I haz your mouse clicks and key strokes

This talk is not about key loggers and such!

This intentionally funny and technically light talk and demo shows what User Interface Redressing attacks are and how they work.

Web applications built with HTML5, JavaScript and CSS and running in modern browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unxploitable XSS and Facebook Like attacks.

TL;DR: a cool demo and an easy-to-understand explanation of Clickjacking.


Akash Mahajan

April 22, 2012


  2. click · jack · ing |klɪk ˈdʒækɪŋ| verb
     1. User Interface redress attack, UI redress attack, UI Redressing
     2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes.
  13. Frame Bursting / Frame Killers

      if (top.location != location) top.location = self.location;
  14. Best JavaScript code for Frame Bursting

      <style>html { visibility: hidden }</style>
      <script>
        if (self == top) {
          document.documentElement.style.visibility = 'visible';
        } else {
          top.location = self.location;
        }
      </script>
  15. X-Frame-Options
      • Used to prevent Clickjacking
      • Doesn't allow the page to be rendered in a frame
      • DENY: don't render at all if inside a frame; SAMEORIGIN: render only if the framing page is from the same origin
      • IE8+, FF4+, Chrome5+
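As an added example (not code from the talk), a small JavaScript audit helper that models how the DENY and SAMEORIGIN values above are applied when a defender reviews captured response headers. It follows the current HTML standard's processing of X-Frame-Options, which also settles cases the slide does not cover, such as conflicting or unknown values; the header values and origins in it are constructed.

```javascript
// Added example: audit X-Frame-Options on a captured HTTP response.
// Semantics follow the current HTML standard (browsers of 2012 differed
// in some edge cases); ancestorOrigins lists every frame above the page.

// Collect every X-Frame-Options value (header names are case-insensitive,
// comma-separated values may be folded into one line) as lowercase tokens.
function xfoTokens(headers) {
  const tokens = new Set();
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-frame-options') continue;
    for (const part of String(value).split(',')) {
      const t = part.trim().toLowerCase();
      if (t) tokens.add(t);
    }
  }
  return tokens;
}

// True if a browser would render the page inside the given ancestor chain,
// false if X-Frame-Options blocks it.
function mayBeFramed(headers, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;   // top-level: nothing to block
  const tokens = xfoTokens(headers);
  if (tokens.size > 1) {
    // Conflicting values: blocked if any of them is a real directive.
    return !(tokens.has('deny') || tokens.has('sameorigin') || tokens.has('allowall'));
  }
  if (tokens.size === 0) return true;              // header absent: no protection
  const [only] = tokens;
  if (only === 'deny') return false;
  if (only === 'sameorigin') return ancestorOrigins.every(o => o === pageOrigin);
  return true;                                      // unknown token: ignored
}

// One-line finding for a report, probing with a constructed foreign origin.
function auditFraming(headers, pageOrigin) {
  const tokens = [...xfoTokens(headers)];
  if (tokens.length === 0) return 'MISSING: any site can frame ' + pageOrigin;
  if (!mayBeFramed(headers, pageOrigin, ['https://other.example'])) {
    return 'PROTECTED: ' + tokens.join(',') + ' blocks cross-origin framing';
  }
  return 'WEAK: "' + tokens.join(',') + '" does not stop cross-origin framing';
}
```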
  17. References
      • Keyboard Cat (CC NC SA): http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/
      • I haz your mouse clicks and key strokes: http://cheezburger.com/6135914240
      • Just One question: http://www.quickmeme.com/meme/3ow548/
      • Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf
      • http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
      • NoScript image source: Andrew Mason's Flickr photostream
      • http://erickerr.com/like-clickjacking
      • http://arnab.org/blog/reputation-misrepresentation
      • http://erickerr.com/misc/like-clickjacking.js
      • http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/
      • http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html