1. CLICKJACKING: A WEB PAGE STEALS YOUR SOCIAL INTERACTIONS
Faysal Hossain Shezan
CSE, BUET
2. REFERENCE
CLICKJACKING: A WEB PAGE CAN HEAR AND SEE YOU
Article
Publishing Year 2014/15
Clickjacking: Attacks and Defenses
Presented as part of the 21st USENIX Security Symposium (USENIX Security 12)
Publishing Year 2012
3. OVERVIEW
Root cause of clickjacking is identified
New variants of ClickJacking attack
Drawbacks of existing defense
Proposing a new defense mechanism
A survey on Amazon Mechanical Turk with 2064 participants
4. WHAT IS CLICKJACKING?
•The user's click is hijacked in order to perform some action of the attacker's interest
•Also known as a "UI redress attack"
•The attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page
9. HOW DOES IT OCCUR?
•The attacker's page is constructed to lure the victim into clicking on an object.
•The click is made to land on some other object and so performs an action the victim did not intend.
This is the root cause.
10. HOW DOES IT OCCUR?
Frame busting to thwart Cross Frame Scripting attacks
code snippet:
<script type="text/JavaScript">
  // if this document is not the top-level window, replace the framing page with ourselves
  if (top != self) top.location.replace(location);
</script>
Drawback: the page can still be framed. The parent frame controls the entire display shown to the user, which tricks the user into clicking the hidden child frame.
11. THREAT TO USER
•Tricking users into enabling their webcam and microphone through Flash
•Tricking users into making their social networking profile information public
•Downloading and running malware that lets a remote attacker take control of the victim's computer
•Making users follow someone on Twitter
•Sharing or liking links on Facebook
•Getting likes on a Facebook fan page or +1s on Google Plus
•Clicking Google AdSense ads to generate pay-per-click revenue
•Playing YouTube videos to gain views
•Following someone on Facebook
13. STEPS TAKEN SO FAR…
X-Frame-Options gives three options:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM www.xyz.com
Drawback of XFO:
SAMEORIGIN (like DENY) blocks all cross-origin framing, so it cannot protect elements that must be embedded by third-party sites
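As an added example (not part of the slides or either paper), the following code shows what a server should send for each of the three X-Frame-Options policies and how a defender can check, offline, whether a given chain of framing origins would be allowed by those headers. It goes beyond the slides in one respect: it pairs X-Frame-Options with the Content-Security-Policy frame-ancestors directive, which is the modern replacement and the only way to express an allow-list, since ALLOW-FROM takes a single origin and is not honoured by current browsers. All origins (bank.example, attacker.example, partner.example) are constructed for the example.

```javascript
// Added example: anti-framing headers and an offline framing check.
// Policies: "deny", "sameorigin", or "allowlist" with explicit origins.

// Build the headers a server should send for a policy. X-Frame-Options is the
// legacy header from the slides; frame-ancestors is consulted first by browsers
// that support both, so they should agree.
function antiFramingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case "deny":
      return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
      };
    case "sameorigin":
      return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
      };
    case "allowlist":
      // ALLOW-FROM cannot carry more than one origin and is unsupported in
      // modern browsers, so the allow-list lives only in frame-ancestors.
      return {
        "Content-Security-Policy": `frame-ancestors 'self' ${allowedOrigins.join(" ")}`,
      };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Decide whether a page served with `headers` from `pageOrigin` may be rendered
// inside the given chain of ancestor origins (outermost first). Every ancestor
// is checked, which is what stops an attacker from hiding behind a trusted
// intermediate frame. (Simplification: real X-Frame-Options SAMEORIGIN checks
// differ between browsers; some only look at the top-level origin.)
function framingAllowed(headers, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // top-level document, nothing to check
  const csp = headers["Content-Security-Policy"];
  if (csp) {
    const m = /frame-ancestors\s+([^;]+)/.exec(csp);
    if (m) {
      const sources = m[1].trim().split(/\s+/);
      return ancestorOrigins.every((anc) =>
        sources.some((src) =>
          src === "'self'" ? anc === pageOrigin : src !== "'none'" && src === anc
        )
      );
    }
  }
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ancestorOrigins.every((a) => a === pageOrigin);
  return true; // no policy at all: any site may frame the page, i.e. the clickjacking risk
}
```

A useful way to use the checker is to feed it the headers captured from a real response and the list of origins your own site legitimately embeds it from; any attacker-controlled origin in the chain should come back as not allowed, and an empty header set comes back as allowed, which is the finding you are looking for.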
15. COMPROMISING TARGET DISPLAY INTEGRITY
The attacker creates an illusion for the victim
A legitimate-looking decoy object is placed over the target object
The victim is confused and clicks on the decoy
The actual click lands on the target site, giving the attacker the specific action or information wanted from the target
17. COMPROMISING TARGET DISPLAY INTEGRITY
LikeJacking
• The attacker presents a web page that contains two iframes stacked over one another
• The lower frame is designed with a Facebook "Like" button
• The upper frame shows some attractive content
18. COMPROMISING TARGET DISPLAY INTEGRITY
Tweet Bomb
• Multiple dummy accounts
• Sending a large number of tweets in a short interval
• Becomes a trending topic on Twitter
19. COMPROMISING POINTER INTEGRITY
•The attacker displays a blinking cursor in a text field
•The victim clicks in the text field and the click is hijacked
•The attacker displays a fake cursor icon
•The victim gets confused and misinterprets the cursor
20. COMPROMISING POINTER INTEGRITY
Cursorjacking
• The attacker displays a false cursor which is away from the actual one
• The victim has a wrong perception of the actual position of the cursor
• A custom mouse cursor icon is shifted a few pixels away from the actual spot
http://koto.github.io/blog-kotowicz-net-examples/cursorjacking/
21. COMPROMISING POINTER INTEGRITY
Strokejacking
•A blinking cursor asks for keyboard input
•The attacker switches keyboard focus to the target element
•The blinking cursor confuses victims into thinking that they are typing text into the attacker's input field, whereas they are actually interacting with the target element.
22. COMPROMISING TEMPORAL INTEGRITY
Bait and switch
• When the mouse comes near the "claim your free iPad" button, the Like button moves to its location before the user realizes it.
23. COMPROMISING TEMPORAL INTEGRITY
•The attacker captures the mouse hover event
•When the click is just about to happen, the attacker swaps the positions of the target element and the decoy element
•To increase the probability of success, the attacker may ask the victim to click multiple times or to double-click
24. CLICKJACKING THROUGH ONLINE GAMING
• A dummy web page that contains an online game
• The attacker places the play button below a transparent Facebook Like button
25. NEW ATTACK VARIANTS
•Attack Technique: Cursor spoofing
•Attack Success: 43%
•A fake cursor is displayed to the user
•Loud video or audio plays automatically
26. NEW ATTACK VARIANTS
•Attack Technique: Popup Window
•Attack Success: 47%
•The attacker lures the victim into performing a double-click
•After the first click a Google OAuth dialog pops up and the attacker steals the private data
27. NEW ATTACK VARIANTS
•Attack Technique: Cursor Spoofing + Fast-paced Clicking
•Attack Success: 98%
•Known as the Whack-a-mole attack
•The user needs to click on an object to get a reward
•Suddenly the object is replaced by a Facebook Like button
30. INCONTEXT DEFENSE
Goal:
•Does not require user prompts
•Provides pointer integrity protection
•Supports target elements that require arbitrary third-party embedding
•Does not break existing sites
31. INCONTEXT DEFENSE
Ensuring Visual Integrity
•Find the sensitive element
•Compare a cropped screenshot of its screen area with the reference bitmap of the element rendered alone
•Clickjacking is detected when a mismatch is found
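The screenshot comparison above, as an added toy example (not the slides' or the InContext paper's code): a reference bitmap of the sensitive element rendered on its own is compared byte for byte with what is actually on screen at click time, and the click is only delivered on an exact match. The bitmaps are tiny constructed RGBA buffers in the shape of a browser ImageData; the overlay helper models a decoy element (or an opaque decoy underneath a transparent target) changing what the user sees.

```javascript
// Added example: toy visual-integrity check in the style of InContext.
// Bitmaps are {width, height, data} with RGBA bytes, like ImageData.

// Construct a solid-colour bitmap (e.g. the element as the browser renders it alone).
function makeBitmap(width, height, rgba) {
  const data = new Uint8ClampedArray(width * height * 4);
  for (let i = 0; i < width * height; i++) data.set(rgba, i * 4);
  return { width, height, data };
}

// Composite a rectangle of the given colour and opacity over a copy of the
// bitmap. This models a decoy drawn over the target; alpha = 1 also models the
// case where the target itself is transparent and the decoy shows through.
function overlay(bitmap, x0, y0, w, h, rgba, alpha) {
  const out = { width: bitmap.width, height: bitmap.height, data: new Uint8ClampedArray(bitmap.data) };
  for (let y = y0; y < y0 + h; y++) {
    for (let x = x0; x < x0 + w; x++) {
      const i = (y * bitmap.width + x) * 4;
      for (let c = 0; c < 3; c++) {
        out.data[i + c] = Math.round(out.data[i + c] * (1 - alpha) + rgba[c] * alpha);
      }
    }
  }
  return out;
}

// Count pixels that differ in any channel. Returns Infinity when the sizes
// differ (the element was resized or clipped), which also counts as a mismatch.
function differingPixels(reference, screenshot) {
  if (reference.width !== screenshot.width || reference.height !== screenshot.height) return Infinity;
  let diff = 0;
  for (let i = 0; i < reference.data.length; i += 4) {
    for (let c = 0; c < 4; c++) {
      if (reference.data[i + c] !== screenshot.data[i + c]) { diff++; break; }
    }
  }
  return diff;
}

// InContext requires an exact match before a click on the element is delivered.
function shouldDeliverClick(reference, screenshot) {
  return differingPixels(reference, screenshot) === 0;
}
```

Returning a pixel count rather than a boolean lets a caller log how much of the element was obscured, which is useful when tuning where the check fires; the delivery decision itself stays strict, since even a one-pixel decoy edge is evidence the user did not see the element the page claims they clicked.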
34. INCONTEXT DEFENSE
Ensuring visual integrity of pointer
• Mute the speaker while the user interacts with sensitive elements
- Attack success: 43%
- Attack success (Mute + Freezing): 2%
35. INCONTEXT DEFENSE
Ensuring visual integrity of pointer
• Lightbox effect around the pop-up dialog
- Attack success: 43%
- Attack success (Lightbox + Freezing + Mute): 2%
• No programmatic cross-origin keyboard focus changes
36. INCONTEXT DEFENSE
Ensuring Temporal Integrity
•UI delay after pointer entry
•Pointer re-entry on a newly visible sensitive element
• When a sensitive UI element first appears or is moved to a location where it overlaps with the current location of the pointer, the pointer must leave and re-enter the element before a click is accepted
•Padding area around the sensitive element
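The three temporal-integrity rules above, as an added toy example (not the slides' or the InContext implementation's code): a guard for one sensitive element that starts a delay clock when the pointer enters a padded region around the element, resets it when the pointer leaves, and demands a fresh entry whenever the element appears or moves under the pointer, which is exactly the bait-and-switch case. The delay and padding values are assumed for the example, not taken from the paper; coordinates and timestamps are constructed.

```javascript
// Added example: a toy click gate implementing InContext-style temporal integrity.
const DEFAULT_DELAY_MS = 1000;  // assumed UI delay after pointer entry
const DEFAULT_PADDING_PX = 20;  // assumed padding width around the element

// Is point p inside rect, optionally grown by pad pixels on every side?
function contains(rect, p, pad = 0) {
  return p.x >= rect.x - pad && p.x < rect.x + rect.w + pad &&
         p.y >= rect.y - pad && p.y < rect.y + rect.h + pad;
}

class SensitiveElementGuard {
  constructor(rect, delayMs = DEFAULT_DELAY_MS, paddingPx = DEFAULT_PADDING_PX) {
    this.rect = rect;          // {x, y, w, h} of the sensitive element
    this.delayMs = delayMs;
    this.paddingPx = paddingPx;
    this.lastPointer = null;   // last known pointer position
    this.inside = false;       // pointer currently within the padded region?
    this.enteredAt = null;     // time of the last genuine entry; null while re-entry is pending
  }

  // Rules 1 and 3: the delay clock starts on a genuine entry into the padded
  // region (so the padding buys time before the element itself is reached)
  // and resets whenever the pointer leaves.
  pointerMove(p, now) {
    const insideNow = contains(this.rect, p, this.paddingPx);
    if (insideNow && !this.inside) this.enteredAt = now;
    if (!insideNow) this.enteredAt = null;
    this.inside = insideNow;
    this.lastPointer = p;
  }

  // Rule 2: the element just appeared, or moved (bait-and-switch). If the
  // pointer is already under it, it counts as "inside" without having entered,
  // so the clock will not start until the pointer leaves and comes back.
  elementShownOrMoved(rect) {
    this.rect = rect;
    this.enteredAt = null;
    this.inside = this.lastPointer !== null && contains(rect, this.lastPointer, this.paddingPx);
  }

  // Decide the fate of a click at point p at time now.
  click(p, now) {
    this.pointerMove(p, now);  // a click implies the pointer is at p
    if (!contains(this.rect, p)) return "outside";
    if (this.enteredAt === null) return "blocked: re-entry required";
    if (now - this.enteredAt < this.delayMs) return "blocked: within UI delay";
    return "delivered";
  }
}
```

The guard returns a reason string rather than a boolean so that a page or browser could surface why a click was swallowed; in the bait-and-switch scenario the first click after the swap is refused for lack of re-entry, and the first click after re-entry is refused by the delay, which together defeat both the swap and the "click fast" instruction from the slides.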
39. CONCLUSION
•This paper introduces a new mechanism to prevent clickjacking
•The survey shows the effectiveness of the InContext defense mechanism
•New variants of attacks are on the rise
•Other clickjacking techniques need to be detected and ways found to thwart them