Dailydave mailing list archives
"ClickJacking"
From: Dave Aitel <dave () immunityinc com>
Date: Thu, 25 Sep 2008 10:27:15 -0400
I went to the ClickJacking 20-Questions session yesterday at OWASP:

Essentially if your web page is in the same frame as another page you can slide them under your buttons/URLs using DHTML such that when the user is clicking on your link, they instead really are clicking on some random place on a web page of your choice. This process is essentially invisible to the end user. The difficult thing is finding out what to do with this (i.e. you have to look at gmail's interface and see if you can get them to do anything with just clicks - like set up a filter using CSRF first, then click "OK" to get all the user's email!)

So that's what it is. Seems real enough to me, although the name is gag-worthy. Rsnake says to "Use Lynx."

One typical attack for a process that required lots of buttons to be clicked would be a flash game where people clicked a lot to shoot or something. Or perhaps a "hot or not". You don't need Javascript to do this so noscript isn't going to help you (but it does make life easier). Not sure if HTML Email clients are vuln, but they might be.

Anyways, I'm giving a talk today at 4pm on "Corruption". If for whatever reason you don't want to see the talk (which includes a picture of a giraffe), there's another good talk going on at the same time slot by Chris Eng on how to crack custom crypto in session keys of web apps. Chris Eng and Kevin Dunn (now both at Veracode) are the best people I've ever seen at this sort of wacky stuff, so it's worth a viewing!

-dave
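Added here as an editor's example, not from Dave's post or the list: the header check a defender would run to see whether a page can be framed by another origin at all, which is the precondition for the overlay described above. It relies on the X-Frame-Options and CSP frame-ancestors response headers, both of which post-date this 2008 post; the sample header sets are constructed, not captured from any real site.

```python
"""Clickjacking exposure check for an HTTP response's headers: the overlay only
works if another origin is allowed to frame the page, so check that first."""
from typing import Dict, List, Optional, Tuple

# Constructed sample responses (no real site); "xfo_deny" and "csp_self" are hardened.
SAMPLE_HEADERS = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    # CSP frame-ancestors takes precedence, so the DENY here does not help.
    "csp_open": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def frameable_by_third_party(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether an arbitrary origin may frame this response, with the reason."""
    h = {k.lower(): v for k, v in headers.items()}
    # Report-only policies are never enforced, so only the enforcing header counts.
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # With frame-ancestors present, browsers ignore X-Frame-Options entirely.
        if sources in ([], ["none"]):
            return False, "CSP frame-ancestors 'none'"
        if any(s in ("*", "http:", "https:") for s in sources):
            return True, "CSP frame-ancestors permits any origin"
        return False, "CSP frame-ancestors restricted to " + ", ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        # Current browsers ignore ALLOW-FROM, which leaves the page frameable.
        return True, "X-Frame-Options ALLOW-FROM is not honoured by current browsers"
    return True, "no framing restriction in headers"


def assess_all() -> Dict[str, bool]:
    """Map each sample name to True when it is exposed to clickjacking."""
    return {n: frameable_by_third_party(h)[0] for n, h in SAMPLE_HEADERS.items()}
```

Run `assess_all()` to see which of the constructed responses a third-party page could still overlay; the "csp_open" and "report_only" cases show the two ways a header that looks protective is not.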