ClickJacking Deep BlackHat?

litenup

Just saw this article about 'Clickjacking'

Here are a few excerpts:

"In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening."

"Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this. 'It makes it easier in many ways, but you do not need it.' Use lynx to protect yourself and don't do dynamic anything. You can 'sort of' fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click so something like a flash game is perfect bait"

The Fix?

"In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now."


That's pretty much the whole article, but here's the page:

Code:
http://blogs.zdnet.com/security/?p=1972

Appreciate anyone's thoughts on this...and any ideas.
 
Clickjacking = CSing, no? Or something different?

It reads like CSing, but they don't seem to understand how it works.


Why would you want a click without the CS?
 
Sounds like cookie stuffing described by someone who has no working knowledge of the internet.
 
Now that's pretty funny if it's only cookie stuffing. Thought it might be something a little heavier than that.
 
This sounds to me like what happens to my screen sometimes. I use Flock and I have my "flock toolbar" where the bookmark bar is, and sometimes I sweat TG that someone is going over my bookmark icons because they move and I know I am not moving them, and sometimes one of them totally disappears! Like when BHW was down (last week?) due to a possible hacker, my BHW icon disappeared as well! I have no idea why, and then somehow it was back after I started up my puter again. Perhaps this is the kind of stuff they are talking about?
 
No no no, it's nothing to do with cookie stuffing and it's not even related. It was going to be talked about at a security conference, but got pulled because all the big vendors got scared. The people basically take over your browser and can make you do wtf ever they want.

There's a post about it on full disclosure.

Can you elaborate? How does it "take over your browser"? That doesn't really give me any kind of technical understanding whatsoever. Sounds like cross domain RPC or iframing to me.
 
Can you elaborate? How does it "take over your browser"? That doesn't really give me any kind of technical understanding whatsoever. Sounds like cross domain RPC or iframing to me.

Have no knowledge of how it works, but here's how I think it works.
I don't think it takes over your browser itself, but judging by the example lurk posted, it hides some sort of frame and sets its transparency to clear, so when someone clicks on a link or anywhere on the page, the hidden framed page is really in front of the real page you're clicking on. So I guess you could be tricked into pressing yes to a popup that asks if you really want to install the app.
 
Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. This is working with IE8 and FF3 and is not something like a "traditional" exploit... Initially they wanted to make the code public here:
Code:
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
but given the danger they postponed OWASP.
One of the topics is:
Get Rich or Die Trying - Making Money on The Web, The Black Hat Way

There is a slide show here that mentions a few black hat methods:
- at 57/67 there is a mention of BHW
Code:
http://www.slideshare.net/jeremiahgrossman/black-hat-08072008?src=embed
 
gr33n, shit dude... blackhatworld.com is used as a reference for how people cookie stuff to make money on slide 57 :(

No bueno
 
Here is the video presentation on clickjacking, it's quite interesting. The video is about 20 min long. http://video.google.com/videoplay?docid=-1023253423246814538&hl=en

Enjoy,

Dmore
"The Stinking Capitalist Pig"
 
Thanks for the video, it's long but worth it I think :)
 
GR33N, great post. I didn't know someone really did that stupid Office Space scheme, and LOFUCKINGL about the QVC thing
 
It's got nothing to do with CS, and gr33n hit the nail on the head. I think it's pretty scary actually. The latest NoScript versions warn you about possible CJ attempts, but I wonder how much they actually catch. This isn't your usual daily half-assed IE exploit. Mind where you go and what you click if you're logged in to anything you care about.
 
Very interesting video........

One brief sentence that was said in the video: "JavaScript makes things easier to hover under the mouse". So if you think about flash games where you use the mouse to move a character, what you have is the flash identifying the mouse and its movement over the screen. Now this stands to reason why they took this to Adobe first and they were so concerned about it! So basically if a mouse click area occupies 4 pixels (2x2) (now I am not technical so I don't know if that is correct) then the flash game can use one of those pixels as a link. So when you are clicking the game to... let's say 'Fire', it is programmed to make the first click not only 'Fire' but also follow a link.

As stated in the video the same effect could also be achieved by dhtml/JS and probably AJAX.

With regards to making the user complete a process, quite simple using screen scraping and writing the script to a work flow rather than just a single click.

Now after thinking there is another possibility. And that could be to map the X/Y of the location you want the user to click so that an onclick action creates a subsequent click on the same page at the location specified.

I may be talking total BS, but all of the above are totally doable!

What do you think?
 
That eBay thing was quite worrying, perhaps they could find a way to take as much money as they want just by making you bid on their auction using your PayPal account or other payment system that has your credit card already in it. Or maybe a simple site with a donation button, force them to click on that, and somehow force them to type in their PayPal email and password. I'm sure there is some way to steal a hell of a lot of money... I agree with omfg, this is not good at all D:
 