Saturday, December 20, 2008

Clickjacking: Attack, Defense and Proof of Concept

Clickjacking is the latest of the seemingly endless attacks concocted by security researchers and crackers. Unsuspecting visitors to a website are tricked into clicking invisible buttons, which can execute scripts, programs or malware to steal passwords and cookies, listen to you, or even activate your webcam to see what you're doing.

It was almost presented by researchers at OWASP (Open Web Application Security Project) and has also been presented at the Hack in the Box security conference in KL.

For users it's so dangerous that you'll never know what hit you: all it takes is clicking your mouse on a clickjacker's website.

Vulnerable browsers to Clickjacking: ALL (Internet Explorer, Opera, Google Chrome, Firefox, Safari)

Clickjacking Countermeasure: Firefox with NoScript add-on.

The only thing that will protect you from a clickjacking website is Firefox with the NoScript add-on, something I've been using by default when browsing the Internet. Just don't set NoScript to "Allow Scripts Globally", because that makes its defense useless.
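As an added illustration (not code from the original post), here is the complementary defense on the website's side: a page that refuses to be loaded inside someone else's frame cannot have its buttons hidden under a clickjacker's overlay, regardless of what add-ons the visitor runs. The header names are the real X-Frame-Options and Content-Security-Policy frame-ancestors headers, which browsers began supporting after this post's date; the window objects are constructed stand-ins for a browser's `window`, so the check runs offline in Node.

```javascript
// Added example, not part of the original post. Two layers of anti-framing
// defense for a site operator: response headers that tell the browser not to
// render the page in a frame, and a client-side "frame buster" fallback.

// Build the response headers that forbid framing this page. Both headers are
// sent because older browsers only understand X-Frame-Options, while newer
// ones prefer the CSP frame-ancestors directive.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot express a list of origins: fall back to SAMEORIGIN
  // (still blocks third-party framing) and let CSP carry the exact list.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors ${allowedOrigins.join(' ')}`,
  };
}

// Client-side check: is this page framed by a page from a different origin?
// In a real browser, reading top.location from a cross-origin frame throws,
// which is itself the signal that a foreign page is framing us.
function isFramedByAnotherOrigin(win) {
  if (win.top === win.self) return false; // top-level page, nothing to do
  try {
    return win.top.location.origin !== win.self.location.origin;
  } catch (e) {
    return true; // access denied: a foreign page is framing us
  }
}

// Frame buster: if framed by a foreign page, hide the UI so no hidden button
// can be clicked, and attempt to navigate the top window to this page.
// Returns what it did so the behaviour can be asserted on.
function frameBust(win) {
  if (!isFramedByAnotherOrigin(win)) return 'not-framed';
  win.document.body.style.display = 'none';
  try {
    win.top.location.replace(win.self.location.href);
  } catch (e) {
    // Navigation may be blocked by the browser; hiding the body remains.
  }
  return 'busted';
}

// Constructed stand-in for a browser window (hypothetical, not a real DOM).
// topOrigin === null means the page is top-level; a different origin mimics
// the cross-origin SecurityError a real browser raises on top.location.
function makeWindow(selfOrigin, topOrigin) {
  const win = {
    location: { origin: selfOrigin, href: selfOrigin + '/' },
    document: { body: { style: {} } },
  };
  win.self = win;
  if (topOrigin === null) {
    win.top = win;
  } else if (topOrigin === selfOrigin) {
    win.top = { location: { origin: topOrigin, replace() {} } };
  } else {
    win.top = { get location() { throw new Error('SecurityError'); } };
  }
  return win;
}

// Stand-alone demonstration with constructed origins.
console.log(antiFramingHeaders());
console.log(frameBust(makeWindow('https://bank.example', 'https://evil.example')));
console.log(frameBust(makeWindow('https://bank.example', null)));
```

The header layer is the one to rely on: the browser enforces it before any script runs, whereas a frame buster only helps after the page is already inside the attacker's frame and can be defeated in some browsers, which is why it is kept here as a fallback rather than the primary control.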

In security awareness seminars I always remind people to refrain from visiting untrusted websites, but it's hard for them to actually determine which sites are fine to access.

Later I will test various clickjacking proof-of-concept codes/scripts to analyze them, but not to be one of the miscreants.
