Clickjacking PDF
Branch: cyber forensic information security
Overview
What is clickjacking
How clickjacking works
How users can be affected
Clickjacking is like CSRF
How to protect against clickjacking
Previous clickjacking attacks
Summary
What is clickjacking?
• Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website. Consider the following example:
• A web user accesses a decoy website (perhaps this is a link provided by an email) and clicks on a button to win a prize. Unknowingly, they have been deceived by an attacker into pressing an alternative hidden button and this results in the payment of an account on another site. This is an example of a clickjacking attack. The technique depends upon the incorporation of an invisible, actionable web page (or multiple pages) containing a button or hidden link, say, within an iframe. The iframe is overlaid on top of the user's anticipated decoy web page content. This attack differs from a CSRF attack in that the user is required to perform an action such as a button click whereas a CSRF attack depends upon forging an entire request without the user's knowledge or input.
How clickjacking works
How clickjacking works with example
1. So basically, when I click on the red "click here" mark, I am redirected to another website.
Explaining with HTML code
How users can be affected
Users can be tricked into clicking on obscured user interface elements of an application and in so doing initiate actions against their will, such as:
• adding an attacker to the victim's social graph
• promoting the attacker's content on a social network
• sending a payment to the attacker
• compromising the user's session to impersonate the victim user on the application
• tricking the user into submitting sensitive credential information
• performing a privileged action on behalf of the user (create or delete account, etc.)
Clickjacking is like CSRF
Both want to trick the victim into requesting something that the attacker wants.
But clickjacking allows the attacker to CSRF a page that actually requires a manual click.
Clickjacking allows an attacker to bypass CSRF protections put in place by a website.
The user is tricked into submitting a form directly from the website itself, so there is no need for the attacker to know hidden or secret values in the form, such as CSRF tokens.
How to protect against clickjacking
• Frame busting
• A page using this method will detect that it has been framed by another web site, and attempt to load itself in place of the site that is framing it (thus "busting out" of the frame).
• Common frame busting code:
    <script type="text/javascript">
      // condition: are we running inside another page's frame?
      if (top != self) {
        // counter-action: replace the framing page with ourselves
        top.location = self.location;
      }
    </script>
• However, a malicious site may try to use the onunload and onbeforeunload page events to prevent the framed site from navigating to a different URL.
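Because script-based frame busting can be defeated as described above, the usual complement is a response header the browser itself enforces: X-Frame-Options or Content-Security-Policy frame-ancestors. The following is an added example, not code from the original slides; it takes a constructed set of response headers and reports whether a third-party page could still frame the response.

```javascript
// Added example (not from the slides): decide from HTTP response headers whether
// a page on an arbitrary third-party origin may load this response in an iframe,
// i.e. whether browser-enforced clickjacking defences are present. Two headers:
//   Content-Security-Policy: frame-ancestors <sources>   (modern; authoritative)
//   X-Frame-Options: DENY | SAMEORIGIN                   (legacy fallback)
// Header names are matched case-insensitively, as HTTP requires.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]).trim();
}

// Return the lower-cased frame-ancestors source list from a CSP value, or null
// if the directive is absent. Directives are ';'-separated, tokens by whitespace.
function frameAncestors(csp) {
  if (csp === null) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Returns { framable, reason }; framable === true means any origin can frame it.
function assessFraming(headers) {
  const ancestors = frameAncestors(headerValue(headers, 'content-security-policy'));
  if (ancestors !== null) {
    // '*' or a bare scheme such as https: admits every origin using that scheme;
    // 'none', 'self' or an explicit host list keeps third parties out.
    const open = ancestors.some((s) => s === '*' || /^https?:$/.test(s));
    const listed = ancestors.length ? ancestors.join(' ') : "'none'";
    return open
      ? { framable: true, reason: 'CSP frame-ancestors allows any origin' }
      : { framable: false, reason: `CSP frame-ancestors limits framing to ${listed}` };
  }
  const xfo = headerValue(headers, 'x-frame-options');
  if (xfo !== null) {
    const v = xfo.toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') return { framable: false, reason: `X-Frame-Options ${v}` };
    // ALLOW-FROM and any other value is not recognised by current browsers, so
    // the header is silently ignored and gives no protection at all.
    return { framable: true, reason: `X-Frame-Options "${xfo}" is not enforced by browsers` };
  }
  return { framable: true, reason: 'no X-Frame-Options or CSP frame-ancestors header' };
}

// Constructed sample responses: an unprotected page and a hardened one.
console.log(assessFraming({ 'Content-Type': 'text/html' }));
console.log(assessFraming({ 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }));
```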
Previous clickjacking attacks
• Twitter
• Exploit: force Twitter users to post a message
• Facebook
• Exploit: force users to
• Advertising and affiliate networks
• Force users to click on ads for $$$ cyber crime cash $$$
• Adobe Flash
• Adjust the privacy settings to turn on the camera and microphone
Summary
Clickjacking is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another.
It is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element.
Clickjacking is simple to prevent.
The vulnerability is powerful and prevalent.
Many web applications have clickjacking vulnerabilities.
Thank you