Thursday, December 27, 2012


CLICKJACKING COUNTERMEASURES




To protect Firefox against clickjacking, install the NoScript add-on. This free, open-source add-on only allows JavaScript, Java, Flash and other plugins to be executed by sites you trust; all scripting is blocked by default. When you visit any website you will find the NoScript options at the bottom of the window.



Fig 1: Options add-on

You have several options to choose from: stop some scripts from running while allowing others, allow the entire website, or stop or simply block the complete website. For a trusted website, click the option and allow it; when you are visiting an unfamiliar website, be careful and let NoScript do its job.



Fig 2: Enable iframe

There are many other options besides these, such as blocking tracking sites and ad hosts. Against clickjacking you need to enable "Forbid <IFRAME>" in the NoScript options, and possibly apply these restrictions to trusted sites as well.


Fig 3: Clickjacking blocking alert

When "Forbid <IFRAME>" is enabled, NoScript blocks the clickjacking IFRAME.

Tuesday, December 25, 2012


CLICKJACKING TOOL



Introduced by Stone at Black Hat Europe in 2010, this tool visualizes clickjacking techniques in practice. It can be used to craft and replay various clickjacking techniques against web sites that have not yet implemented clickjacking protection. The tool has been tested in Firefox 3.6 and Internet Explorer 8.




Fig 1: Clickjacking Practice Tool

Online Clickjacking Sample Page


Click the above URL; it is a live sample page. This is a simple example of clickjacking: it shows the top of a visible dummy page and the bottom of the transparent target page.



Fig 2: Clickjacking dummy page

The user sees the top of a visible dummy page.

Fig 3: Clickjacking Invisible page

Inside the clickjacking overlay: the invisible target page.

Tuesday, December 18, 2012


BASIC CLICKJACKING


A typical clickjacking attack uses two nested iframes to crop and position an element from a target website. The inner iframe contains the target page and must be large enough to display it in its entirety, so that the element on which the user will click is visible without scrolling. The outer iframe is much smaller and acts as a window onto the page loaded in the inner iframe. For a user interface redressing attack, the outer iframe should only be large enough to display the targeted element. You think you are clicking on the website you see, but you are really clicking on an invisible website right under your mouse. Clickjacking affects many browsers and platforms.

inner.html

<iframe id="inner" src="http://www.google.com" width="2000" height="2000" scrolling="no" frameborder="0"></iframe>


Fig 1: Inner.html

clickjacking.html

<iframe id="inner" src="inner.html" width="2005" height="290" scrolling="no" frameborder="0"></iframe>
<style type="text/css">
#inner { position: absolute; left: -1955px; top: -14px; }
</style>

trustedpage.html

<h1>www.nds.rub.de</h1>
<form action="http://www.nds.rub.de">
<input type="submit" value="Go">
</form>
<iframe id="clickjacking" src="clickjacking.html" width="50" height="300" scrolling="no" frameborder="0"></iframe>
<style type="text/css">
#clickjacking { position: absolute; left: 7px; top: 81px; opacity: 0.0; }
</style>



Fig 2: Trustedpage.html

1. inner.html: frames google.com in a 2000x2000 px iframe
2. clickjacking.html: shifts the iframe with src="inner.html" to the left (and slightly up) so that only the wanted region stays in view
3. trustedpage.html: places a transparent iframe with src="clickjacking.html" over the "Go" button
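Both the NoScript "Forbid <IFRAME>" setting from the countermeasures post and the nested frames above hinge on whether the target page allows itself to be framed at all. The following Python check is added here and is not part of the original post: it classifies an HTTP response by the two headers a site uses to refuse framing, X-Frame-Options and Content-Security-Policy frame-ancestors. The sample responses are constructed, not captured from real sites.

```python
from typing import Dict, List, Optional

# Constructed sample responses (not real captures) for a few framing policies.
SAMPLE_RESPONSES = {
    "no protection":  {"Content-Type": "text/html"},
    "xfo deny":       {"X-Frame-Options": "DENY"},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp none":       {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp partner":    {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
}

def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response as 'denied', 'same-origin', 'restricted' or 'framable'."""
    h = {k.lower(): v for k, v in headers.items()}
    # CSP frame-ancestors wins over X-Frame-Options in browsers that support both.
    sources = csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["none"]:
            return "denied"
        if sources == ["self"]:
            return "same-origin"
        return "framable" if "*" in sources else "restricted"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "denied"
    if xfo == "sameorigin":
        return "same-origin"
    # ALLOW-FROM is obsolete: current browsers ignore the whole header, so the
    # page can still be framed; any other unknown value is likewise ignored.
    return "framable"

def framable_samples() -> List[str]:
    """Names of the constructed samples that the nested-iframe demo could frame."""
    return [name for name, hdrs in SAMPLE_RESPONSES.items()
            if framing_policy(hdrs) == "framable"]

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:15s} -> {framing_policy(hdrs)}")
```

A response that comes back "framable" is one the trustedpage.html layout above could overlay; "denied" or "same-origin" means the browser refuses to render the page inside a third-party iframe.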


Table 1 compares three browser-based attacks by the number of Google search results they return and by their age in years.


Table 1. Clickjacking vs. Browser Based Attack

Attack                               Google Results   Years
Cross-Site Scripting (XSS)           15,700,000       15
Cross-Site Request Forgery (CSRF)    2,870,000        11
Clickjacking                         1,200,000        3

The following chart (Figure 3) shows the Google results for clickjacking.



Fig 3: Clickjacking growth chart

Saturday, December 15, 2012


Clickjacking



The clickjacking attack was introduced by Robert Hansen and Jeremiah Grossman in September 2008. The attack constructs a malicious web page that tricks the user into performing unintended clicks that benefit the attacker. It can be used to propagate worms, steal confidential information such as passwords and cookies, send spam, delete personal mail, and so on. It has attracted broad attention from the security industry and the web community, yet most websites still have not implemented effective protection against clickjacking.

The vulnerability exists across a variety of browsers and platforms. A clickjacking attack takes the form of embedded code or script that executes without the user's knowledge, for example when the user clicks on a button that appears to perform a different function. Clickjacking, also known as user interface redressing, is a malicious technique that tricks users into clicking a button or image that will run a hidden malicious script from another site. The attacker uses multiple transparent or opaque layers so that a user who intends to click on the innocuous page actually clicks on a button or link belonging to another page. The attacker thus hijacks the click and sends it to another website, which is why the technique is called clickjacking (click + hijacking). The possibilities for abusing clickjacking are endless.

Several aspects have major web sites and companies especially alarmed. In some cases the user may recognize the attack immediately; in other cases the user may be totally unaware of what took place. First, the attack can run against virtually any web site without the site owner's knowledge or ability to stop it. Second, clickjacking can take the user to a mirror site while still making them believe they are on the company's web site, and mine personal information that is often given freely. Third, no browser, except the very few that are not graphical, is immune from clickjacking. In addition to stealing personal data such as bank account information, credit card numbers and Social Security numbers, clickjacking can also install software on a computer without the user's knowledge. This software could be viruses, spyware or adware; the latter may not be extremely harmful in nature, but it often presents a big problem for computers. Browser vendors and Internet security software companies are working on security patches that would help correct the situation, but that may take some time.

Tuesday, December 11, 2012


Honeypots




In computer terminology, honeypot systems are decoy servers or systems set up to gather information about an attacker or intruder into your system. It is important to remember that honeypots do not replace traditional Internet security systems; they are an additional layer. A honeypot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems (this includes the hacker, the cracker and the script kiddie). Bear in mind that an attacker who takes over a honeypot can use it to harm, attack, or infiltrate other systems or organizations, so the honeypot must be contained. Honeypots are a highly flexible security tool that can be used in a variety of different deployments.


Honeypots can be set up inside, outside or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside the firewall for control purposes. In a sense, they are variants of standard Intrusion Detection Systems (IDS), but with more of a focus on information gathering and deception.

According to Webopedia.com, luring a hacker into a honeypot system serves several main purposes: the administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned; the hacker can be caught and stopped while trying to obtain root access to the system; and by studying the activities of hackers, designers can build more secure systems that are potentially invulnerable to future hackers.

Monday, December 3, 2012

Microsoft Attack Surface Analyzer


The Attack Surface Analyzer beta is a Microsoft verification tool now available for independent software vendors (ISVs) and IT professionals to highlight the changes in system state, runtime parameters and securable objects on the Windows operating system. This analysis helps developers, testers and IT professionals identify increases in the attack surface caused by installing applications on a machine.

The tool takes snapshots of a system and compares ("diffs") them to identify changes. It does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses introduced as applications are installed on the Windows operating system.

The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product's default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, Microsoft ActiveX controls, listening ports and other parameters that affect a computer's attack surface.
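As an added illustration, and not Microsoft's code, here is the snapshot-and-diff idea in Python: two constructed snapshots covering the categories the tool inspects (files, registry keys, services, ActiveX controls, listening ports) are compared, and a few heuristics flag the additions that widen the attack surface. The snapshot contents, the service encoding name|account|start type and the all-zero CLSID are constructed placeholders, not real system data.

```python
from typing import Dict, List, Set

Snapshot = Dict[str, Set[str]]   # category -> set of observed items

# Constructed "before" snapshot of a clean machine (not a real capture).
BEFORE: Snapshot = {
    "files":    {r"C:\Windows\System32\kernel32.dll"},
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp"},
    "services": {"Dhcp|LocalService|auto"},
    "activex":  set(),
    "ports":    {"127.0.0.1:135/tcp"},
}
# Constructed "after" snapshot, once a hypothetical product "Demo" is installed.
AFTER: Snapshot = {
    "files":    {r"C:\Windows\System32\kernel32.dll", r"C:\Program Files\Demo\demo.exe"},
    "registry": {r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp",
                 r"HKLM\SYSTEM\CurrentControlSet\Services\DemoSvc"},
    "services": {"Dhcp|LocalService|auto", "DemoSvc|LocalSystem|auto"},
    "activex":  {"{00000000-0000-0000-0000-000000000000}"},   # placeholder CLSID
    "ports":    {"127.0.0.1:135/tcp", "0.0.0.0:8080/tcp"},
}

def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, Dict[str, Set[str]]]:
    """For every category, list the items added and removed between the snapshots."""
    delta = {}
    for cat in sorted(set(before) | set(after)):
        b, a = before.get(cat, set()), after.get(cat, set())
        delta[cat] = {"added": a - b, "removed": b - a}
    return delta

def attack_surface_findings(delta: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Flag the added items that widen the attack surface most (simple heuristics)."""
    findings = []
    for port in sorted(delta["ports"]["added"]):
        if port.startswith(("0.0.0.0:", "[::]:")):        # reachable from the network
            findings.append(f"new port listening on all interfaces: {port}")
    for svc in sorted(delta["services"]["added"]):
        name, account, start = svc.split("|")
        if account == "LocalSystem" and start == "auto":   # highest privilege, always on
            findings.append(f"new auto-start service running as LocalSystem: {name}")
    for clsid in sorted(delta["activex"]["added"]):       # may be instantiated by IE
        findings.append(f"new ActiveX control registered: {clsid}")
    return findings

if __name__ == "__main__":
    for line in attack_surface_findings(diff_snapshots(BEFORE, AFTER)):
        print(line)
```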

Read More : http://blogs.msdn.com/b/sdl/archive/2012/08/02/attack-surface-analyzer-1-0-released.aspx