Web Security Web Security

Introducing Clickjacking

Check out a free preview of the full Web Security course:
The "Introducing Clickjacking" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:

Mike discusses clickjacking, also known as "UI redress attack." In this technique, a user is tricked into clicking or interacting with something different than they perceived such as designing a login form to appear as a trusted online bank.

Get Unlimited Access Now

Transcript from the "Introducing Clickjacking" Lesson

>> Mike North: Clickjacking, this one's fun, I like this. Well, they're all fun, but so here's the general concept of clickjacking. So we've got our legitimate web application here on the left side. And we buy a domain that kinda looks like a legitimate domain, but if you look closely, it doesn't really start with Equihax.

[00:00:24] I mean, that's a subdomain. The real domain is com-secureblank.cc. And we create a tantalizing landing page and try to get the user to click something. And then what we do is we build an iFrame, we iFrame the original app. And we move it right on top of that button that we get the user to click on, and we can actually reduce the opacity to 0 to the point where they think they're interacting with this page, but in fact, they're interacting with the other one.

[00:00:51] They come, they click, and we've basically tricked them into performing an action into an app that we can't see. But we can sort of position in just the right spot to get the user to sort of shoot themselves in the foot. One of the most famous clickjacking attacks had to do with this page here.

[00:01:11] This is the Adobe Flash Security Settings panel. They have a web application with a very specific URL you can go to, to sort of add domains to this panel, to your global Flash settings. So you go here, and this is where you configure your plugin. They did not have clickjacking protection, so through an elaborate positioning of iFrames and things, there was a pretty issue where people were able to trick targets into opening up their Flash security settings.

[00:01:46] And then that is an attack that you can escalate pretty easily because Flash has broad privileges to execute code to occasionally even touch things on the file system. When you say give Flash access to everything, it turns out it can do a whole lot. So the category of attack this falls into is a UI redress attack.

[00:02:07] Just think of it in terms of the user thinks they're interacting with one UI, and really, they're interacting with another. You can use it to capture keystrokes as well, and the really refined clickjacking attacks, they create the illusion that your input is correctly arriving on the page that you see, not the one that you're interacting with.

[00:02:29] So they can go through the trouble of,
>> Mike North: Trying to position things and resize the iFrame, so only the input field is showing and they'll position that right on top of an existing input field. So you'll be typing, and the words will appear as you would expect, so you can get really, really clever with this stuff.