ClickJacking

Transcript ClickJacking

CLICKJACKING
ATTACKS AND DEFENSES
BACKGROUND
Clickjacking is a malicious technique that tricks a Web user into clicking on something different from what the user perceives they are clicking on.
[Slide figure: a decoy "Get Free iPad" button and the "Like" button it covers]
EXISTING
CLICKJACKING
ATTACKS
1. Compromising target display integrity
2. Compromising pointer integrity
3. Compromising temporal integrity
COMPROMISING TARGET
DISPLAY INTEGRITY
1. Hiding the target element
[Slide figure: "Get Free iPad" decoy over the hidden "Like" button]
1. Opacity value and z-index value
2. Decoy made un-clickable (CSS pointer-events)
http://robertnyman.com/css3/pointerevents/pointer-events.html
2. Partial overlays
1. Cover receipt and amount
3. Cropping
1. Crop the target element to show only a piece of the element
COMPROMISING
POINTER INTEGRITY
1. CursorJacking
1. Display a fake cursor
2. Hide the default cursor
http://koto.github.com/blog-kotowicz-netexamples/cursorjacking/
2. Strokejacking
1. Blinking cursor
[Slide figure: invisible sensitive element placed behind a visible fake input field]
COMPROMISING
TEMPORAL INTEGRITY
Manipulate the UI element after the user has decided to click, but before the actual click occurs.
EXISTING ANTICLICKJACKING DEFENSE
1. User Confirmation
1. Degrades user experience
2. UI Randomization
1. Not robust
3. Opacity Overlay Policy
1. Too strong
4. Framebusting
1. Some applications need to be embedded
2. Can be evaded
EXISTING ANTICLICKJACKING DEFENSE
5. Visibility Detection on Click
1. Only addresses the element-hiding strategy
6. UI delay for cross-origin interactions
1. User experience
No existing method addresses pointer-integrity attacks
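Framebusting scripts run inside the framed page, so the page that frames them can interfere with them; that is the evasion the slide alludes to. The browser-enforced alternative is response headers, which are applied before any script in the page runs. The following is an added example, not code from the slides or from the paper: a small Node.js helper that emits X-Frame-Options and a Content-Security-Policy frame-ancestors directive, with an allow-list for applications that legitimately need to be embedded by specific partners. The https-only origin format check is an assumption of the example.

```javascript
// Added example (not from the slides or the paper): browser-enforced
// anti-framing headers as the robust alternative to script framebusting.
// X-Frame-Options is understood by legacy browsers but only offers DENY and
// SAMEORIGIN (ALLOW-FROM was never widely supported); CSP frame-ancestors is
// the current mechanism and accepts an origin allow-list, which is what an
// application that must be embeddable by specific partners needs.

// Assumption of this example: embedding partners are identified by an https
// origin (scheme + host, optional port), nothing else.
const ORIGIN_RE = /^https:\/\/[a-z0-9.-]+(:\d+)?$/i;

function frameProtectionHeaders(allowedOrigins = []) {
  // Normalise and de-duplicate the allow-list before validating it.
  const origins = [...new Set(allowedOrigins.map((o) => o.trim().toLowerCase()))];
  for (const o of origins) {
    if (!ORIGIN_RE.test(o)) {
      throw new Error(`invalid frame-ancestors origin: ${o}`);
    }
  }
  if (origins.length === 0) {
    // Default: the page must never be framed, by anyone, including itself.
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // Allow-list case: CSP carries the real policy. Browsers that implement
  // frame-ancestors ignore X-Frame-Options when both are present, so the XFO
  // value only matters to legacy browsers, which fall back to same-origin framing.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors 'self' ${origins.join(' ')}`,
  };
}

// Apply the headers to any Node-style response object exposing setHeader(),
// e.g. the `res` handed to an http.createServer() request handler.
function applyFrameProtection(res, allowedOrigins = []) {
  const headers = frameProtectionHeaders(allowedOrigins);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return headers;
}
```

Call `applyFrameProtection(res)` for pages that must never be framed, and `applyFrameProtection(res, ['https://partner.example'])` for a widget that a known partner embeds; the allow-list is validated so that a typo cannot silently widen the policy.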
NEW ATTACK
VARIANTS #1
1. Attack Technique: Cursor spoofing
2. Attack Success: 43%
NEW ATTACK
VARIANTS #2
1. Attack Technique: Popup Window
2. Attack Success: 47%
3. Framebusting
NEW ATTACK
VARIANTS #3
1. Attack Technique: Cursor Spoofing + Fast-paced Clicking
2. Attack Success: 98%
INCONTEXT DEFENSE
Design Goals
1. Does not require user prompts
2. Provides pointer integrity protection
3. Supports target elements that require arbitrary third-party embedding
4. Does not break existing sites
INCONTEXT DEFENSE
Ensuring Visual Integrity
1. Find the Sensitive Element
1. The application indicates which UI elements are sensitive
2. Dynamic OS-level screenshot comparison
INCONTEXT DEFENSE
Ensuring visual integrity of pointer
• Remove cursor customization
- Attack success: 43% -> 16%
INCONTEXT DEFENSE
Ensuring visual integrity of pointer
• Freeze screen around target on pointer entry
- Attack success (margin=20px): 4%
INCONTEXT DEFENSE
• Mute the speaker when a user interacts with sensitive elements
- Attack success: 43%
- Attack success (Mute + Freezing): 2%
INCONTEXT DEFENSE
Ensuring visual integrity of pointer
• Lightbox effect around target on pointer entry
- Attack success: 43%
- Attack success (Lightbox + Freezing + Mute): 2%
INCONTEXT DEFENSE
No programmatic cross-origin keyboard focus changes
INCONTEXT DEFENSE
Ensuring Temporal Integrity
1. UI delay after pointer entry
2. Pointer re-entry on a newly visible sensitive element
1. When a sensitive UI element first appears, or is moved to a location that overlaps the pointer's current position, the user must move the pointer out and re-enter the element before a click is accepted
3. Padding area around sensitive element
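The three temporal-integrity rules above fit together as one piece of per-element state. The following is an added example, not InContext's implementation or any browser's code: a small model of those rules, driven by simulated pointer events, that decides whether a click on a sensitive element should be accepted. The dwell time (500 ms) and padding width (20 px) are assumptions chosen for the example; the slides give no values for them.

```javascript
// Added example, not InContext's code: a model of the three temporal-integrity
// rules from the slides, applied to simulated pointer events.
//   1. A click counts only after the pointer has been over the element for at
//      least DWELL_MS (UI delay after pointer entry).
//   2. If the element appears or moves under a pointer that is already there,
//      the pointer must leave and re-enter before clicks are accepted.
//   3. The dwell timer starts when the pointer enters a padded region around
//      the element, not the element's exact box.
const DWELL_MS = 500;  // assumption for this example
const PADDING_PX = 20; // assumption for this example

class SensitiveElementGuard {
  constructor(rect, { dwellMs = DWELL_MS, paddingPx = PADDING_PX } = {}) {
    this.rect = rect;           // { x, y, w, h } in screen pixels
    this.dwellMs = dwellMs;
    this.paddingPx = paddingPx;
    this.enteredAt = null;      // time the pointer entered the padded region
    this.wasInside = false;     // pointer was in the padded region at last event
    this.needsReentry = false;  // element moved/appeared under a resting pointer
    this.lastPointer = null;
  }

  inPadded(p) {
    const { x, y, w, h } = this.rect;
    const m = this.paddingPx;
    return p.x >= x - m && p.x <= x + w + m && p.y >= y - m && p.y <= y + h + m;
  }

  onElement(p) {
    const { x, y, w, h } = this.rect;
    return p.x >= x && p.x <= x + w && p.y >= y && p.y <= y + h;
  }

  // Every pointer move. Only a genuine outside-to-inside transition starts the
  // dwell timer and clears a pending re-entry requirement (rules 1, 2, 3).
  pointerMove(p, t) {
    const inside = this.inPadded(p);
    if (inside && !this.wasInside) {
      this.enteredAt = t;
      this.needsReentry = false;
    } else if (!inside) {
      this.enteredAt = null;
    }
    this.wasInside = inside;
    this.lastPointer = p;
  }

  // The element first became visible, or was moved, to newRect (rule 2).
  elementShownOrMoved(newRect) {
    this.rect = newRect;
    const inside = this.lastPointer !== null && this.inPadded(this.lastPointer);
    if (inside) {
      // The pointer did not travel to the element; the element came to it.
      this.needsReentry = true;
      this.enteredAt = null;
    }
    this.wasInside = inside;
  }

  // Decide on a click at point p, time t. Returns a reason string.
  click(p, t) {
    if (!this.onElement(p)) return 'miss';
    if (this.needsReentry) return 'rejected:reentry-required';
    if (this.enteredAt === null) return 'rejected:no-entry';
    if (t - this.enteredAt < this.dwellMs) return 'rejected:dwell';
    return 'accepted';
  }
}

// Constructed scenarios (times in ms, coordinates in px) exercising each rule.
function simulate() {
  const out = {};
  const g1 = new SensitiveElementGuard({ x: 100, y: 100, w: 80, h: 30 });
  g1.pointerMove({ x: 50, y: 50 }, 0);
  g1.pointerMove({ x: 120, y: 110 }, 100);
  out.tooFast = g1.click({ x: 120, y: 110 }, 200);       // 100 ms dwell: rejected
  out.patient = g1.click({ x: 120, y: 110 }, 700);       // 600 ms dwell: accepted

  const g2 = new SensitiveElementGuard({ x: 500, y: 500, w: 80, h: 30 });
  g2.pointerMove({ x: 120, y: 110 }, 0);                  // pointer resting elsewhere
  g2.elementShownOrMoved({ x: 100, y: 100, w: 80, h: 30 }); // element moves under it
  out.switched = g2.click({ x: 120, y: 110 }, 2000);     // rejected until re-entry
  g2.pointerMove({ x: 0, y: 0 }, 2100);
  g2.pointerMove({ x: 120, y: 110 }, 2200);
  out.afterReentry = g2.click({ x: 120, y: 110 }, 2800); // re-entered, 600 ms dwell

  const g3 = new SensitiveElementGuard({ x: 100, y: 100, w: 80, h: 30 });
  g3.pointerMove({ x: 0, y: 0 }, 0);
  g3.pointerMove({ x: 90, y: 110 }, 1000);                // inside padding, off element
  g3.pointerMove({ x: 120, y: 110 }, 1400);               // onto the element itself
  out.padded = g3.click({ x: 120, y: 110 }, 1600);       // 600 ms since padded entry
  return out;
}
```

The third scenario shows why padding matters: measured from the element's own edge the dwell would be only 200 ms and the click would be refused, but the pointer has in fact been hovering next to the element since 1000 ms, which is the behaviour of a user who is reading, not of a script that teleports the target under a racing cursor.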
EVALUATION METHOD
1. Recruit test participants through Amazon
2. Total of 3521 participants, 2064 of whom are valid participants
3. The evaluation results are reliable
4. Only three attacks are evaluated; not large-scale
COMPARISON
1. Measurement
1. The USENIX paper provides more attack scenarios and defense cases.
2. The AsiaCCS paper presents a first, large-scale attempt to demonstrate that clickjacking is prevalent and serious.
2. Deployment
1. Both are deployed in browser.
2. ClickIDS is a plugin; InContext can be implemented as a plugin.
3. Introduce New Attacks?
1. The USENIX paper introduces three new attacks.
COMPARISON
4. Defense Mechanism
1. InContext is more complete (pointer integrity, cropping, strokejacking)
2. InContext only protects elements the application itself labels as sensitive, so the user-experience penalty is smaller
5. Evaluation
1. The USENIX paper's authors recruit people through Amazon to evaluate InContext's effectiveness. More accurate, but only a few attacks are tested.
2. The AsiaCCS paper uses tools to simulate users' behavior to evaluate ClickIDS's effectiveness at large scale. Large scale, but not accurate: this method introduces false positives.
CONCLUSION
1. The paper discussed current clickjacking techniques and existing anti-clickjacking defenses
2. The paper proposed three new attack variants that can evade current defenses
3. The evaluation results show that the proposed attacks are highly effective (success rates 43% to 98%)
4. The paper proposed the InContext defense mechanism, which can be very effective against clickjacking