Presentation is loading. Please wait.

Presentation is loading. Please wait.

Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Published byAlana Shutt Modified over 9 years ago

Similar presentations

Presentation on theme: "Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"— Presentation transcript:

1 Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University http://adamdoupe.com

2 Adam Doupé, Security and Vulnerability Analysis Would you click this button?

3 Adam Doupé, Security and Vulnerability Analysis ClickJacking In a clickjacking attack a user is lured into clicking a button that is not associated with the page displayed by the browser –Example: clicking on harmless "Download free screensaver" button a on page on site A will actually become a click on "Like Button" on Facebook The attack, also called "UI redressing," is performed by using overlapping transparent frames –Stacking order: z-index: –Transparency in Firefox: opacity: –Transparency in IE filter:alpha(opacity= ) 3

4 Adam Doupé, Security and Vulnerability Analysis ClickJacking Example Clickjacking Times Clickjacking Example Press this button for an iPhone 4

5 Adam Doupé, Security and Vulnerability Analysis ClickJacking Example 5 Press Here! Z-level: 2 Transparent Z-level: 1 Opaque

6 Adam Doupé, Security and Vulnerability Analysis Frame Busting Code body { display:none;} if (self == top) { document.getElementsByTagName("body")[0].style.display = 'block'; } else { top.location = self.location; } From: Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, July 2010 6

7 Adam Doupé, Security and Vulnerability Analysis HTTP Headers X-Frame-Options HTTP response header –DENY This page cannot be framed –SAMEORIGIN Only pages from the same origin may frame this page –ALLOW-FROM Only allow this specific URI to fame this page https://www.owasp.org/index.php/Clickjacking _Defense_Cheat_Sheet

8 Adam Doupé, Security and Vulnerability Analysis Summary Need to be wary of how attacker can trick a user to accidentally take action on your web application Clickjacking is related to CSRF: both attacks allow an attacker to perform actions on your behalf

Download ppt "Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
– Officiating Management Software

– Officiating Management Software
Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
More frames in XHTML Please use speaker notes for additional information!

More frames in XHTML Please use speaker notes for additional information!
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Social media is sharing information with others What if this information ends up in the wrong hands?

Social media is sharing information with others What if this information ends up in the wrong hands?
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Ethics CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Ethics CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Cross Site Request Forgery CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1.

(draft-gondrom-frame-options-01) David Ross, Tobias Gondrom July 2011 Frame-Options 1.
Clickjacking: Attacks and Defenses Lin-Shung Huang, Alexander Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon University.

Clickjacking: Attacks and Defenses Lin-Shung Huang, Alexander Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon University.
The Hacker Mindset CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

The Hacker Mindset CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.

New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.
Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.

Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.
CM143 - Web Week 2 Basic HTML. Links and Image Tags.

CM143 - Web Week 2 Basic HTML. Links and Image Tags.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Similar presentations

Ads by Google