ClickJacking Deep BlackHat?
- Thread starter litenup
- Start date
Gwendoleea
Junior Member
- Sep 18, 2008
- 135
- 187
This sounds to me like what happens to my screen sometimes. I use Flock and I have my "flock toolbar" where the bookmark bar is and sometimes I sweat TG that someone is going over my bookmark icons cause they move and I know I am not moving them and sometimes one of them totally disappears! Like when BHW was down ( last week?) due to a possible hacker.. My BHW Icon disappeared as well! I have no idea why and then somehow it was back after I started up my puter again. Perhaps this is the kind of stuff they are talking about?
«ó«ô»ò» Lurk «ó«ô»ò»
Newbie
- May 16, 2008
- 33
- 6
Probably something like this (not really new).....
Maybe something new. Kinda hope it is
Code:
http://www.planb-security.net/notclickjacking/iframetrick.htmlMaybe something new. Kinda hope it is
Whisker
Senior Member
- Dec 26, 2007
- 841
- 1,335
Can you elaborate? How does it "take over your browser" that doesn't really give me any kind of technical understanding whatsoever. Sounds like cross domain RPC or iframing to me.
Last edited:
foxler
Regular Member
- Mar 7, 2008
- 279
- 163
Have no knowledge of how it works but heres how I think it work.
I don't think itself, it takes over your browser but judging by the example lurk posted it hides some sort of frame and makes its transparency to clear so when someone clicks on a link or anywhere on the page the framed hidden page is really in front of the real page your clicking on so I guess you could be tricked into pressing yes to a popup that ask if you really want to install the app.
- Oct 22, 2007
- 616
- 303
Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.This is working with ie8 and ff3 and is not something like a "traditional" exploit...Initially they wanted to make the code public here :
but given the danger they postponed OWASP
One of the topic is:
Get Ric*h or Die Try*ing - Mak*ing Money on The W*eb, The Black Hat Way
there is a slide show here that mention a few black hat methods :
-at 57/67 there is a mention of BHW
Code:
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_ConferenceOne of the topic is:
Get Ric*h or Die Try*ing - Mak*ing Money on The W*eb, The Black Hat Way
there is a slide show here that mention a few black hat methods :
-at 57/67 there is a mention of BHW
Code:
http://www.slideshare.net/jeremiahgrossman/black-hat-08072008?src=embed
It's got nothing to do with CS, and gr33n hit the nail on the head. I think it's pretty scary actually. The latest NoScript versions warn you about possible CJ attempts, but I wonder how much they actually catch. This isn't your usual daily half-assed IE exploit. Mind where you go and what you click if you're logged in to anything you care about.
Very interesting video........
One breif sentance that was said in the video "Java Script makes things easier to hover under the mouse". So if you think about flash games where where you use the mouse to move a character. What you have is the flash identifying the mouse and its movement over the screen. Now this stands to reason why they took this to Adobe first and they was so concerned about it! So basically if a mouse click area occupies 4 pixels (2x2) (now I am not technical so I dont know if that is correct) then the flash game can use one of those pixels as a link. So when you are clicking the game to... lets say 'Fire' it is programmed to make the first click not only 'Fire' but also follow a link.
As stated in the video the same effect could also be achieved by dhtml/JS and probably AJAX.
With regards to making the user complete a process, quite simple using screen scraping and writing the script to a work flow rather than just a single click.
Now after thinking there is another possability. And that could by to map the X/Y of the location you want the user to click so that and onclick action creates a subsequent click on the same page at the location specified.
I maybe talking total BS, but all of the above are totally doable!
What do you think?
One breif sentance that was said in the video "Java Script makes things easier to hover under the mouse". So if you think about flash games where where you use the mouse to move a character. What you have is the flash identifying the mouse and its movement over the screen. Now this stands to reason why they took this to Adobe first and they was so concerned about it! So basically if a mouse click area occupies 4 pixels (2x2) (now I am not technical so I dont know if that is correct) then the flash game can use one of those pixels as a link. So when you are clicking the game to... lets say 'Fire' it is programmed to make the first click not only 'Fire' but also follow a link.
As stated in the video the same effect could also be achieved by dhtml/JS and probably AJAX.
With regards to making the user complete a process, quite simple using screen scraping and writing the script to a work flow rather than just a single click.
Now after thinking there is another possability. And that could by to map the X/Y of the location you want the user to click so that and onclick action creates a subsequent click on the same page at the location specified.
I maybe talking total BS, but all of the above are totally doable!
What do you think?
wakkaoaka
BANNED
- Sep 14, 2008
- 1,113
- 788
That ebay thing was quite worrying, perhaps they could find a way to take as much money as they want just by making you bid on their auction using your paypal account or other payment system that has your credit card already in it. Or maybe a simple site with a donation button, force them to click on that, and somehow force them to type in their paypal email and password. Im sure there is someway to steal a hell of a lot of money... I agree with omfg, this is not good at all D: