Slide 1

Slide 1 text

I haz your mouse clicks & key strokes Akash Mahajan @ MetaRefresh 2012

Slide 2

Slide 2 text

click · jack · ing |klɪk ˈdʒækɪŋ| verb
1. User Interface redress attack, UI redress attack, UI Redressing
2. When an attacker uses transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the top-level page. Thus, the attacker is hijacking clicks and/or keystrokes.

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

How to like anything on Facebook/Internet

Slide 9

Slide 9 text

Flash Player Settings: because SWF files can be iframed!

Slide 10

Slide 10 text

Twitter Don’t Click Attack

Slide 11

Slide 11 text

REAL FAKE FAKE REAL

Slide 12

Slide 12 text

Mitigations
• Frame Bursting – why it fails
• X-Frame-Options header

Slide 13

Slide 13 text

Frame Bursting / Frame Killers

if (top.location != location) top.location = self.location;

Slide 14

Slide 14 text

Best JavaScript code for Frame Bursting

<style> html { visibility: hidden } </style>
<script>
  if (self == top) {
    document.documentElement.style.visibility = 'visible';
  } else {
    top.location = self.location;
  }
</script>

Slide 15

Slide 15 text

X-Frame-Options
• Used to prevent Clickjacking
• Tells the browser not to render the page inside a frame
• DENY: don't render at all if inside a frame; SAMEORIGIN: render only if the framing page is served from the same origin
• IE8+, FF4+, Chrome5+
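As an added example (not code from the slides or from the speaker), the snippet below does two things for slide 15: it builds the response headers a server should send for the DENY and SAMEORIGIN policies, and it models the browser-side decision the header drives, so the two policies can be checked against framing pages from the same and from a different origin. The handler shape (req, res with writeHead/end) matches Node's http module; the URLs are constructed for illustration and the names are this example's own.

```javascript
// Added example: serving X-Frame-Options and modelling how a browser applies it.
// No dependencies; URL is a global in Node.js and in browsers.

// The two policy values named on slide 15.
const FRAME_POLICIES = Object.freeze({ DENY: 'DENY', SAMEORIGIN: 'SAMEORIGIN' });

// An origin is scheme + host + port. SAMEORIGIN compares exactly this,
// so https://bank.example and http://bank.example are different origins.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Model of the browser's decision: may a document served with this
// X-Frame-Options value be rendered in a frame whose top-level document
// lives at topUrl? Returns true when rendering is allowed.
function mayRenderInFrame(headerValue, framedUrl, topUrl) {
  if (headerValue === undefined || headerValue === null) {
    return true; // no header at all means no protection: the page is framable
  }
  const value = String(headerValue).trim().toUpperCase();
  if (value === FRAME_POLICIES.DENY) {
    return false; // never render inside a frame, whoever the framer is
  }
  if (value === FRAME_POLICIES.SAMEORIGIN) {
    return originOf(framedUrl) === originOf(topUrl);
  }
  // Unrecognised value: browsers ignore the header, so treat as unprotected.
  return true;
}

// Response headers for a protected page. Throws on anything other than the
// two well-supported values so a typo cannot silently disable protection.
function responseHeadersFor(policy) {
  if (!Object.values(FRAME_POLICIES).includes(policy)) {
    throw new Error('unsupported X-Frame-Options policy: ' + policy);
  }
  return {
    'Content-Type': 'text/html; charset=utf-8',
    'X-Frame-Options': policy,
  };
}

// Request handler that stamps the policy on every response. It has the
// (req, res) shape Node's http.createServer expects, but takes any object
// with writeHead(status, headers) and end(body), which keeps it testable.
function makeHandler(policy) {
  const headers = responseHeadersFor(policy);
  return function handleRequest(req, res) {
    res.writeHead(200, headers);
    res.end('<!doctype html><title>protected page</title>' +
            '<button>Confirm transfer</button>');
  };
}

// Usage with Node's http module (not started here so the module loads cleanly):
//   const http = require('http');
//   http.createServer(makeHandler(FRAME_POLICIES.SAMEORIGIN)).listen(8080);
```

Because `mayRenderInFrame` is a pure function, it doubles as a quick way to check a header value copied from a real response: pass the page's own URL and the URL of a page you do not control as `topUrl` and confirm it returns false. Note that `X-Frame-Options` has no way to allow a specific third-party origin; for that, the later `Content-Security-Policy: frame-ancestors` directive is the tool, and sending both is the usual practice today.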

Slide 16

Slide 16 text

Akash Mahajan That Web Application Security Guy http://akashm.com | @makash [email protected] | 9980527182

Slide 17

Slide 17 text

References
• Keyboard Cat CC NC SA http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/
• I haz your mouse clicks and key strokes http://cheezburger.com/6135914240
• Just One question http://www.quickmeme.com/meme/3ow548/
• Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf
• http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
• NoScript image source: Andrew Mason's Flickr photostream
• http://erickerr.com/like-clickjacking
• http://arnab.org/blog/reputation-misrepresentation
• http://erickerr.com/misc/like-clickjacking.js
• http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/
• http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html