UI Redressing and Clickjacking: About click fraud and data theft
Marcus Niemietz
Ruhr-University Bochum Chair for Network and Data Security
25th of November 2011
Marcus Niemietz, RUB @Zeronights: UI Redressing and Clickjacking
Short and crisp details about me
Studying “IT-Security/Information Technology” at RUB and “Computer Science” at the Distance University Hagen
B.Sc. in “IT-Security/Information Technology”
Books: Authentication Web Pages with Selenium; from Feb. 2012: Clickjacking und UI-Redressing
International speaker
Work: RUB, Pixelboxx, ISP and IT-Security, freelancer (trainings, penetration tests)
Twitter: @mniemietz
Contents
1 Introduction
  UI redressing
  Clickjacking
2 Attack vectors
  UI redressing
  Round up
  Clickjacking Tool
3 Counteractive measures
  Frame busting
  Busting frame busting
  Clickjacking statistics
4 Conclusion and outlook
Introduction
Google Inc. could generate a profit of over $8.5 billion in 2010
Interesting for commercial companies to offer web applications: shopping, banking, sharing status messages
New attacks are available that can bypass existing protection mechanisms, e.g. the CSRF token, via clickjacking
Oh no! Why clickjacking, why again? Because there is more to it!
UI redressing
Adjust the look and/or behavior of a web page
UI redressing covers:
  Clickjacking
  Strokejacking
  Text injection by drag-and-drop
  Content extraction
  Pop-up blocker bypass
  SVG masking
Clickjacking
A known issue since 2002
Officially introduced by Hansen & Grossman in 2008
Clickjacking ⊂ UI redressing:
  Cursorjacking
  Filejacking, Cookiejacking
  Likejacking, Sharejacking
  Eventjacking, Classjacking
  Tapjacking, Tabnapping
  Adobe Flash Player attacks
  Combinations with CSRF, XSS, CSS
Clickjacking ⇔ classic clickjacking ≠ UI redressing
Attack vectors
Classic clickjacking
Advanced attacks:
  Clickjacking and XSS
  Clickjacking and CSS
  Strokejacking
  Text injection by drag-and-drop
  Content extraction
  Cursorjacking
  SVG masking
What an attacker can do
Clickjacking tool
Classic clickjacking
Practical example: clickjacking on the google.com “Sign out” link
Three files are required:
inner.html
clickjacking.html
trustedPage.html
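The classic attack above only works if the trusted page can be loaded inside a third-party frame. As an added example that is not part of the talk, the following Python function evaluates the X-Frame-Options and Content-Security-Policy frame-ancestors response headers (server-side framing controls that complement the frame-busting scripts discussed in the talk) to decide whether a given origin may frame a page; the header values and URLs used with it are constructed samples.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(source, framer, page):
    """Match one CSP frame-ancestors source expression against the framing origin."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    scheme, host = framer.split("://", 1)
    if "://" not in source:
        if source.endswith(":"):            # scheme-source such as "https:"
            return scheme == source[:-1]
        source = scheme + "://" + source    # bare host-source inherits the framer's scheme
    src_scheme, src_host = source.split("://", 1)
    if src_scheme != scheme and not (src_scheme == "http" and scheme == "https"):
        return False
    if src_host.startswith("*."):           # wildcard matches any subdomain, not the apex
        return host.endswith(src_host[1:])
    return src_host == host


def can_be_framed(headers, page_url, framer_url):
    """Return True if a browser honouring these headers would render page_url
    inside a frame served by framer_url, i.e. the page is exposed to the
    transparent-overlay technique of classic clickjacking.

    frame-ancestors takes precedence over X-Frame-Options; an absent or
    unrecognised X-Frame-Options value imposes no restriction at all."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:] or ["'none'"]   # empty source list allows nobody
            return any(_source_matches(s, framer, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True
```

Run it against the headers of a real sign-out or state-changing page: a True result for a foreign origin means the page can be overlaid exactly as in the example above.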