Dailydave mailing list archives

"ClickJacking"


From: Dave Aitel <dave () immunityinc com>
Date: Thu, 25 Sep 2008 10:27:15 -0400

I went to the ClickJacking 20-Questions session yesterday at OWASP:
 
Essentially if your web page is in the same frame as another page you
can slide them under your buttons/URLs using DHTML such that when the
user is clicking on your link, they instead really are clicking on
some random place on a web page of your choice. This process is
essentially invisible to the end user.

The difficult thing is finding out what to do with this (i.e. you have
to look at gmail's interface and see if you can get them to do
anything with just clicks - like set up a filter using CSRF first,
then click "OK" to get all the user's email!)

So that's what it is. Seems real enough to me, although the name is
gag-worthy. Rsnake says to "Use Lynx." One typical attack for a
process that required lots of buttons to be clicked would be a flash
game where people clicked a lot to shoot or something. Or perhaps a
"hot or not".

You don't need JavaScript to do this so NoScript isn't going to help
you (but it does make life easier). Not sure if HTML Email clients are
vuln, but they might be.

Anyways, I'm giving a talk today at 4pm on "Corruption". If for
whatever reason you don't want to see the talk (which includes a
picture of a giraffe), there's another good talk going on at the same
time slot by Chris Eng on how to crack custom crypto in session keys
of web apps. Chris Eng and Kevin Dunn (now both at Veracode) are the
best people I've ever seen at this sort of wacky stuff, so it's worth
a viewing!

-dave

