Even More Advanced Clickjacking

Thu, 27 Nov 2008 17:18:27 GMT
by pdp

Clickjacking is one of those types of attacks that are incredibly simple to perform, yet very powerful in today's web-driven world. In this post I would like to draw your attention to one more technique that can be used to perform successful clickjacking.

Btw, I released a couple of POCs that illustrate how the clickjacking attack for Flash works. Soon after that, Adobe released a patch. However, to my surprise, my POCs still work on the latest Flash Player and browser versions. Can someone verify this? I suspect that the patch is not effective when dealing with overlaying iframes, which is exactly what my POCs are about.

Basically, the browser is slowly becoming a quite powerful graphical environment. This is due to two relatively new features: the canvas and support for SVG (Simply Vector Graphic). Interestingly enough, SVG is not so simple. Actually, with the help of SVG you can do very advanced UI redressing. Check the following article for examples and a brief description of how to apply SVG effects to HTML content: SVG Effects For HTML Content.

Essentially, we can not only obfuscate the page that we want to clickjack but also apply funky effects to it that will totally redress the site's UI and even the browser's chrome. Now, if you remember, once upon a time we were able to spawn chromeless windows. Funky! Of course, the side effect was that anybody was able to redress a pop-up to look like a system window, etc. Eventually, support for chromeless windows was dropped because of the security implications. However, as usual, every new problem is a well-forgotten old problem, so now, with the help of SVG, we can do practically the same to an extent.

There you go. SVG + clipPaths | masks | filters will result in even more advanced UI redress attacks. If we mix them with powerful AJAX interfaces, which are so responsive to interaction that the user no longer needs to click a submit button in order to make a change to his session, we end up with a total disaster.
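Whatever the redressing trick (SVG effects included), the attack only works if the target page can be loaded inside a cross-site iframe, so that is the property a defender audits. The checker below is an added example, not code from the original post: it builds the anti-framing headers a sensitive page should send and evaluates whether a given set of response headers would let a given embedding origin frame the page. All hostnames and header values in it are constructed.

```javascript
// Added example, not code from the original post. Any clickjacking attack,
// including the SVG-based UI redress described above, needs the target page to
// load inside a cross-site iframe; this checker tells you whether a response's
// headers would allow that for a given embedder. Hostnames are constructed.

// Headers to send on pages that must not be framed by third parties.
// CSP frame-ancestors is the authoritative control in current browsers;
// X-Frame-Options is kept as a fallback for older ones.
function antiClickjackHeaders(allowedOrigins = []) {
  const sources = allowedOrigins.length ? `'self' ${allowedOrigins.join(' ')}` : "'none'";
  return {
    'content-security-policy': `frame-ancestors ${sources}`,
    'x-frame-options': allowedOrigins.length ? 'SAMEORIGIN' : 'DENY',
  };
}

// Does one frame-ancestors source expression cover the embedder? Handles 'none',
// 'self', '*', scheme sources, hosts and *.wildcards; port matching is omitted.
function sourceMatches(source, embedder, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedder.origin === page.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);
  if (!m) return false;
  if (m[1] && `${m[1]}:` !== embedder.protocol) return false;
  const host = m[2];
  if (host.startsWith('*.')) return embedder.hostname.endsWith(host.slice(1));
  return embedder.hostname === host;
}

// Would a browser render pageUrl inside a frame hosted on embedderUrl, given
// the response headers? Header names are matched case-insensitively.
function isFrameable(headers, pageUrl, embedderUrl) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const page = new URL(pageUrl), embedder = new URL(embedderUrl);
  const directive = (h['content-security-policy'] || '')
    .split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // With frame-ancestors present, browsers ignore X-Frame-Options; an empty list means 'none'.
    return directive.slice(1).some(src => sourceMatches(src, embedder, page));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder.origin === page.origin;
  return true; // no header, or a value browsers ignore (e.g. obsolete ALLOW-FROM)
}
```

Run `isFrameable` against the headers each sensitive page actually returns; any `true` result for an origin you do not control is the precondition every clickjacking variant on this page depends on.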

Archived Comments

blem
Yeah, the web becomes more powerful :) and it is the reason why we should believe in web development :)
sirdarckcat
attacker 3 works on latest flash version. attacker 1,2 are not working, flash successfully blocks the click. greetz!!
sirdarckcat
never mind, attack3 is also not working
pdp
really? I just tested it again on a fresh install.
xell
Didn't work here with a fresh install.
sirdarckcat
My version is 10.0.12.36 http://www.adobe.com/products/flash/about/ Greetz!!
A
SVG stands for Scalable Vector Graphic.
holiman
Regarding "cool" new client-side feature-rich UI possibilities, what's your take on JavaFX and Silverlight (2.0)? They seem to be pretty suitable for UI redressing. I have not looked into them (yet), but definitely plan to.
pdp
yes, definitely. UI redressing is quite an old technique. actually you can apply it to pretty much everything you can imagine.