Tuesday 30 December 2014

Clickjacking







What is Clickjacking:

Clickjacking attack allows to perform an action on victim website, Mostly Facebook and Twitter accounts are targetable.
when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top
level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both. It may be similar to CSRF Cross Site Request Forgeries Attack. 


Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in
2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.


Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they
are typing in the password to their email or bank account, but are instead typing into
an invisible frame controlled by the attacker.


At present this attack mostly use on social network websites like Facebook and twitter, Because this attack is used by convinced victim for click on the link and SocialNetwork website might be very useful for attack on victim.

One famous example of clickjacking is Facebook.






Code:

 <style>
 iframe { /* iframe from facebook.com */
  width:300px;
  height:100px;
  position:absolute;
  top:0; left:0;
  filter:alpha(opacity=50); /* in real life opacity=0 */
  opacity:0.5;
}
</style>

<div>Click on the link to get more followers:</div>
   
<iframe src="/files/tutorial/window/clicktarget.html"></iframe>

<a href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">CLICK ME!</a>

<div>You'll be get 10000 followers..!!</div>

Output:
Click on the link to get more followers
Click Me
You'll be get 10000 followers..!!


Download
ClickJacking Tool


For Defence:
Clickjacking Protection



For more information:
OWASP

No comments:

Post a Comment

ADD THE FACEBOOK WIDGET CODE HERE