It is said that a single picture is worth a thousand words. Similarly, going through a demonstration of clickjacking before actually explaining it should be interesting. This simple demonstration (created by Tyler John Weiss) will give you a feel for what this is about.
EricLaw's IEInternals blog also has some nice demos (use IE).
The explanation is simple: you have two web pages, one over the other. The top page is invisible and the bottom one is visible. When you click on a button on the bottom (visible) page you may actually click on a control on the top (invisible) page, which is the unintended action. So what are the dangers posed by clickjacking?
1. Stealing personal data, bank account information, credit card information and others.
2. Downloading and installing applications without the user's knowledge. These can be viruses, spyware or adware.
3. Forcing the unsuspecting user to click on ads and opinion polls.
A few months back clickjacking was not considered a big threat, but you never know what is in store for the future, as we are seeing more of these attacks. Clickjacking is also used as a vector for CSRF (Cross-Site Request Forgery).
Latest Incidents
You can catch the latest Facebook attack using clickjacking at http://www.tgdaily.com/security-features/51156-another-click-jacking-scam-hits-facebook
Advice for Internet Users
1. Do not click/follow links in forums/blogs/email/websites unless you are sure of what you are doing.
2. Consider using the NoScript add-on for Firefox.
3. Disable iframes if possible.
4. Install a user-scripting plugin and use scripts like the following, which removes every iframe from the current page:
// collect all iframe elements, then walk the list backwards and detach each one from its parent
var all = document.getElementsByTagName('iframe'), l = all.length;
while (l--) all[l].parentNode.removeChild(all[l]);
Technical Analysis
Clickjacking attacks use malicious iframes inserted into a web page to trick and hijack a user's actions. The server-side solutions include
1. Frame-busting code. A good paper on this is available at http://seclab.stanford.edu/websec/framebusting/framebust.pdf
2. Using the new X-Frame-Options header, found in Microsoft's IE 8 and in the latest versions of most browsers.
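As an added example (not code from the original post, nor from the Stanford paper or any browser), the following Node-runnable JavaScript models both server-side defences listed above: a frame-busting routine that follows the pattern the cited paper recommends (hide the page by default, reveal it only when it is the top-level window, otherwise navigate the top window to the page itself), and a check of how a browser interprets an X-Frame-Options value against the chain of origins framing the page. The `win` stand-in object, the sample origins and the helper names are assumptions made for illustration.

```javascript
// Added example: two server-side clickjacking defences, written so the logic can be
// exercised offline under Node.js. Nothing here is taken from the original post.

// 1. Frame busting, following the pattern recommended in the Stanford paper cited above.
//    `win` stands in for the browser `window` object (assumption: it exposes `self`,
//    `top`, `document` and `location`) so the decision can be tested without a browser.
function frameBust(win) {
  if (win.self === win.top) {
    // Not framed: reveal the page, which the CSS below hides by default.
    win.document.documentElement.style.display = 'block';
    return 'shown';
  }
  // Framed: break out by navigating the top-level window to this page.
  win.top.location = win.self.location;
  return 'busted';
}

// The markup a page would embed at the top of <head> to apply the same defence in a browser.
const FRAME_BUSTING_MARKUP =
  '<style>html { display: none; }</style>\n' +
  '<script>\n' +
  '  if (self === top) { document.documentElement.style.display = "block"; }\n' +
  '  else { top.location = self.location; }\n' +
  '</script>';

// 2. X-Frame-Options. This models how a browser decides whether a page carrying the
//    header may render inside a given chain of framing origins, so a header deployment
//    can be checked before shipping. Origins are exact strings (scheme://host[:port]);
//    `ancestorOrigins` lists framing pages from the direct parent outwards, and an
//    empty array means the page is loaded top-level.
function evaluateXFrameOptions(headerValue, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return 'render'; // top-level: header is irrelevant
  const value = (headerValue || '').trim();
  const upper = value.toUpperCase();
  if (upper === 'DENY') return 'blocked';
  if (upper === 'SAMEORIGIN') {
    // Conservative model: every ancestor must share the page's origin.
    return ancestorOrigins.every((o) => o === pageOrigin) ? 'render' : 'blocked';
  }
  if (upper.startsWith('ALLOW-FROM ')) {
    // Legacy single-origin allow-list; compared against the top-level framer only.
    const allowed = value.slice('ALLOW-FROM '.length).trim().replace(/\/$/, '');
    const topOrigin = ancestorOrigins[ancestorOrigins.length - 1];
    return topOrigin === allowed ? 'render' : 'blocked';
  }
  // Missing or unrecognised value: browsers ignore the header and render the frame.
  return 'render';
}

// Response headers for a page that must never be framed (X-Frame-Options plus the
// Content-Security-Policy frame-ancestors directive that newer browsers honour).
function noFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed stand-ins for `window`: one loaded inside a frame, one loaded top-level.
function makeFramedWindow() {
  const topWin = { location: 'https://framing-site.example/' };
  const self = { location: 'https://bank.example/transfer' };
  return { self, top: topWin, document: { documentElement: { style: {} } } };
}
function makeTopLevelWindow() {
  const w = { location: 'https://bank.example/transfer', document: { documentElement: { style: {} } } };
  w.self = w;
  w.top = w;
  return w;
}

// Stand-alone demonstration.
const framed = makeFramedWindow();
console.log('framed page:', frameBust(framed), '-> top now at', framed.top.location);
console.log('top-level page:', frameBust(makeTopLevelWindow()));
console.log('DENY while framed:', evaluateXFrameOptions('DENY', 'https://bank.example', ['https://framing-site.example']));
console.log('no header while framed:', evaluateXFrameOptions(undefined, 'https://bank.example', ['https://framing-site.example']));
console.log('headers:', noFramingHeaders(), '\nmarkup:\n' + FRAME_BUSTING_MARKUP);
```

`evaluateXFrameOptions` is a pre-deployment model of browser behaviour, not a replacement for testing in the browsers you support: the SAMEORIGIN case is deliberately conservative (the whole ancestor chain must match), and ALLOW-FROM was never implemented by every browser. Where both are available, the `frame-ancestors` directive returned by `noFramingHeaders()` is the setting newer browsers act on.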