New 0Day Browser Exploit: Clickjacking – OWASP AppSec NYC 2008
This talk was rumored to have been cancelled at a vulnerable vendor's (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway. Here are my notes from the semi-restricted presentation.
Jeremiah started off with a brief introduction to what clickjacking is. In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript, so turning JavaScript off in your browser will not help you. It's a fundamental flaw in the way your browser works and cannot be fixed with a simple patch. With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happen. "A normal user wouldn't have any idea of what is going on. People in this audience may see something a little different from what they would expect and you would definitely see the results in the page's source code."
eBay, for example, would be vulnerable to this since you could embed JavaScript into the web page, although JavaScript is not required to exploit this. "It makes it easier in many ways, but you do not need it." Use lynx to protect yourself and don't do anything dynamic. You can "sort of" fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their own page. Each click by the user equals one clickjacked click, so something like a Flash game is perfect bait. The issue and fix will probably be originally released on http://ihackcharities.org.
My Analysis: It sounds like the exploit basically creates a frame that is hidden underneath the main content frame that the user is seeing. The main content could be a Flash game or any sort of incentive to keep the user clicking. All of the clicks that the user makes are used to click on content in the hidden frame. Again, this is just my speculation based on the information provided by RSnake and Jeremiah above.
September 25th, 2008 at 9:50 am
[…] exactly is Clickjacking? According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with […]
September 25th, 2008 at 2:05 pm
Very interesting! Thanks for writing it up Josh.
September 25th, 2008 at 6:24 pm
[…] a little more information about this on the Web Admin blog but details are still a bit sketchy. The biggest problem is that it seems to effect everyone using […]
September 25th, 2008 at 8:51 pm
This makes no sense... if you're on a malicious page already, what's the point of this "attack"? What does it allow the attacker to do that they can't already do? So they make you "click on links" that you didn't intend to. Oooooh, not like they can't just redirect you to the destination of the link anyway.
September 26th, 2008 at 2:46 am
[…] someone who attended the semi-public demonstration at OWASP revealed that this vulnerability is very urgent, will affect all browsers, and it and JavaScript […]
September 26th, 2008 at 3:23 am
[…] http://www.webadminblog.com/index.php/2008/09/24/new-0day-browser-exploit-clickjacking-owasp-appsec-… […]
September 26th, 2008 at 5:05 am
[…] the cross-browser attack vulnerability Clickjacking has recently begun to be widely reported, and is said to be causing panic (here, here, here and here). […]
September 26th, 2008 at 9:56 am
@kats – The problem is the same problem with most browser attacks like XSS. What is a “malicious page”? It is very easy to embed malicious code in a “friendly” page in a number of ways. XSS vulnerabilities in forums and such are popular, as are even banner ads (banner ads nowadays usually allow HTML, JavaScript, Flash, and other ways to jack a user).
Besides, how can you trust a site? You came to this site and interacted with it enough to leave a comment. Are you sure it didn't hijack your browser while you were here and do something to you? Probably not.
September 26th, 2008 at 2:28 pm
Ok guys, so, supposedly the NoScript dude has a fix to this. (Assuming you have FF and NoScript installed) You would go to Tools, Add-ons, Extensions, NoScript, Preferences, and then the Plugins tab.
Check off “Forbid ” and (according to the NoScript maintainer) you should be 100% protected.
September 26th, 2008 at 2:46 pm
@zmjjmz – Thanks for the tip! Now, since the actual exploit hasn't been published and this is a guess, we probably can't say that NoScript will work for sure against the Grossman clickjacking thing till there's disclosure, but it can't hurt. I've loaded up NoScript, I'll see how much it messes with my normal Web experience.
September 26th, 2008 at 3:00 pm
Oh, although I stand semi-corrected – in rsnake’s blog entry on clickjacking Grossman has a comment saying that NoScript will “prevent most of the really bad clickjacking PoC, not 100%, which should be good enough to limit most risk”. Cool! And someone commenting on ZDNet has a further setting he claims does make it 100%, checking the Plugins|Forbid
September 26th, 2008 at 4:05 pm
Is there any proof-of-concept page?
September 26th, 2008 at 6:43 pm
[…] to reports from the conference, the issue is indeed zero-day, affects all the major browsers and has nothing […]
September 26th, 2008 at 7:09 pm
This attack is caused by Flash’s ability to capture mouse events and keystrokes while not focused on the flash container. It is entirely Adobe’s fault and it is part of their recent enhancements for better advertisements. (GRRR)
To recreate the attack:
Create two layers; on the top layer, place a small Flash app that captures keystrokes and mouse events. When the browser attempts to leave the page, redirect the page to a site that will serve the page with your Flash interceptor on top.
Adobe is dumb, this is an obvious attack, and I’m sure the actual attack is more complicated and less discoverable.
September 26th, 2008 at 7:54 pm
Arshan Dabirsiaghi played with it a bit overnight and actually demonstrated a bit of the exploit in his “Building and Stopping Next Generation XSS Worms” presentation. The demo page was located at http://i8jesus.com/stuff/clickjacking/test1.html and appears to still be active as of this posting. This is just a demo of how the exploit works and is not weaponized in any way. It uses some JavaScript and CSS, although Grossman and RSnake made it very clear that this exploit could be performed without any JavaScript.
kats, the idea here is that you can be clicking around on what appears to be a completely legitimate website (say a cool new flash game) and all the while your clicks are hitting other links without your knowledge. Here’s an example. You go to bankofamerica.com and log in to check your balance. Then you go to coolnewflashgame.com and start playing around. All you see is the flash game that keeps you clicking. In the background, you’re clicking “transfer money”, “yes, I mean my life savings out of my savings account”, “submit”, “confirmed, please take all of my money”. General consensus is that I can get you to do pretty much anything I want in about 4-5 clicks. You’ll eventually get bored of my cool flash game and move along, never knowing that you just sent me your life savings.
September 26th, 2008 at 10:26 pm
The problem with the 'Bank of America' example is that sending any money anywhere requires actually entering text into specific fields on the bank page. Even if the security was lax enough to hold a history of prior amounts that you've entered and of which accounts you've transferred to, how will it send any amount to a location of the exploiter's choice? With the present information supplied, the worst it seems it can do is pay my phone company again after I just paid them. Inconvenient, yes, but not a crippling or insurmountable problem.
Are there any further ideas of how this is a threat? So far, it seems to be a more insidious pop-up/under.
September 26th, 2008 at 10:57 pm
Found an even better example of clickjacking by Tod over at BreakingPoint Systems:
http://www.planb-security.net/notclickjacking/iframetrick.html
In this example, if you are logged into your MySpace account, two clicks will change your profile to public. Thanks for the great example Tod!
Yeah, I agree that the Bank of America example is not a completely realistic or feasible one, but it was an attempt to illustrate the concept and not an actual attack. Bank of America has session timeouts and other security features that make these types of attacks extremely difficult with them.
Probably the simplest solution here is that if you own a site that you worry about your customers getting clickjacked on, just put some simple framebuster script on there. If you break the site out of the iframe, then there is no way for this attack to work.
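The framebuster script Josh recommends above (and that the talk notes mention as preventing cross-domain clickjacking), written out as an added example that is not part of the original post or the speakers' material. The `isFramed`/`frameBust` function names, the window-like stand-in objects and the hostnames are constructed for illustration; in a real page the last block runs as early as possible, before any content renders.

```javascript
// Defensive frame-busting: a site that does not want its pages rendered
// inside an attacker's invisible iframe checks whether it is the
// top-level browsing context and, if not, navigates the top-level
// context to itself so the overlay page is discarded.

// Return true when this page is being rendered inside a frame or iframe.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Some browsers throw on cross-origin access to win.top; being unable
    // to confirm we are top-level is itself treated as "framed".
    return true;
  }
}

// Apply the mitigation. Returns 'busted' when it redirected the top-level
// context to this page, 'ok' when the page was not framed.
function frameBust(win) {
  if (!isFramed(win)) return 'ok';
  // Assigning to top.location is permitted cross-origin in browsers, even
  // though reading it is not.
  win.top.location = win.self.location.href;
  return 'busted';
}

// Constructed stand-ins for window objects so the logic can be exercised
// outside a browser (these are not real DOM windows).
function makeWindow(topIsSelf) {
  const self = { location: { href: 'https://example-bank.test/transfer' } };
  const top = topIsSelf ? self : { location: { href: 'https://attacker.test/game' } };
  return { self, top };
}

if (typeof window !== 'undefined') {
  // Real page: run immediately, ideally from an inline <script> in <head>.
  frameBust(window);
}
```

Script-based busting only works when the framed page's JavaScript actually executes, so it does nothing if the victim's browser has scripting disabled or the framing page suppresses it; the framed site should therefore also send an X-Frame-Options or Content-Security-Policy frame-ancestors response header, which the browser enforces without any script.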
September 27th, 2008 at 12:26 am
[…] everything; it also alerts users of any web browser that, with a few simple bits of code, anyone can be tricked […]
September 27th, 2008 at 12:38 am
Not to mention, if you really went into it you could stack multiple frames on top of each other that would limit random clicking to performing a series of clicks. For instance, preventing you from following through with the "save changes" click until the "everyone" click was done first.
September 27th, 2008 at 5:22 am
Terrible!
September 27th, 2008 at 12:59 pm
Sounds like a great way to rack up adwords, or other advertising, or traffic exchange clicks. Using this that way would not harm the users at all, it would just make money/gain traffic for the site owner. Still malicious, just not towards users.
September 29th, 2008 at 8:58 pm
[…] Related: first, second, third […]
October 1st, 2008 at 1:06 pm
[…] But there is a small overview and explanation of the issue: In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening. “A normal user wouldn’t have any idea of what is going on. People in this audience may see something a little different from what they would expect and you would definitely see the results in the page’s source code.” Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this.(Source: webadminblog.com) […]
October 10th, 2008 at 5:21 pm
[…] 88 and as seems more logical), although we do know how it works. In this post there are some speculations, which may seem more or less logical, about how it works, […]
October 17th, 2008 at 11:15 pm
[…] Clickjacking, simply put, is stealing mouse cursor clicks from users. In this type of attack, the malicious user is able to take control of the links that a user may connect to while they are within a malicious domain. […]
November 13th, 2008 at 9:17 pm
[…] Adobe 0-day Browser Exploit […]
May 11th, 2009 at 8:48 am
Clickjacking, simply put, is stealing mouse cursor clicks from users. In this type of attack, the malicious user is able to take control of the links that a user may connect to while they are within a malicious domain
October 23rd, 2012 at 12:55 am
[…] to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with […]