Upgrade to Pro — share decks privately, control downloads, hide ads and more …

I haz your mouse clicks and key strokes

Akash Mahajan
April 22, 2012
Technology
1
120

I haz your mouse clicks and key strokes

This talk is not about key loggers and such!

This intentionally funny and technically light talk+demo will show you how and what are User Interface Redressing Attacks.

Web Applications using HTML5 + JavaScript + CSS + Modern Browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unxploitable XSS and Facebook Like attacks.

TL;DR Cool demo and simple to understand explaination of ClickJacking

Akash Mahajan

April 22, 2012
Tweet

More Decks by Akash Mahajan

See All by Akash Mahajan
Getting Started with Cloud Native Security for Security Pros
makash
0
99
Secure Software Development For Cloud (AWS) Teams
makash
1
390
On Writing Well
makash
0
160
Minimum Viable Security for Startups
makash
1
79
Reliable Automated Cloud Native Security Operations
makash
0
180
Doing SecOps for the Cloud using CloudNative
makash
1
320
OSINT Techniques for Pwning FinTech
makash
1
310
Secrets In Our Clouds
makash
0
180
It's The Threat Model Silly
makash
0
250

Other Decks in Technology

See All in Technology
いまならこう作りたい AWSコンテナ[本格]入門ハンズオン 〜2024年版 ハンズオンの構想〜
horsewin
9
2.1k
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110
Figma Dev Modeで進化するデザインとエンジニアリングの協働 / figma-with-engineering
cyberagentdevelopers
PRO
1
430
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
5
49k
クライアントサイドでよく使われる Debounce処理 をサーバサイドで3回実装した話
yoshiori
1
150
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
730
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
グローバル展開を見据えたサービスにおける機械翻訳プラクティス / dp-ai-translating
cyberagentdevelopers
PRO
1
150
Aurora_BlueGreenDeploymentsやってみた
tsukasa_ishimaru
1
120
APIテスト自動化の勘所
yokawasa
7
4.1k
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
640

Featured

See All Featured
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
Code Reviewing Like a Champion
maltzj
519
39k
RailsConf 2023
tenderlove
29
880
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
41
2.1k
Gamification - CAS2011
davidbonilla
80
5k
How GitHub (no longer) Works
holman
311
140k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k
Art, The Web, and Tiny UX
lynnandtonic
296
20k
A better future with KSS
kneath
238
17k
Rails Girls Zürich Keynote
gr2m
93
13k

Transcript

  1. I haz your mouse clicks & key strokes Akash Mahajan

    @ MetaRefresh 2012

  2. click · jack · ing |klɪk ˈdʒækɪŋ| verb 1. User

    Interface redress attack, UI redress attack, UI Redressing 2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes
  3. None
  4. None
  5. None
  6. None
  7. None

  8. How to like anything on Facebook/Internet

  9. Flash Settings Player : Because SWF files can be iframed!

  10. Twitter Don’t Click Attack

  11. REAL FAKE FAKE REAL

  12. Mitigations • Frame Bursting –Why it fails • X Frames

    Header

  13. Frame Bursting / Frame Killers i f ( t o

    p . l o c a t i o n != l o c a t i o n ) t o p . l o c a t i o n = s e l f . l o c a t i o n ;

  14. Best JavaScript code for Frame Bursting <s t y l

    e >html f v i s i b i l i t y : h i d d e n g</ s t y l e > <s c r i p t > i f ( s e l f == t o p ) f document . documentElement . s t y l e . v i s i b i l i t y = ’ v i s i b l e ’ ; g e l s e f t o p . l o c a t i o n = s e l f . l o c a t i o n ; g </ s c r i p t >

  15. X-Frame-Options • Used to prevent Clickjacking • Doesn’t allow page

    to be rendered in a frame • DENY : Don’t render at all if inside a frame, SAMEORIGIN : Only if being served from the origin • IE8+, FF4+, Chrome5+

  16. Akash Mahajan That Web Application Security Guy http://akashm.com | @makash

    [email protected] | 9980527182

  17. References • Keyboard Cat CC NC SA http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/ • I

    haz your mouse clicks and key strokes http://cheezburger.com/6135914240 • Just One question http://www.quickmeme.com/meme/3ow548/ • Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for- shells_PDF-version.pdf • http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf • (NoScript image source: Andrew Mason's Flickr photostream). • http://erickerr.com/like-clickjacking • http://arnab.org/blog/reputation-misrepresentation • http://erickerr.com/misc/like-clickjacking.js • http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/ • http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html