Wednesday, October 22, 2008 9:55 AM
cmosby
Clickjacking - McAfee Avert Labs Blog
Clickjacking
Wednesday October 15, 2008 at 5:11 am CST
Posted by Zhu Cheng
Trackback
Lately, the topic of clickjacking has gained popularity in discussions on the internet. It is a new type of web attack. I decided to find out what it’s all about.
I found an online video of OWASP NYC AppSec 2008 here. In the video, Jeremiah Grossman & Robert “RSnake” Hansen reported this new vulnerability in a presentation titled “New Zero-Day Browser Exploits –ClickJacking”. I also found a demo of this vulnerability here.
In the videos they describe only parts of the vulnerability, but it is enough for us to have a basic idea of what clickjacking is.
To explain this, let’s use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set to higher than other elements of page A via CSS. B will also need to be so big so that the user can click it’s content. The attacker can then place any button to do anything he wants in B. Then the attacker can place some buttons on page A. The location of the buttons in B must match the buttons in A. So when the user clicks on a button on page A, they are actually clicking the button in B because the z-index property of B’s buttons are higher than A’s buttons. This attack uses DHTML, does not require Javascript, so disabling Javascript will not help.
This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich media internet application today. Adobe has released a security advisory and provided a workaround.
We will continue to monitor for new information about this vulnerability.
Filed under: Security and Anti-Virus, Internet Hacks, Spam\Phishing, Cybercrime