Click jacking
• What is ClickJacking?
• Demo
• How Users can be Affected
• Similarities with another Attack
• How to protect Web Applications
• How to Identify Exploitable Web Applications
• How to test Applications
• Previous ClickJacking Attacks
• Summary
• Discovered in 2008 by Robert Hansen and Jeremiah Grossman as a way to perform cross-domain attacks by 'hijacking' user-initiated mouse clicks to perform actions that the user did not intend.
• The attacker chooses a clickable region on a website that the user is currently authenticated to (e.g. a 'Submit' button that performs a particular action).
• To perform the attack, a malicious website loads a page from the target website inside an iFrame made fully transparent and layered on top of another element on the malicious site.
• Previously stated: ClickJacking is one of the more underrated attacks facing modern web applications.
• This is one reason it has not been mentioned in the OWASP Top 10 list so far, but it is predicted to feature in the next version.
A web page can embed another web page via iframe:
  <iframe src="http://bing.com"></iframe>

CSS opacity attribute: 1 = visible, 0 = invisible

• Putting an evil invisible link on top of a legit visible link:
  http://playground.nebulassolutions.com/framer.html
  http://playground.nebulassolutions.com/index.php?page=framing.php
• Demo screenshots: the iFrame is invisible because its opacity is set to 0
• Users can be tricked into clicking on obscured user interface elements of an application and, in doing so, initiate actions against their will, such as:
  - Adding an attacker to a victim's social graph
  - Promoting the attacker's content on a social network
  - Sending a payment to the attacker
  - Compromising the user's session to impersonate the victim user on the application
  - Tricking the user into submitting sensitive credential information
  - Performing a privileged action on behalf of the user (creating or deleting accounts, etc.)
• Both ClickJacking and CSRF aim to trick the victim into requesting something that the attacker wants.
• But ClickJacking allows the attacker to CSRF a page that actually requires a manual click.
• ClickJacking allows an attacker to bypass CSRF protections put in place by a website.
  - The user is tricked into submitting a form directly from the website itself, so there is no need for the attacker to know hidden or secret values in the form, such as CSRF tokens.
Frame Busting
• A page using this method will detect that it has been framed by another web site, and attempt to load itself in place of the site that is framing it (thus 'busting out' of the frame).

  Common Frame Busting Code:
  <script type="text/javascript">
  if (top != self) {              // condition
    top.location = self.location; // counter action
  }
  </script>

• However, a malicious site may try to use the onunload and onbeforeunload page events to prevent a framed site from navigating to a different URL.
• Also, JavaScript can easily be disabled.
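Both weaknesses listed above are addressed by the frame-breaking pattern OWASP recommends for browsers that lack X-Frame-Options support: the page ships with its body hidden by a style element and only reveals itself when it is the top-level document. The block below is an added example, not code from the slides; the style id `antiClickjack`, the `framebreak.js` file name and the fake window/document helpers are assumptions so the decision logic can run under Node as well as in a page.

```javascript
// Hardened frame breaking (OWASP "legacy browser frame breaking" pattern).
// Assumed markup in the protected page (hypothetical):
//   <style id="antiClickjack">body { display: none !important; }</style>
//   <script src="framebreak.js"></script>
// If JavaScript is disabled, the body simply stays hidden, so there is nothing
// to click; if a hostile framer blocks navigation with onbeforeunload, the
// body still stays hidden. Either way no clickable framed page is left behind.

const STYLE_ID = 'antiClickjack';

// `top` and `self` are Window references; comparing them with !== is allowed
// even across origins, so no try/catch is needed here.
function isFramed(win) {
  return win.top !== win.self;
}

// Returns 'revealed' when the page is top-level and the blocking style was
// removed, or 'hidden' when the page is framed and stays invisible.
function applyFrameBreaking(win, doc) {
  if (!isFramed(win)) {
    const blocker = doc.getElementById(STYLE_ID);
    if (blocker && blocker.parentNode) {
      blocker.parentNode.removeChild(blocker);
    }
    return 'revealed';
  }
  // Framed: best-effort attempt to take over the top window. Whether or not
  // the framer manages to block it, the body remains display:none.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // A cross-origin top window may throw; the page stays hidden regardless.
  }
  return 'hidden';
}

// Minimal stand-ins for window/document so the logic can be exercised
// outside a browser. Both URLs are constructed sample values.
function makeFakeWindow(framed) {
  const topWin = {};
  const selfWin = framed ? {} : topWin;
  topWin.location = 'http://framer.example/outer.html';
  selfWin.location = 'http://victim.example/account';
  return { top: topWin, self: selfWin };
}

function makeFakeDocument() {
  const style = { id: STYLE_ID, parentNode: null };
  const head = {
    children: [style],
    removeChild(node) { this.children = this.children.filter(c => c !== node); },
  };
  style.parentNode = head;
  return { getElementById(id) { return head.children.find(c => c.id === id) || null; } };
}

// In a real page this is the only call that runs.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameBreaking(window, document);
}
```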
X-Frame-Options

Browser vendors are now implementing declarative methods such as X-Frame-Options, first introduced by Microsoft in Internet Explorer 8.

Web browsers that support this security feature will prevent a web page from being displayed in an iFrame if the X-Frame-Options header is set by the page.

Add X-Frame-Options to the HTTP response header
• Allows an application to specify whether or not specific pages of the site can be framed.
• Option 1: DENY
    HttpServletResponse response …;
    response.addHeader("X-FRAME-OPTIONS", "DENY");
  This option means the page can never be framed by any page, including a page with the same origin.
• Option 2: SAMEORIGIN
    HttpServletResponse response …;
    response.addHeader("X-FRAME-OPTIONS", "SAMEORIGIN");
  This option means the page can be framed, but only by another page with the same origin.
• Option 3: ALLOW-FROM
    HttpServletResponse response …;
    response.addHeader("X-FRAME-OPTIONS", "ALLOW-FROM https://some.othersite.com");
  This option means the page can be framed, but only by the specified origin.
• It is important for developers to add the X-Frame-Options header server side, as many users still use old browsers, leaving them at risk from ClickJacking.
• Namely, IE6 and IE7 don't know about this header.
• OWASP ZAP 1.4.0.1 Active Scan alerts the user to this issue if the X-Frame-Options header is missing.
• The tester can also capture the response to verify manually.
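What the ZAP alert and a manual capture are really checking is whether the response carries a framing directive that browsers enforce. The block below is an added example, not the slides' code and not ZAP's implementation: it classifies a captured response-header object the way a tester would, recognising the three X-Frame-Options values from the slides, flagging a missing header, treating conflicting duplicate values as a misconfiguration, and also accepting a Content-Security-Policy `frame-ancestors` directive, which current browsers honour in preference to X-Frame-Options. The sample responses and the `checkUrl` helper are constructed for the example.

```javascript
// Framing-protection check over HTTP response headers (added example).

// Collect all values for a header, matching the name case-insensitively.
// `headers` is a plain object as produced by Node's http client; repeated
// headers may arrive as an array or as a comma-joined string.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers).find(k => k.toLowerCase() === wanted);
  if (key === undefined) return [];
  const raw = headers[key];
  const list = Array.isArray(raw) ? raw : String(raw).split(',');
  return list.map(v => v.trim()).filter(v => v.length > 0);
}

// Returns { status, reason } where status is one of:
//   'protected'     DENY, SAMEORIGIN, or a CSP frame-ancestors directive
//   'partial'       ALLOW-FROM (only IE and old Firefox ever implemented it)
//   'misconfigured' conflicting duplicate values or an unrecognised value
//   'vulnerable'    no framing directive at all (what the ZAP alert reports)
function assessFraming(headers) {
  const cspFrameAncestors = headerValues(headers, 'content-security-policy')
    .flatMap(v => v.split(';'))
    .map(d => d.trim().toLowerCase())
    .filter(d => d.startsWith('frame-ancestors'));
  if (cspFrameAncestors.length > 0) {
    return { status: 'protected', reason: `CSP ${cspFrameAncestors[0]}` };
  }

  const xfo = [...new Set(headerValues(headers, 'x-frame-options').map(v => v.toUpperCase()))];
  if (xfo.length === 0) {
    return { status: 'vulnerable', reason: 'X-Frame-Options header missing' };
  }
  if (xfo.length > 1) {
    // RFC 7034 allows the header once; conflicting values are not reliably enforced.
    return { status: 'misconfigured', reason: `conflicting values: ${xfo.join(' | ')}` };
  }
  const value = xfo[0];
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { status: 'protected', reason: `X-Frame-Options ${value}` };
  }
  if (value.startsWith('ALLOW-FROM ')) {
    return { status: 'partial', reason: 'ALLOW-FROM is ignored by most browsers' };
  }
  return { status: 'misconfigured', reason: `unrecognised value "${value}"` };
}

// Constructed sample responses, one per case the check distinguishes.
const SAMPLE_RESPONSES = {
  missing:     { 'content-type': 'text/html' },
  deny:        { 'Content-Type': 'text/html', 'X-FRAME-OPTIONS': 'DENY' },
  sameorigin:  { 'x-frame-options': 'sameorigin' },
  allowFrom:   { 'x-frame-options': 'ALLOW-FROM https://some.othersite.com' },
  conflicting: { 'x-frame-options': ['DENY', 'SAMEORIGIN'] },
  csp:         { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
};

// Live variant: fetch a URL with Node's http/https client and assess its headers.
function checkUrl(url) {
  const client = url.startsWith('https:') ? require('https') : require('http');
  return new Promise((resolve, reject) => {
    client.get(url, res => { res.resume(); resolve(assessFraming(res.headers)); })
          .on('error', reject);
  });
}
```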
Twitter
• Exploit: Force Twitter users to post a message
Facebook
• Exploit: Force users to
Advertising and Affiliate Networks
• Force users to click on ads for $$$ CYBER CRIME CASH $$$
Adobe Flash
• Adjust the privacy settings to turn on the camera and microphone
• Attackers can trick victims' browsers into clicking on things in victim websites by putting that website in a transparent iframe.
• We harden our sites by adding a new response header, 'X-Frame-Options'.
• Many users still use old browsers, leaving them at risk from ClickJacking.
• Also, any client-side validation with JavaScript is easily turned off.
The good news
• ClickJacking is simple to prevent.
The bad news
• The vulnerability is powerful and prevalent.
• Many web applications have ClickJacking vulnerabilities.