Attack
ClickJacking-slides Page 1
Outline
ClickJacking-slides Page 2
Lab Setup
Elgg website: www.seed-server.com
Attacker: www.attacker32.com
Defense: www.bank32.com
ClickJacking-slides Page 3
End
ClickJacking-slides Page 4
Iframe and its Properties
ClickJacking-slides Page 5
Iframe: Inline Frame
ClickJacking-slides Page 6
Overlapping iframes
URL: http://www.attacker32.com/test1.html
ClickJacking-slides Page 7
Transparent iframe
URL: http://www.attacker32.com/test1.html
ClickJacking-slides Page 8
Features versus Security
ClickJacking-slides Page 9
End
ClickJacking-slides Page 10
Attack Using Transparent iframe
ClickJacking-slides Page 11
Attack 1 Demo
URL: http://www.attacker32.com/
ClickJacking-slides Page 12
Attack 1: LikeJacking
Code: image_apache_server/attacker32/attack/clickjacking1.html
❖ Inside bottom1.html
ClickJacking-slides Page 13
Attack 2: Adding A Friend
Code: image_apache_server/attacker32/attack/clickjacking2.html
ClickJacking-slides Page 14
Attack 3: Deleting A Friend
Code: image_apache_server/attacker32/attack/clickjacking3.html
ClickJacking-slides Page 15
End
ClickJacking-slides Page 16
Attack Using Small-size iframe
ClickJacking-slides Page 17
Attack 4 Demo
URL: http://www.attacker32.com/
ClickJacking-slides Page 18
Attack 4: Using Small-Size iFrame
Code: image_apache_server/attacker32/attack/clickjacking4.html
ClickJacking-slides Page 19
Attack 5: Fake Login
Code: image_apache_server/attacker32/attack/clickjacking5.html
❖ Inside fake_login.html
ClickJacking-slides Page 20
End
ClickJacking-slides Page 21
Countermeasures
ClickJacking-slides Page 22
Old Idea: Framekiller/Framebuster
❖ Example
ClickJacking-slides Page 23
X-Frame-Options Approach
❖ Options
○ X-Frame-Options: DENY
○ X-Frame-Options: SAMEORIGIN
ClickJacking-slides Page 24
ClickJacking-slides Page 25
CSP (Content Security Policy) Approach
❖ Options
ClickJacking-slides Page 26
❖ Setting CSP policy on Apache
ClickJacking-slides Page 27
End
ClickJacking-slides Page 28
Security Features of iframe
ClickJacking-slides Page 29
Same-Origin Policy of Iframe
❖ Iframes
ClickJacking-slides Page 30
Experiment Design
ClickJacking-slides Page 31
Using Iframe to Sandbox Content
❖ Setting Sandbox
❖ Options
○ allow-same-origin
○ allow-scripts
○ allow-forms
○ allow-modals
○ allow-top-navigation
ClickJacking-slides Page 32
Sandboxing Dynamic Content
❖ Setting Sandbox
ClickJacking-slides Page 33
End
ClickJacking-slides Page 34
Summary
ClickJacking-slides Page 35
Summary
❖ Iframe, its attributes and security features
❖ Clickjacking attacks
❖ Countermeasures
ClickJacking-slides Page 36
End
ClickJacking-slides Page 37