Clickjacking

[This entry was updated on November 3.]

Lately, the topic of “clickjacking” has gained popularity in discussions on the Internet. It is a new type of web attack. I decided to find out what it’s all about.

I found an online video from OWASP NYC AppSec 2008 here. In the video, Jeremiah Grossman and Robert “RSnake” Hansen reported this new vulnerability in a presentation titled “New Zero-Day Browser Exploits-–ClickJacking.” I also found a demo of this attack here.

In the videos they describe only parts of the vulnerability, but we can learn enough to gain a basic idea of what clickjacking is.

To explain, I’ll use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set to higher than other elements of page A via cross-site scripting. The area of B will also need to be so big that the user can easily click its content. The attacker places a button in B that leads to any action he wants. Then the attacker places some buttons on page A that will attract users. The location of the buttons in B must match the buttons in A so when users appear to click a button on page A, they are actually clicking the button in B because the z-index property of B’s buttons are higher than A’s buttons. This attack uses DHTML and does not require JavaScript, so disabling JavaScript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich-media Internet application today. Adobe has released a security advisory and provided a workaround.

We will continue to watch for new information about this vulnerability.

Tags: clickjacking, web