Presentation is loading. Please wait.

Presentation is loading. Please wait.

New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow."— Presentation transcript:

1 New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow

2 What is ClickJacking? “The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants.” Ehab Ashary 12/8/2010 2

3 Why Should I care? It is transparent Simple to implement Difficult to stop No one has yet come up with an effective solution SQL Injection 1,440,000 Google Results ~ 12 year old Cross-Site Scripting xss 1,150,000 Google Results ~ 14 year old ClickJacking 265,000 Google Results ~ 2 year old Ehab Ashary 12/8/2010 3

4 How? It is all about iFrame. Any site can frame any other site HTML attributes:  Style, layouting HTML element  Opacity defining the visibility percentage of the iFrame o1.0 complete visible o0.0 complete invisible Ehab Ashary 12/8/2010 4

5 Facebook, Like or Unlike Ehab Ashary 12/8/2010 5

6 Facebook, Like or Unlike Ehab Ashary 12/8/2010 6

7 Facebook, Like or Unlike Ehab Ashary 12/8/2010 7

8 Facebook, Like or Unlike http://www.facebook.com/plugins/like.php?href=http:// www.victoriassecret.com/&layout=button_count&s how_faces=false&width=50&action=like&colo rscheme=light&height=21 Ehab Ashary 12/8/2010 8

9 Mitigation Techniques HTTP Response Header: X-Frame-Option  Internet Explorer 8+, Opera 10.5+, Safari 4+, Chrome 4  Deny, prevents the page from being rendered if it’s within a frame  SameOrigin, prevents the page from rendering if it’s within a frame from another top-level domain Header append X-FRAME-OPTIONS "SAMEORIGIN" Header append X-FRAME-OPTIONS "DENY" Frame Busting Script  Used to determine if site is being rendered in a frame  Can be defeated If (top.location.hostname != self.location.hostname) top.location.href = self.location.href Ehab Ashary 12/8/2010 9

10 Mitigation Techniques Use Non-graphical Web browser, Lynx Install NoScript Firefox plug-in, which blocks embedded content from untreated domains Trust no one on the Internet Ehab Ashary 12/8/2010 10

11 References www.webmonkey.com New Insights into Clickjacking OWASP AppSec Research 2010 www.owasp.org Next Generation Clickjacking.New attacks against framed web pages -Black Hat Europe, 14thApril 2010 www.contextis.co.uk www.contextis.co.uk http://noscript.net/ http://lynx.browser.org/ Ehab Ashary 12/8/2010 11

12 Questions? Ehab Ashary 12/8/2010 12

Download ppt "New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow."

Similar presentations

HTML Basics Customizing your site using the basics of HTML.

HTML Basics Customizing your site using the basics of HTML.
Appeared in 30 th IEEE Symposium on Security and Privacy, May 2009. Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.

Appeared in 30 th IEEE Symposium on Security and Privacy, May Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
Ideas to Layout Beginning web layout using Cascading Style Sheets (CSS). Basic ideas, practices, tools and resources for designing a tableless web site.

Ideas to Layout Beginning web layout using Cascading Style Sheets (CSS). Basic ideas, practices, tools and resources for designing a tableless web site.
HTTP Request/Response Process 1.Enter URL (http://server.com) in your browser’s address bar. 2.Your browser uses DNS to look up IP address of server.com.

HTTP Request/Response Process 1.Enter URL ( in your browser’s address bar. 2.Your browser uses DNS to look up IP address of server.com.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
HTML 5. What is HTML5? HTML5 will be the new standard for HTML, XHTML, and the HTML DOM. The previous version of HTML came in 1999. The web has changed.

HTML 5. What is HTML5? HTML5 will be the new standard for HTML, XHTML, and the HTML DOM. The previous version of HTML came in The web has changed.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.

Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1.

(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1.
HTML 5 Tutorial Chapter 1 Introduction. What is HTML5? HTML5 will be the new standard for HTML, XHTML, and the HTML DOM. The previous version of HTML.

HTML 5 Tutorial Chapter 1 Introduction. What is HTML5? HTML5 will be the new standard for HTML, XHTML, and the HTML DOM. The previous version of HTML.
Lecture 18. HTML5 and JavaScript Instructor: Jie Yang Department of Computer Science University of Massachusetts Lowell 91.113 Exploring the Internet,

Lecture 18. HTML5 and JavaScript Instructor: Jie Yang Department of Computer Science University of Massachusetts Lowell Exploring the Internet,
Chapter 14 Introduction to HTML

Chapter 14 Introduction to HTML
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Audio and Video on the Web Sec 5-12 Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.

Audio and Video on the Web Sec 5-12 Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.

Similar presentations

Ads by Google