Jacking. Drishti Wali, Prashant Kumar.

Presentation transcript:

Slide 1: Jacking. Drishti Wali, Prashant Kumar

Slide 2: UI Redress Attack
- Clickjacking, also known as "UI redress attack" or "User Interface redress attack", is a malicious technique in which an attacker tricks a user into clicking a button or link on another web page while the user intended to click on the top-level page.

Slide 3: Clicking in the Wild
- A Google search for "clickjacking" returns 698,000 results, so this is not a hypothetical threat.
- Many attacks against Facebook and Twitter. It must have happened to some of you. People have given some of them fancy names:
  - Likejacking: a Facebook user is lured into clicking on a link, having been promised the chance to see a shocking video or other salacious content. If the victim is logged in, the click "likes" a page and automatically recommends the link to the victim's friends as soon as the page is clicked. (So the next time you see a shocking-video notification on Facebook, watch out.)
  - Users send out tweets against their will.

Slide 4: Clickjacking Meets Spamming
- Clickjacking also made the news in the form of a Twitter worm. This attack convinced users to click on a button which caused them to re-tweet the location of the malicious page, and it propagated massively.

Slide 5: Adobe Flash Webcam Jacking
- One of the most notorious examples of clickjacking was an attack against the Adobe Flash plugin settings page.
- By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving any Flash animation permission to use the computer's microphone and camera.

Slide 6: How it's done!
- The attacker overlays multiple transparent or opaque frames to trick a user into clicking on a button or link on another page.
- Clicks meant for the visible page are hijacked and routed to another, invisible page. In the slide's figure (not reproduced in the transcript), Twitter is the invisible page.

Slide 7: It's All About iFrame
- Code: the allowtransparency attribute of the iframe is set to true.
- The CSS opacity property defines the visibility percentage of the iframe:
  - 1.0: completely visible
  - 0.0: completely invisible

Slide 8: Hiding the Target Element ["Clickjacking: Attacks and Defenses"]
- Use the CSS opacity and z-index properties to hide the target element and make another element float under the target element. The z-index property specifies the stack order of an element; an element with a greater stack order is always in front of an element with a lower stack order.
- Using CSS pointer-events: none, the element is never the target of mouse events; however, mouse events may target its descendants.
[Figure labels: "Click" button; z-index: -1; opacity: 0.1; pointer-events: none; "Click" button]

Slide 9: Fake Cursors ["Clickjacking: Attacks and Defenses"]
- There are other ways to hijack the click, e.g. use the CSS cursor property and JavaScript to simulate a fake cursor icon on the screen.
[Figure labels: real cursor icon; fake cursor icon; cursor: none]

Slide 10: Compromising Temporal Integrity ["Clickjacking: Attacks and Defenses"]
- Manipulate UI elements after the user has decided to click, but before the actual click occurs.
[Figure label: "Click" button]

Slide 11: Keyboard "Strokejacking" ["Clickjacking: Attacks and Defenses"]
- A similar technique can be used to hijack keystrokes. By carefully drafting a combination of stylesheets, iframes, buttons and text boxes, a user can be led into believing that they are typing a password or other information into some authentic web page while it is being channelled into an invisible frame controlled by the attacker.
[Figure: the attacker's page shows a "Typing Game" ("Type whatever the screen shows to you": Xfpog95403poigr06=2kfpx) with a text box; a hidden iframe within the attacker's page contains a "Transfer Bank" form with Account and Amount (USD) fields.]

Slide 12: Prevention
- There are many ways to limit these attacks, e.g. the NoScript add-on (Firefox), frame busting, frame killers, declaring framing options using the X-Frame-Options header, etc. But we won't be talking about those.
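The header-based defence the slide names is what a reviewer checks for on a response. The following Python helper is an added example, not part of the slides: it reads a page's response headers, evaluates X-Frame-Options and the newer CSP frame-ancestors directive, and reports whether a given origin could frame the page. Sample headers are constructed, and CSP host matching is simplified (ports are ignored).

```python
"""Decide whether a page can be framed, from its HTTP response headers.
Added example (not from the slides): checks X-Frame-Options, which the
slide names, and CSP frame-ancestors. Ports ignored; samples constructed."""
from urllib.parse import urlsplit


def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive (quotes stripped), or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def _source_matches(src, page_origin, framer_origin):
    """Simplified matching of one frame-ancestors source against the framer."""
    if src == "none":
        return False
    if src == "self":
        return framer_origin == page_origin
    if src == "*":
        return True
    if src.endswith(":"):                  # scheme-source such as https:
        return framer_origin.startswith(src)
    s = urlsplit(src if "://" in src else "//" + src)
    f = urlsplit(framer_origin)
    if s.scheme and s.scheme != f.scheme:
        return False
    host, fhost = s.netloc.split(":")[0], (f.hostname or "").lower()
    if host.startswith("*."):              # wildcard covers any subdomain
        return fhost.endswith(host[1:])
    return fhost == host


def framing_allowed(headers, page_origin, framer_origin):
    """Return (allowed, reason). A frame-ancestors directive, when present,
    overrides X-Frame-Options, as browsers do; no policy means framable."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        for src in ancestors:
            if _source_matches(src, page_origin, framer_origin):
                return True, "CSP frame-ancestors allows " + src
        return False, "CSP frame-ancestors excludes " + framer_origin
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):       # obsolete; modern browsers ignore it
        return True, "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    return True, "no framing protection header"
```

A response with neither header, or with only the obsolete ALLOW-FROM form, is reported as framable, which is the condition the attacks on the earlier slides rely on.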
