I haz your mouse clicks and key strokes

Transcript

1. I haz your mouse clicks & key strokes Akash Mahajan

   @ MetaRefresh 2012

2. click · jack · ing |klɪk ˈdʒækɪŋ| verb 1. User

   Interface redress attack, UI redress attack, UI Redressing 2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes
3. None
4. None
5. None
6. None
7. None

8. How to like anything on Facebook/Internet

9. Flash Settings Player : Because SWF files can be iframed!

10. Twitter Don’t Click Attack

11. REAL FAKE FAKE REAL

12. Mitigations • Frame Bursting –Why it fails • X Frames

    Header

13. Frame Bursting / Frame Killers i f ( t o

    p . l o c a t i o n != l o c a t i o n ) t o p . l o c a t i o n = s e l f . l o c a t i o n ;

14. Best JavaScript code for Frame Bursting <s t y l

    e >html f v i s i b i l i t y : h i d d e n g</ s t y l e > <s c r i p t > i f ( s e l f == t o p ) f document . documentElement . s t y l e . v i s i b i l i t y = ’ v i s i b l e ’ ; g e l s e f t o p . l o c a t i o n = s e l f . l o c a t i o n ; g </ s c r i p t >

15. X-Frame-Options • Used to prevent Clickjacking • Doesn’t allow page

    to be rendered in a frame • DENY : Don’t render at all if inside a frame, SAMEORIGIN : Only if being served from the origin • IE8+, FF4+, Chrome5+

16. Akash Mahajan That Web Application Security Guy http://akashm.com | @makash

    [email protected] | 9980527182

17. References • Keyboard Cat CC NC SA http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/ • I

    haz your mouse clicks and key strokes http://cheezburger.com/6135914240 • Just One question http://www.quickmeme.com/meme/3ow548/ • Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for- shells_PDF-version.pdf • http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf • (NoScript image source: Andrew Mason's Flickr photostream). • http://erickerr.com/like-clickjacking • http://arnab.org/blog/reputation-misrepresentation • http://erickerr.com/misc/like-clickjacking.js • http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/ • http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html