Clickjacking is a technique that can be used to trick users into performing unintended actions on a website by formatting a web page so that the victim clicks on concealed links, typically hidden within an IFRAME. However, in comparison to other browser-based attacks such as XSS (Cross-site Scripting) and CSRF (Cross-site Request Forgery), Clickjacking has hitherto been regarded as a limited attack technique in terms of consequences for the victim and the scenarios in which it can be used. During this talk I intend to demonstrate that this assumption is incorrect, and that today’s Clickjacking techniques can be extended to perform powerful new attacks that can affect any web application.
This talk will cover the basics of Clickjacking, quickly moving on to more powerful, and newly developed, techniques. The presentation will explore further ways in which a user can be tricked into interacting with a victim site and how these can lead to attacks such as injecting data into an application (bypassing all current CSRF protections) and the extraction of data from websites without the user’s knowledge. The demo will show several cross-browser techniques, and newly released browser-specific vulnerabilities in Internet Explorer, Firefox and Safari/Chrome which can be used to take full control of a web application.
I will also be demonstrating and releasing a new tool that allows for easy point-and-click creation of multi-step Clickjacking attacks on any web application, by visually selecting the links, buttons, fields and data to be targeted. The tool will highlight the need for improved Clickjacking defences in both browsers and web applications.
Speaker: Paul Stone