I haz your mouse clicks and key strokes
I haz your mouse clicks & key strokes
Akash Mahajan @ MetaRefresh 2012
click · jack · ing |klɪk ˈdʒækɪŋ| verb
1. User Interface redress attack, UI redress attack, UI Redressing
2. is when an attacker uses transparent or opaque layers to trick a user into clicking a button or link on a hidden page when they intended to click on the visible top-level page. The attacker thus hijacks clicks and/or keystrokes.
How to like anything on Facebook/Internet
Flash Player Settings: because SWF files can be iframed!
Twitter Don’t Click
Attack (slide images: the REAL page shown beneath the FAKE overlay, then the FAKE overlay over the REAL page)
Mitigations
• Frame Bursting: why it fails
• X-Frame-Options header
Frame Bursting / Frame Killers
    if (top.location != location) top.location = self.location;
Best JavaScript code for Frame Bursting
    <style>html { visibility: hidden }</style>
    <script>
      if (self == top) {
        document.documentElement.style.visibility = 'visible';
      } else {
        top.location = self.location;
      }
    </script>
X-Frame-Options
• Used to prevent Clickjacking
• Doesn’t allow page to be rendered in a frame
• DENY: don't render the page at all if it is inside a frame; SAMEORIGIN: render it only if the framing page is served from the same origin
• IE8+, FF4+, Chrome5+
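An added example, not from the slides, that applies the DENY / SAMEORIGIN rules above the way a browser does when it decides whether a response may be rendered inside a frame. The origins and header values are constructed; the function name framingDecision is mine.

```javascript
// Added example (not from the slides): decide whether a browser that honours
// X-Frame-Options would render a page inside a frame. The page origin and the
// framing (top-level) origin are constructed inputs; header values follow the
// DENY / SAMEORIGIN semantics the slides describe.

// Normalise an origin string to "scheme://host[:port]" for comparison
// (lower-cases the host and drops a default port).
function normalizeOrigin(origin) {
  return new URL(origin).origin;
}

// headers: plain object of response headers (names are case-insensitive).
// pageOrigin: origin of the framed document; framerOrigin: origin of the
// top-level document. Returns { allowed: boolean, reason: string }.
function framingDecision(headers, pageOrigin, framerOrigin) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'x-frame-options');
  if (key === undefined) {
    return { allowed: true, reason: 'no X-Frame-Options header: page can be framed by anyone' };
  }
  // A header sent twice usually arrives comma-joined; browsers refuse to
  // frame when the directives disagree, so conflicting values block framing.
  const values = String(headers[key]).split(',').map(v => v.trim().toUpperCase()).filter(Boolean);
  const unique = [...new Set(values)];
  if (unique.length === 0) {
    return { allowed: true, reason: 'empty header value: no directive to enforce' };
  }
  if (unique.length > 1) {
    return { allowed: false, reason: `conflicting directives (${unique.join(', ')}): framing blocked` };
  }
  const directive = unique[0];
  if (directive === 'DENY') {
    return { allowed: false, reason: 'DENY: never rendered inside a frame' };
  }
  if (directive === 'SAMEORIGIN') {
    const same = normalizeOrigin(pageOrigin) === normalizeOrigin(framerOrigin);
    return { allowed: same, reason: same ? 'SAMEORIGIN: framer shares the origin' : 'SAMEORIGIN: cross-origin framer blocked' };
  }
  // An unrecognised directive (for example the typo "SAME-ORIGIN") makes the
  // browser ignore the header entirely, silently re-enabling framing. Flag it.
  return { allowed: true, reason: `unrecognised directive "${directive}": header ignored, page framable` };
}
```

Run the function over a site's real response headers during a review: a misspelled directive is the failure mode that looks protected in the config but is not.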
Akash Mahajan, That Web Application Security Guy
http://akashm.com | @makash [email protected] | 9980527182
References
• Keyboard Cat (CC BY-NC-SA): http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/
• I haz your mouse clicks and key strokes: http://cheezburger.com/6135914240
• Just One question: http://www.quickmeme.com/meme/3ow548/
• Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf
• http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
• NoScript image source: Andrew Mason's Flickr photostream
• http://erickerr.com/like-clickjacking
• http://arnab.org/blog/reputation-misrepresentation
• http://erickerr.com/misc/like-clickjacking.js
• http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/
• http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html