Presentation is loading. Please wait.

Presentation is loading. Please wait.

Clickjacking Attacks and Defenses.

Published byAustin Ayre Modified over 9 years ago

Similar presentations

Presentation on theme: "Clickjacking Attacks and Defenses."— Presentation transcript:

1 Clickjacking Attacks and Defenses

2 Background Clickjacking is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on. Get Free IPad Like A clickjacking site contains at least two

3 Existing Clickjacking Attacks
Compromising target display integrity Compromising pointer integrity Compromising temporal integrity Three ways of forcing user into issing input commands

4 Compromising target display integrity
Get Free IPad Hiding the target element Opacity value and Z-index vale Decoy un-clickable Partial overlays Cover receipt and amount Cropping Crop the target element to show a piece of the element Like COVER No overlapping

5 Compromising Pointer integrity
CursorJacking Display a fake cursor Hide the default cursor examples/cursorjacking/ Strokejacking Blinking cursor Invisible sensitive element Visible fake input field

6 Compromising Temporal integrity
Manipulate UI element after the user decided to click, but before the actual click occurs. Previous two sections manipulated visual context trick user into sending input to wrong UI Manipulate UI element after the user decided to click, before the actual click Double Click

7 EXISITING anti-clickjacking defense
User Confirmation Degrades user experience UI Randomization Not robust Opacity Overlay Policy Too strong Framebusting Some application need to be embedded Can be evaded 1.Facebook 2. Randomize UI layout.It’s hard for attacker to predict the location of the button Express checkout dialogAsk user to keep clicking until successuflly guessing the location 4. Javascript code guarantee top-level document

8 EXISITING anti-clickjacking defense
Visibility Detection on Click Can only address to hiding element strategy UI delay for cross-origin interactions User experience No method to address to point integrity attacks Allow rendering transparent frames, block events on these elements The length of the UI delay is clearly a tradeoff beteen the user experience penalty and protection from timing attacks There is no reason for a benign application to expect users to click a transparent element

9 New Attack Variants #1 Attack Technique: Cursor spoofing
Attack Success: 43%

10 New Attack Variants #2 Attack Technique: Popup Window
Attack Success: 47% Framebusting authorzie

11 New Attack Variants #3 Attack Technique: Cursor Spoofing + Fast- paced Clicking Attack Success: 98% Play the game with a facked cursor t Control user’s attention The game envorgage users to clock buttons as fast as poosible and the buttons aare shown at random location. Later point in the game, a like button will apear in the real curson;s position, it is highly possble user will clict it because users attention is on other buttons

12 InContext Defense Design Goals Does not require user prompts
Provides point integrity protection Supports target elements that require arbitrary third-party embedding Does not break existing sites

13 InContext Defense Ensuring Visual Integrity Find the Sensitive Element
Application indicate which UI element is sensitive Dynamic OS-level screenshot comparison Determine whether the sensitive element looks different in the page Static reference bitmap The browser draws the sensitive element on a blank surface No animated contents No good How about automated content?

14 InContext Defense Ensuring visual integrity of pointer
•  Remove cursor customization -  Attack success: 43% -> 16%

15 InContext Defense Ensuring visual integrity of pointer
•  Freeze screen around target on pointer entry -  Attack success (margin=20px): 4% Use animation to distract user from

16 InContext Defense • Mute the speaker when a user interacts
with sensitive elements -  Attack success: 43% -  Attack success (Mute + Freeezing): 2% Freezing M=20px

17 InContext Defense Ensuring visual integrity of pointer
•  Lightbox effect around target on pointer entry -  Attack success: 43% -  Attack success ( Lightbox + Freezing + Mute): 2%

18 InContext Defense No programmatic cross-origin keyboard focus changes
To stop strokejacking attacks, once the sensitive UI element acquires keyboard focus, InContext disallows programmatic changes of keyboard focus to other origins.

19 InContext Defense Ensuring Temporal Integrity
UI delay after pointer entry Point re-entry on a newly visible sensitive element When a sensitive UI element first appears or is moved to a location where it will overlap with the current location of the pointer, user needs to re-entry Padding area around sensitive element

20 Evaluation Method Recruit people from Amazon to do tests
Total of 3521 participants, 2064 of which are valid participants The evaluation results are reliable. Only evaluate three attacks, not large-scale.

21 Comparison Measurement
The USENIX paper provides more attacking scenarios and defense cases. The AsiaCCS paper presents a first, large-scale attempt to demonstrate that clickjacking is prevalent and serious. Deployment Both are deployed in browser. ClickIDS is a plugin, InContext can be implemented as a plugin. Introduce New Attacks? The USENIX paper introduces three new attacks.

22 Comparison Defense Mechanism
InContext is more Complete (Pointer, Cropping, strokejacking) InContext only address to elements labeled by application itself as sensitive. Less user experience penalty Evaluation USENIX paper’s authors recruit people from Amazon to evaluate InContext’ effectiveness. More accurate. But only test a few attacks The AsiaCCS uses tools to simulate users’ behaviors to evaluate ClickIDS’s effectiveness in large scale. Large scale, but not accurate. This method will introduce FP. Only clickable events and overlapping

23 Conclusiton The paper discussed current clickjacking techniques and existing anti-clickjacking defenses The paper proposed three new attack variants that can evade current defenses The evaluation results show that our attacks are highly effective (success rates 43% to 98%) The paper proposed InContext defense mechanism, which be can very effective against clickjacking

Download ppt "Clickjacking Attacks and Defenses."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Chapter 11 Designing the User Interface

Chapter 11 Designing the User Interface
Using PeopleSoft’s User Productivity Kit (UPK)

Using PeopleSoft’s User Productivity Kit (UPK)
Microsoft Dynamics® SL

Microsoft Dynamics® SL
Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:

Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:
USABILITY & ACCESSIBILITY IN WEB CONFERENCING TOOLS: A SIDE-BY-SIDE COMPARISON Accessing Higher Ground, 2009.

USABILITY & ACCESSIBILITY IN WEB CONFERENCING TOOLS: A SIDE-BY-SIDE COMPARISON Accessing Higher Ground, 2009.
Benchmark and Java Applet Test Scenario Presentation Outline Introduction to Benchmark Testing Procedure to create the test Benchmark Playback Results.

Benchmark and Java Applet Test Scenario Presentation Outline Introduction to Benchmark Testing Procedure to create the test Benchmark Playback Results.
ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang.

ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang.
Intermediate Level Course. Text Format The text styles, bold, italics, underlining, superscript and subscript, can be easily added to selected text. Text.

Intermediate Level Course. Text Format The text styles, bold, italics, underlining, superscript and subscript, can be easily added to selected text. Text.
Ch. 6 Web Page Design – Absolute Positioning, Image Maps, and Navigation Bars Mr. Ursone.

Ch. 6 Web Page Design – Absolute Positioning, Image Maps, and Navigation Bars Mr. Ursone.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Clickjacking: Attacks and Defenses Lin-Shung Huang, Alexander Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon University.

Clickjacking: Attacks and Defenses Lin-Shung Huang, Alexander Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon University.
Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (http://cups.cs.cmu.edu/course-guide/)

Usable Security (Part 1 – Oct. 30/07) Dr. Kirstie Hawkey Content primarily from Teaching Usable Privacy and Security: A guide for instructors (
A graphical user interface (GUI) is a pictorial interface to a program. A good GUI can make programs easier to use by providing them with a consistent.

A graphical user interface (GUI) is a pictorial interface to a program. A good GUI can make programs easier to use by providing them with a consistent.
Chapter 7 UNDERSTANDING AND DESIGNING FORMS. Input Forms: Content and Organization Need for forms Event analysis and forms Relationship between input.

Chapter 7 UNDERSTANDING AND DESIGNING FORMS. Input Forms: Content and Organization Need for forms Event analysis and forms Relationship between input.
Creating Web Page Forms. Objectives Describe how Web forms can interact with a server-based program Insert a form into a Web page Create and format a.

Creating Web Page Forms. Objectives Describe how Web forms can interact with a server-based program Insert a form into a Web page Create and format a.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
Interaction Styles Interface Widgets. What are Interaction Styles?  A Collection of interface objects and associated techniques from which an interaction.

Interaction Styles Interface Widgets. What are Interaction Styles?  A Collection of interface objects and associated techniques from which an interaction.

Similar presentations

Ads by Google