Redressing
UI Redressing
 
Clickjacking
ClickjackingClickjacking
Clickjacking
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
javascript-gone-wild-withreferences-attributions-111003035611-php
javascript-gone-wild-withreferences-attributions-111003035611-phpjavascript-gone-wild-withreferences-attributions-111003035611-php
javascript-gone-wild-withreferences-attributions-111003035611-php
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
HalfStack fast but not furious
HalfStack fast but not furiousHalfStack fast but not furious
HalfStack fast but not furious
 
.NET Security Topics
.NET Security Topics.NET Security Topics
.NET Security Topics
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!What happens on your Mac, stays on Apple’s iCloud?!
What happens on your Mac, stays on Apple’s iCloud?!
 
Rich Internet Applications (RIA) Web Testing
Rich Internet Applications (RIA) Web TestingRich Internet Applications (RIA) Web Testing
Rich Internet Applications (RIA) Web Testing
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hack
 
Click jacking
Click jackingClick jacking
Click jacking
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applications
 
Html5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPraHtml5: something wicked this way comes - HackPra
Html5: something wicked this way comes - HackPra
 
Ajax to the Moon
Ajax to the MoonAjax to the Moon
Ajax to the Moon
 
Unity3D Basic Concepts by: shamal aryan
Unity3D Basic Concepts by: shamal aryan Unity3D Basic Concepts by: shamal aryan
Unity3D Basic Concepts by: shamal aryan
 
JavaScript and DOM Pattern Implementation
JavaScript and DOM Pattern ImplementationJavaScript and DOM Pattern Implementation
JavaScript and DOM Pattern Implementation
 
Itc2009 Click Jacking
Itc2009 Click JackingItc2009 Click Jacking
Itc2009 Click Jacking
 

Recently uploaded

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 

Recently uploaded (20)

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 

I haz your mouse clicks and key strokes

  • 1. I haz your mouse clicks & key strokes Akash Mahajan @ MetaRefresh 2012
  • 2. click · jack · ing |klɪk ˈdʒækɪŋ| verb 1. User Interface redress attack, UI redress attack, UI Redressing 2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8. How to like anything on Facebook/Internet
  • 9. Flash Settings Player : Because SWF files can be iframed!
  • 11. FAKE REAL REAL FAKE
  • 12. Mitigations • Frame Bursting –Why it fails • X Frames Header
  • 13. Frame Bursting / Frame Killers i f ( t o p . l o c a t i o n != l o c a t i o n ) top.location=self.location;
  • 14. Best JavaScript code for Frame Bursting <s t y l e >html f v i s i b i l i t y : h i d d e n g</ s t y l e > <s c r i p t > i f ( s e l f == t o p ) f document . documentElement . s t y l e . v i s i b i l i t y = ’visible’; gelsef top.location=self.location; g </ s c r i p t >
  • 15. X-Frame-Options • Used to prevent Clickjacking • Doesn’t allow page to be rendered in a frame • DENY : Don’t render at all if inside a frame, SAMEORIGIN : Only if being served from the origin • IE8+, FF4+, Chrome5+
  • 16. Akash Mahajan That Web Application Security Guy http://akashm.com | @makash akashmahajan@gmail.com | 9980527182
  • 17. References • Keyboard Cat CC NC SA http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/ • I haz your mouse clicks and key strokes http://cheezburger.com/6135914240 • Just One question http://www.quickmeme.com/meme/3ow548/ • Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for- shells_PDF-version.pdf • http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf • (NoScript image source: Andrew Mason's Flickr photostream). • http://erickerr.com/like-clickjacking • http://arnab.org/blog/reputation-misrepresentation • http://erickerr.com/misc/like-clickjacking.js • http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/ • http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html

Editor's Notes

  1. OWASP DefinitionClickjacking, also known as a &quot;UI redress attack&quot;, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is &quot;hijacking&quot; clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attackerWikiPediaClickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Webuser into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.[1][2][3][4] It is a browser security issue that is a vulnerability across a variety of browsers and platforms, a clickjack takes the form of embedded code or a script that can execute without the user&apos;s knowledge, such as clicking on a button that appears to perform another function.[5] The term &quot;clickjacking&quot; was coined by Jeremiah Grossman and Robert Hansen in 2008.[citation needed]Clickjacking can be understood as an instance of the confused deputy problem.[6]
  2. Talk about CSS Z OrderHow cursor, keystrokes can be followed