- What is Clickjacking?
Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
Clickjacking involves generating a fake graphical overlay on top of an existing Web page in order to visually change the Web page while preserving its functionality (buttons, forms, etc.). This is done with the intention of misleading users into interacting with the hidden Web page while they believe they are interacting with a completely different Web site.
- Description:
Using only the CSS z-index property and an HTML iframe, an attacker can create a transparent copy of the victim web page that contains privileged buttons. Underneath this transparent iframe, the attacker puts content, like a game, that entices the user to click. You may think you're playing a game, when you're actually starting a webcam recording.
Sample Script Code:
<html>
<body>
<!-- Layer 1 (z-index:2, on top): the target page, loaded in a nearly transparent iframe -->
<div style="z-index:2; position:absolute; top:0; left:0; width:70%; height:70%">
  <iframe src="http://www.facebook.com/home.php?" id="frame1"
          style="opacity:0.4; filter:alpha(opacity=40);" width="100%" height="100%"
          onmouseover="this.style.opacity=.5; this.filters.alpha.opacity=50"
          onmouseout="this.style.opacity=0; this.filters.alpha.opacity=0"></iframe>
</div>
<!-- Layer 2 (z-index:1, underneath): the decoy content the user believes they are clicking -->
<div align="right" style="position:absolute; top:0; left:0; z-index:1; width:70%; height:70%; background-color:yellow; text-align:left;">
  <strong>This is an example of how a simple clickjacking attack is done by a malicious site.</strong><br/>
</div>
</body>
</html>
Example-1:
In this example, an attacker carries out the clickjacking attack using a technique called IFrame overlays. In this technique, the malicious Web page includes code that generates the fake UI and an IFrame that points to an email application at a different domain. When the two are combined, the top-level page covers portions of the IFrame in order to expose only the “Yes” button, and the user can easily be tricked into deleting all messages in his inbox.
Example-2:
One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer's microphone and camera.
Example-3:
ClickJacking is similar to many other scams that have attacked Facebook over the years. It attracts users with status updates like “OMG This Guy Went a Little Too Far with His Revenge on His Ex-Girlfriend”.
On clicking the link, it asks users to complete a validation test to ensure that the response is not from a computer. However, by responding, users are actually clicking Facebook’s “share” and “like” buttons, while also posting the message to their wall.
- Protection:
The best defense against ClickJacking attacks is to use Firefox with the NoScript add-on installed.
The default protections that NoScript has provided for a long time, i.e. JavaScript and plugin blocking, can prevent most clickjacking attacks. Since version 1.8.2, NoScript provides a new default kind of protection called ClearClick, which defeats clickjacking whether or not you block frames.
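The overlay in the Description only works if the browser will load the target page inside an iframe at all, so the check a site owner wants, alongside the client-side NoScript protection above, is whether the site's own HTTP responses forbid framing. The following is an added example, not code from the original post or from NoScript: a small Node.js function that evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers and reports whether a page served with them could be framed from a given origin. The header semantics (DENY, SAMEORIGIN, 'self', 'none', explicit origins) are the standard ones; the sample header sets and the origins mail.example, partner.example and evil.example are constructed for the demo.

```javascript
// Added example (not from the original post): decide whether a page served
// with the given HTTP response headers can be loaded in an <iframe> by a
// page at `framingOrigin`. Assumes Node.js; no external modules.

// Parse a Content-Security-Policy value into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns { framable: boolean, reason: string }. Header names are matched
// case-insensitively, as HTTP requires. Browsers that support CSP give
// frame-ancestors precedence over X-Frame-Options, so it is checked first.
// Simplification: scheme-only sources such as "https:" are not handled.
function framingPolicy(headers, pageOrigin, framingOrigin) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  const csp = lower['content-security-policy'];
  if (csp) {
    const fa = parseCsp(csp)['frame-ancestors'];
    if (fa) {
      const allowed = fa.some((src) => {
        const s = src.replace(/^'|'$/g, '').toLowerCase();
        if (s === 'none') return false;
        if (s === 'self') return framingOrigin === pageOrigin;
        if (s === '*') return true;
        return s === framingOrigin.toLowerCase();
      });
      return { framable: allowed, reason: `CSP frame-ancestors ${fa.join(' ')}` };
    }
  }

  const xfo = lower['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return { framable: false, reason: 'X-Frame-Options: DENY' };
    if (v === 'SAMEORIGIN') {
      return { framable: framingOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
    }
    // ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return { framable: true, reason: `unrecognised X-Frame-Options value "${xfo}"` };
  }

  return { framable: true, reason: 'no framing restriction header' };
}

// Constructed sample header sets, from unprotected to fully locked down.
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  deny: { 'X-Frame-Options': 'DENY' },
  sameorigin: { 'x-frame-options': 'sameorigin' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspPartner: { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
};

// For each sample, report whether a page at `pageOrigin` could be framed
// from `attackerOrigin` (the situation the overlay demo above relies on).
function report(pageOrigin, attackerOrigin) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = framingPolicy(headers, pageOrigin, attackerOrigin).framable;
  }
  return out;
}

console.log(report('https://mail.example', 'https://evil.example'));
// { unprotected: true, deny: false, sameorigin: false, cspSelf: false, cspPartner: false }
```

Run it with node; the only set that comes back framable from a foreign origin is the one with no restriction header, which is exactly the condition the z-index overlay in the sample code needs. Serving both headers is the usual practice so that browsers without CSP support still honour X-Frame-Options.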
Happy Hacking...Enjoy...
For educational purpose only...Do not misuse it...