
I haz your mouse clicks and key strokes

This talk is not about key loggers and such!

This intentionally funny and technically light talk and demo will show you what User Interface Redressing attacks are and how they work.

Web applications built with HTML5, JavaScript, CSS and modern browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unexploitable XSS and Facebook Like attacks.

TL;DR Cool demo and a simple-to-understand explanation of Clickjacking


Akash Mahajan

April 22, 2012

Transcript

  1. click · jack · ing |klɪk ˈdʒækɪŋ| verb
     1. User Interface redress attack, UI redress attack, UI Redressing
     2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is hijacking clicks and/or keystrokes.
  2. Frame Busting / Frame Killers

        // If this page is not the top-level window, navigate the top window to it.
        if (top.location != location) top.location = self.location;
  3. Best JavaScript code for Frame Busting

        <style>html { visibility: hidden }</style>
        <script>
          // The page stays hidden unless it is the top-level window;
          // a framed copy instead navigates the top window to itself.
          if (self == top) {
            document.documentElement.style.visibility = 'visible';
          } else {
            top.location = self.location;
          }
        </script>
  4. X-Frame-Options
     • Used to prevent Clickjacking
     • Doesn’t allow the page to be rendered in a frame
     • DENY: don’t render at all if inside a frame; SAMEORIGIN: render only if the framing page is served from the same origin
     • Supported in IE8+, FF4+, Chrome 5+
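The following is an added example and not code from the talk: a small Node.js model of how a browser applies the X-Frame-Options values listed on the slide (absent header, DENY, SAMEORIGIN) when a page is loaded inside a frame, plus a request handler that sends the header on every response. The function names (`xfoAllowsFraming`, `clickjackingSafeHandler`, `demo`) and the sample origins (`bank.example`, `evil.example`) are assumptions made for this example. It goes slightly beyond the slide in one respect: it also shows that browsers ignore a value they do not recognise, so a misspelt header gives no protection at all.

```javascript
// Added example (not from the talk): model the browser's X-Frame-Options
// decision and set the header from a Node.js request handler.
// Names and sample origins below are assumptions made for this example.

// An origin is scheme + host + port; URL.host already includes a non-default port.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.host === b.host;
}

// Decide whether a page served with the given X-Frame-Options value is rendered
// when framed.
//   pageUrl   - URL of the response carrying the header (the framed page)
//   framerUrl - URL of the top-level page trying to frame it
// Returns { render, reason }; render === true means the browser shows the frame.
function xfoAllowsFraming(headerValue, pageUrl, framerUrl) {
  if (headerValue === undefined || headerValue === null) {
    return { render: true, reason: 'no X-Frame-Options header, framing allowed' };
  }
  const value = String(headerValue).trim().toUpperCase();
  if (value === 'DENY') {
    return { render: false, reason: 'DENY: never rendered inside a frame' };
  }
  if (value === 'SAMEORIGIN') {
    return sameOrigin(pageUrl, framerUrl)
      ? { render: true, reason: 'SAMEORIGIN: framer is the same origin' }
      : { render: false, reason: 'SAMEORIGIN: framer is a different origin' };
  }
  // Browsers ignore values they do not recognise, so a typo such as
  // "SAME-ORIGIN" silently leaves the page frameable from anywhere.
  return { render: true, reason: `unrecognised value "${headerValue}" gives no protection` };
}

// Minimal handler usable with http.createServer(clickjackingSafeHandler).
// DENY is the safe default; use SAMEORIGIN only if the app frames its own pages.
function clickjackingSafeHandler(req, res, policy = 'DENY') {
  res.setHeader('X-Frame-Options', policy);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<!doctype html><title>protected</title><p>This page refuses to be framed.</p>');
}

// Walk through the cases from the slide with constructed sample origins.
// Returns the render decision for each case, in order.
function demo() {
  const page = 'https://bank.example/transfer';
  const cases = [
    [undefined, 'https://evil.example/'],     // no header at all
    ['DENY', 'https://bank.example/'],        // even the same origin is refused
    ['SAMEORIGIN', 'https://bank.example/help'],
    ['SAMEORIGIN', 'https://evil.example/'],
    ['SAMEORIGIN', 'http://bank.example/'],   // scheme differs: not the same origin
    ['SAME-ORIGIN', 'https://evil.example/'], // misspelt header is ignored
  ];
  return cases.map(([header, framer]) => {
    const result = xfoAllowsFraming(header, page, framer);
    console.log(`${String(header).padEnd(12)} framed by ${framer.padEnd(28)} -> ` +
                `${result.render ? 'RENDERED' : 'blocked'} (${result.reason})`);
    return result.render;
  });
}

demo();
```

Run it with `node` to print the six decisions; `demo()` returns `[true, false, true, false, false, true]`. The last case is the one worth remembering when reviewing a deployment: the header only protects when its value is spelled exactly `DENY` or `SAMEORIGIN`, so a check that merely confirms the header is present is not enough.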
  5. References
     • Keyboard Cat CC NC SA http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/
     • I haz your mouse clicks and key strokes http://cheezburger.com/6135914240
     • Just One question http://www.quickmeme.com/meme/3ow548/
     • Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf
     • http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf
     • NoScript image source: Andrew Mason's Flickr photostream
     • http://erickerr.com/like-clickjacking
     • http://arnab.org/blog/reputation-misrepresentation
     • http://erickerr.com/misc/like-clickjacking.js
     • http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/
     • http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html