Hari Narayana - Copy

  • 8/11/2019 Hari Narayana - Copy

    Security Nightmare

    CONTENTS

    Abstract

    Introduction

    Main Topic

    Future Scope

    Conclusion

    References

    ABSTRACT

    Clickjacking attacks are an emerging threat on the web. Clickjacking can cause severe damage, including compromising a user's private webcam [...] other private data and web surfing anonymity. The root cause of clickjacking is that an attacker application presents a sensitive UI element of a target application [...] context to a user, and hence the user is tricked into acting out of context. To address this root cause, [...] mark the UI elements which are sensitive, and browsers enforce context integrity of user actions on these sensitive UI elements, ensuring that the user ca[...] everything. Recent studies state that these attacks have a 43% to 98% success rate.

    INTRODUCTION

    Clickjacking is a malicious technique of tricking a web user into clicking on an invisible page.

    The term clickjacking was coined by Jeremiah Grossman and Robert Hansen.

    Jeremiah Grossman, Robert Hansen

    CONTD..

    When multiple applications or websites share a general display, they are subject to clickjacking.

    Attackers can trick the user into interacting with the UI elements of an[...] triggering actions not intended by the user.

    Clicking, touching and voice control are some of the actions through which a user can be attacked.

    For example, an attacker web page tricks users into clicking on Facebook Like [...] by transparently overlaying it on top of an innocuous UI element, such as a "Free iPad" button.

    Frame busting is one of the anti-clickjacking methods, but it is fundamentally incompatible with embeddable third-party widgets, such as Facebook [...] buttons.

    ANTI-CLICKJACKING DEFENCES

    Several anti-clickjacking methods have been proposed, and some have been developed by the browsers.

    Protecting Visual Context

    User Confirmation

    UI Randomization

    Opaque overlay policy

    Framebusting

    Visibility Detection on Click

    Protecting Temporal Context

    Access Control Gadgets

    NEW ATTACK VARIANTS

    Cursor Spoofing Attacks

    Double-Click Attacks

    Double-Click Attack Page

    Whack-a-mole Attacks

    Several experiments were conducted on these new attack variants of clickjacking.

    Future Scope

    Use of JavaScript to position the hidden iframe

    Use of URL fragment identifiers to accurately align the frame content

    Inject controlled text into a form field using the browser's drag-and-drop API (HTML5)

    The same-origin policy does not apply here.

    Java allows overriding the default behavior.

    Initiate the drag with a simple click

    Steal the content (and HTML) of a cross-domain page.

    Conclusion

    Survey of existing clickjacking attacks and defenses.

    First user study on the effectiveness of clickjacking attacks.

    Introduced the concept of context integrity and used it to define and characterize clickjacking attacks and their root causes.

    Designed, implemented, and evaluated InContext, a set of techniques to maintain context integrity.

    Amazon Mechanical Turk show that our attacks are highly effective with success rates ranging from 43% to 98%.
