ClickJacking Deep BlackHat?

Discussion in 'BlackHat Lounge' started by litenup, Sep 26, 2008.

  1. litenup

    litenup Junior Member

    Just saw this article about 'Clickjacking'

    Here's a few excerpts

    The Fix?


    That's pretty much the whole article but here's the page

    Code:
    http://blogs.zdnet.com/security/?p=1972
    Appreciate anyone's thoughts on this...and any ideas.
     
  2. yuppy

    yuppy Regular Member

    Clickjacking = CSing no? or something different?

    It reads like CSing, but they don't seem to understand how it works.


    Why would you want a click, without the CS?
     
  3. Whisker

    Whisker Moderator Staff Member Moderator Premium Member

    Sounds like cookie stuffing described by someone who has no working knowledge of the internet.
     
  4. litenup

    litenup Junior Member

    Now that's pretty funny if it's only cookie stuffing. Thought it might be something a little heavier than that.
     
  5. Gwendoleea

    Gwendoleea Junior Member

    This sounds to me like what happens to my screen sometimes. I use Flock and I have my "flock toolbar" where the bookmark bar is, and sometimes I swear TG that someone is going over my bookmark icons 'cause they move and I know I am not moving them, and sometimes one of them totally disappears! Like when BHW was down (last week?) due to a possible hacker... My BHW icon disappeared as well! I have no idea why, and then somehow it was back after I started up my puter again. Perhaps this is the kind of stuff they are talking about?
     
  6. «ó«ô»ò» Lurk «ó«ô»ò»

    «ó«ô»ò» Lurk «ó«ô»ò» Newbie

    Probably something like this (not really new).....

    Code:
    http://www.planb-security.net/notclickjacking/iframetrick.html
    Maybe something new. Kinda hope it is :)
     
  7. Whisker

    Whisker Moderator Staff Member Moderator Premium Member

    Can you elaborate? How does it "take over your browser"? That doesn't really give me any kind of technical understanding whatsoever. Sounds like cross domain RPC or iframing to me.
     
    Last edited: Sep 27, 2008
  8. foxler

    foxler Regular Member

    Have no knowledge of how it works, but here's how I think it works.
    I don't think it takes over your browser itself, but judging by the example Lurk posted, it hides some sort of frame and makes its transparency to clear, so when someone clicks on a link or anywhere on the page, the framed hidden page is really in front of the real page you're clicking on, so I guess you could be tricked into pressing yes to a popup that asks if you really want to install the app.
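
An added example, not part of any post in this thread: the hidden-frame overlay described above only works if the target page agrees to render inside another site's frame, which a site can refuse with the `X-Frame-Options` header or the CSP `frame-ancestors` directive. The function names, paths and sample responses below are constructed for illustration.

```javascript
// Added example: classify who may frame a response, from its headers alone.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors wins over X-Frame-Options when both are present.
  // Content-Security-Policy-Report-Only is not read: it enforces nothing.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const sources = rest.map((s) => s.toLowerCase());
    if (sources.length === 1 && sources[0] === "'none'") return { framable: 'nobody', via: 'csp' };
    if (sources.includes('*')) return { framable: 'anyone', via: 'csp' };
    if (sources.length && sources.every((s) => s === "'self'")) {
      return { framable: 'same-origin', via: 'csp' };
    }
    return { framable: 'listed-origins', via: 'csp' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: 'nobody', via: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { framable: 'same-origin', via: 'x-frame-options' };
  // ALLOW-FROM is obsolete and ignored by current browsers, like any unknown value.
  return { framable: 'anyone', via: xfo ? 'ignored-x-frame-options' : 'no-header' };
}

// Constructed sample responses (hypothetical paths, not taken from the thread).
const SAMPLES = [
  { path: '/account/settings', headers: { 'X-Frame-Options': 'deny' } },
  { path: '/checkout', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" } },
  { path: '/bid', headers: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' } },
  { path: '/donate', headers: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" } },
];

// Paths that a third-party page could still load in a hidden frame.
function unprotected(samples) {
  return samples
    .filter((s) => framingPolicy(s.headers).framable === 'anyone')
    .map((s) => s.path);
}

console.log(unprotected(SAMPLES));
```

Pages that change state on a single click (bids, payments, settings) are the ones to check first, since those are the clicks an overlay would try to capture.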
     
  9. gr33n

    gr33n Jr. VIP Jr. VIP Premium Member

    Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. This is working with IE8 and FF3 and is not something like a "traditional" exploit... Initially they wanted to make the code public here:
    Code:
    http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
    
    but given the danger they postponed OWASP
    One of the topics is:
    Get Rich or Die Trying - Making Money on The Web, The Black Hat Way

    there is a slide show here that mentions a few black hat methods:
    - at 57/67 there is a mention of BHW
    Code:
    http://www.slideshare.net/jeremiahgrossman/black-hat-08072008?src=embed
    
     
  10. foxler

    foxler Regular Member

    gr33n, shit dude... blackhatworld.com is used as a reference for how people cookie stuff to make money on slide 57 :(

    No bueno
     
  11. Dmore

    Dmore Newbie

    Here is the video presentation on clickjacking, it's quite interesting. The video is about 20 min long. http://video.google.com/videoplay?docid=-1023253423246814538&hl=en

    Enjoy,

    Dmore
    "The Stinking Capitalist Pig"
     
  12. lewi

    lewi Jr. VIP Jr. VIP Premium Member

    Thanks for the video, it's long but worth it I think :)
     
  13. yuppy

    yuppy Regular Member

    GR33N, great post. I didn't know someone really did that stupid office space scheme, and LOFUCKINGL about the QVC thing
     
  14. omfg

    omfg Newbie

    It's got nothing to do with CS, and gr33n hit the nail on the head. I think it's pretty scary actually. The latest NoScript versions warn you about possible CJ attempts, but I wonder how much they actually catch. This isn't your usual daily half-assed IE exploit. Mind where you go and what you click if you're logged in to anything you care about.
     
  15. iamsgf

    iamsgf Regular Member

    Very interesting video........

    One brief sentence that was said in the video: "JavaScript makes things easier to hover under the mouse". So if you think about flash games where you use the mouse to move a character, what you have is the flash identifying the mouse and its movement over the screen. Now this stands to reason why they took this to Adobe first and they were so concerned about it! So basically if a mouse click area occupies 4 pixels (2x2) (now I am not technical so I don't know if that is correct) then the flash game can use one of those pixels as a link. So when you are clicking the game to... let's say 'Fire', it is programmed to make the first click not only 'Fire' but also follow a link.

    As stated in the video, the same effect could also be achieved by DHTML/JS and probably AJAX.

    With regards to making the user complete a process, quite simple using screen scraping and writing the script to a work flow rather than just a single click.

    Now after thinking, there is another possibility. And that could be to map the X/Y of the location you want the user to click so that an onclick action creates a subsequent click on the same page at the location specified.

    I may be talking total BS, but all of the above are totally doable!

    What do you think?
     
  16. wakkaoaka

    wakkaoaka BANNED BANNED

    That eBay thing was quite worrying, perhaps they could find a way to take as much money as they want just by making you bid on their auction using your PayPal account or other payment system that has your credit card already in it. Or maybe a simple site with a donation button, force them to click on that, and somehow force them to type in their PayPal email and password. I'm sure there is some way to steal a hell of a lot of money... I agree with omfg, this is not good at all D: