
20081121

CAPTCHA-Jacking

RSnake and Jeremiah Grossman did a really good and thorough job of going over clickjacking and many different ways that it can take place. And until I sat up one night and made my own example, I didn't consider how easy and how serious it was.

Before reading on, please note two things: 1) I'm not claiming to have discovered something new, and 2) I'm not recommending a new name or anything. RSnake and Jeremiah did all the work and listed a whole series of things that could happen, which they admitted were not exhaustive.

However, the most common way to work clickjacking is by completely hiding the target site in a transparent (0.0 opacity) iframe over "the red candy-like button". A teammate and I worked through a proof of concept, though, where the idea was to make the target site visible and then use divs above the iframe to hide all the parts you don't want. The most common example would be to have the user solve a CAPTCHA. There are plenty of sites that explain that using a CAPTCHA is a great way to eliminate XSRF and clickjacking all at once.

RSnake and Jeremiah were right - the best way to avoid clickjacking is by using framebusting code. That also solves a couple of other problems, such as dealing with DNS rebinding attacks (it's not bulletproof, because with IE you can specify a security zone for an iframe so the script never runs, but at least you could have a noscript block that warns the user they might be getting clickjacked). And if users were better about using different passwords for different sites, you could always ask for their password for sensitive actions.
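As an added example (not code from the original post), here is the framebusting check described above, written so the decision logic can be run outside a browser: `win` stands in for the browser's `window` object, and the constructed `makeWindow` / `makeCrossOriginTop` helpers imitate how the same-origin policy blocks a framed page from reading a cross-origin parent's location. The allow-list of framing origins and the `partner.example` referrer are assumptions for illustration. In a real page you would call `bustFrame(window)` from a script at the top of `<head>`.

```javascript
// Returns true when the document is rendered inside another document's frame.
// window.top is the outermost browsing context; if it is not our own window,
// something has framed us. Identity comparison works even for a cross-origin
// parent, because `top` is exposed as a reference without readable properties.
function isFramed(win) {
  return win.top !== win.self;
}

// Returns true when the framing page is on an allow-list of origins (assumed
// configuration, not from the original post). A cross-origin parent throws on
// location.origin, so document.referrer is used as a weaker fallback hint.
function framingAllowed(win, allowedOrigins) {
  let parentOrigin = null;
  try {
    parentOrigin = win.top.location.origin; // only readable for a same-origin parent
  } catch (e) {
    parentOrigin = null; // cross-origin parent: blocked by the same-origin policy
  }
  if (parentOrigin === null && win.document && win.document.referrer) {
    // The referrer can be suppressed or spoofed by the parent; treat it as a hint.
    parentOrigin = new URL(win.document.referrer).origin;
  }
  return parentOrigin !== null && allowedOrigins.includes(parentOrigin);
}

// Decides what to do and returns the action: "none" (not framed), "allow"
// (framed by an allowed origin) or "bust" (navigate the top window to our own
// URL so the real page replaces the attacker's overlay).
function bustFrame(win, allowedOrigins = []) {
  if (!isFramed(win)) return "none";
  if (framingAllowed(win, allowedOrigins)) return "allow";
  try {
    win.top.location.replace(win.self.location.href);
  } catch (e) {
    // If the parent manages to block the navigation, hide our own body so
    // there is nothing underneath the overlay for the user to click.
    if (win.document && win.document.body) win.document.body.style.display = "none";
  }
  return "bust";
}

// Constructed stand-in for a page's own window object (not a real browser).
function makeWindow(href, opts = {}) {
  const win = {
    location: { href, origin: new URL(href).origin, replace(url) { win.navigatedTo = url; } },
    document: { referrer: opts.referrer || "", body: { style: { display: "" } } },
    navigatedTo: null,
  };
  win.self = win;
  win.top = opts.top || win;
  return win;
}

// Constructed stand-in for a cross-origin parent: reading location.origin
// throws, as a browser's SecurityError would, but replace() is still callable.
function makeCrossOriginTop() {
  const top = { navigatedTo: null };
  top.location = {
    get origin() { throw new Error("SecurityError"); },
    replace(url) { top.navigatedTo = url; },
  };
  return top;
}

// Runs three constructed scenarios: a top-level visit, a hostile cross-origin
// frame, and a frame from an allow-listed partner (identified via referrer).
function demo() {
  const pageUrl = "https://example.test/captcha";
  const topLevel = makeWindow(pageUrl);
  const hostileTop = makeCrossOriginTop();
  const hijacked = makeWindow(pageUrl, { top: hostileTop, referrer: "https://attacker.invalid/bait" });
  const partnerTop = makeCrossOriginTop();
  const embedded = makeWindow(pageUrl, { top: partnerTop, referrer: "https://partner.example/widget" });
  return {
    topLevel: bustFrame(topLevel),
    hijacked: bustFrame(hijacked),
    hijackedNavigatedTo: hostileTop.navigatedTo,
    embedded: bustFrame(embedded, ["https://partner.example"]),
    embeddedNavigatedTo: partnerTop.navigatedTo,
  };
}

console.log(demo());
```

Because the script only runs when scripting is enabled, pair it with the noscript warning the post mentions: hide the body by default in CSS, have `bustFrame` reveal it when the page is top-level, and put the "you may be inside another site's frame" text in a `<noscript>` block.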