Clickjacking
3 views
Skip to first unread message
Ian Duffy
Nov 8, 2008, 9:13:41 PM11/8/08
to digital-...@googlegroups.com
Found a great article on clickjacking, which is a kind of amorphous web hacking technique. The article is here: http://hackademix.net/2008/09/27/clickjacking-and-noscript/
Basically the gist of clickjacking is that it is like an XSRF attack combined with some javascript trickery. Say for example you are targeting a victim whom you know banks at XYZ bank online. Say you also know that XYZ bank's website lets users persist their sessions, so that you can reasonably assume that if you can get the victim to visit a page you control, their browser might already be "pre-authenticated" to that bank. Say also you know that a specially formatted URL at XYZ, for example http://www.xyzbank.com/transferfunds?targetaccount=<acct number>, will cause funds to be transferred.
The problem is that users these days are getting more wary of clicking on any link on web pages that they visit. Here is where clickjacking comes in: using javascript you place an "invisible button" underneath the user's mouse cursor. This invisible button is always underneat the mouse cursor and thus will register an onClick event no matter where the user clicks on the page. You can make the action of this button open your malicious XSRF funds transfer URL and the user will never know that they (via their already logged-in web brower and it's stored cookies) just transferred funds to your account.
From the article:
"Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […]
Say you have a home wireless router that you had authenticated prior to going to a [malicious] web site. [The web site] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules."
Good stuff. As I said before, buffer overflows are to the last 10 years as web application hacks are to the next 10 years.
--Ian
Basically the gist of clickjacking is that it is like an XSRF attack combined with some javascript trickery. Say for example you are targeting a victim whom you know banks at XYZ bank online. Say you also know that XYZ bank's website lets users persist their sessions, so that you can reasonably assume that if you can get the victim to visit a page you control, their browser might already be "pre-authenticated" to that bank. Say also you know that a specially formatted URL at XYZ, for example http://www.xyzbank.com/transferfunds?targetaccount=<acct number>, will cause funds to be transferred.
The problem is that users these days are getting more wary of clicking on any link on web pages that they visit. Here is where clickjacking comes in: using javascript you place an "invisible button" underneath the user's mouse cursor. This invisible button is always underneat the mouse cursor and thus will register an onClick event no matter where the user clicks on the page. You can make the action of this button open your malicious XSRF funds transfer URL and the user will never know that they (via their already logged-in web brower and it's stored cookies) just transferred funds to your account.
From the article:
"Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […]
Say you have a home wireless router that you had authenticated prior to going to a [malicious] web site. [The web site] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules."
Good stuff. As I said before, buffer overflows are to the last 10 years as web application hacks are to the next 10 years.
--Ian
Reply all
Reply to author
Forward
0 new messages