Web Admin Blog Real Web Admins. Real World Experience.


New 0Day Browser Exploit: Clickjacking – OWASP AppSec NYC 2008

This talk was rumored to have been cancelled at a vulnerable vendor's (Adobe's) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway. Here are my notes from the semi-restricted presentation.

Jeremiah started off with a brief introduction to what clickjacking is. In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript, so turning JavaScript off in your browser will not help you. It's a fundamental flaw in the way your browser works and cannot be fixed with a simple patch. With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happen. "A normal user wouldn't have any idea of what is going on. People in this audience may see something a little different from what they would expect and you would definitely see the results in the page's source code." eBay, for example, would be vulnerable to this since you could embed JavaScript into the web page, although JavaScript is not required to exploit this. "It makes it easier in many ways, but you do not need it." Use lynx to protect yourself and don't do dynamic anything. You can "sort of" fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click, so something like a flash game is perfect bait. The issue and fix will probably first be released on http://ihackcharities.org.

My Analysis: It sounds like the exploit basically creates a frame that is hidden underneath the main content frame that a user is seeing.  The main content could be a flash game or any sort of incentive to keep a user clicking.  All of the clicks that the user is making are used to click on content in the hidden frame. Again, just my speculation based on the information provided by RSnake and Jeremiah above.

Comments (15) Trackbacks (19)
  1. Very interesting! Thanks for writing it up Josh.

  2. This makes no sense.. if you’re on a malicious page already, what’s the point of this “attack”? What does it allow the attacker to do that they can’t already do? So they make you “click on links” that you didn’t intend to. Oooooh, not like they can’t just redirect you to the destination of the link anyway.

  3. @kats – The problem is the same problem with most browser attacks like XSS. What is a “malicious page”? It is very easy to embed malicious code in a “friendly” page in a number of ways. XSS vulnerabilities in forums and such are popular, as are even banner ads (banner ads nowadays usually allow HTML, JavaScript, Flash, and other ways to jack a user).

    Besides, how can you trust a site? You came to this site and interacted with it enough to leave a comment. Are you sure it didn't hijack your browser while you were here and do something to you? Probably not.

  4. Ok guys, so, supposedly the NoScript dude has a fix to this. (Assuming you have FF and NoScript installed) You would go to Tools, Add-ons, Extensions, NoScript, Preferences, and then the Plugins tab.
    Check off “Forbid ” and (according to the NoScript maintainer) you should be 100% protected.

  5. @zmjjmz – Thanks for the tip! Now, since the actual exploit hasn't been published and this is a guess, we probably can't say that NoScript will work for sure against the Grossman clickjacking thing till there's disclosure, but it can't hurt. I've loaded up NoScript, I'll see how much it messes with my normal Web experience.

  6. Oh, although I stand semi-corrected – in rsnake’s blog entry on clickjacking Grossman has a comment saying that NoScript will “prevent most of the really bad clickjacking PoC, not 100%, which should be good enough to limit most risk”. Cool! And someone commenting on ZDNet has a further setting he claims does make it 100%, checking the Plugins|Forbid

  7. Is there any proof of concept page?

  8. This attack is caused by Flash’s ability to capture mouse events and keystrokes while not focused on the flash container. It is entirely Adobe’s fault and it is part of their recent enhancements for better advertisements. (GRRR)

    To recreate the attack:

    Create two layers; on the top layer, place a small flash app that captures keystrokes and mouse events. When the browser attempts to leave the page, redirect the page to a site that will serve the page with your Flash interceptor on top.

    Adobe is dumb, this is an obvious attack, and I’m sure the actual attack is more complicated and less discoverable.

  9. Arshan Dabirsiaghi played with it a bit overnight and actually demonstrated a bit of the exploit in his “Building and Stopping Next Generation XSS Worms” presentation. The demo page was located at http://i8jesus.com/stuff/clickjacking/test1.html and appears to still be active as of this posting. This is just a demo of how the exploit works and is not weaponized in any way. It uses some JavaScript and CSS, although Grossman and RSnake made it very clear that this exploit could be performed without any JavaScript.

    kats, the idea here is that you can be clicking around on what appears to be a completely legitimate website (say a cool new flash game) and all the while your clicks are hitting other links without your knowledge. Here’s an example. You go to bankofamerica.com and log in to check your balance. Then you go to coolnewflashgame.com and start playing around. All you see is the flash game that keeps you clicking. In the background, you’re clicking “transfer money”, “yes, I mean my life savings out of my savings account”, “submit”, “confirmed, please take all of my money”. General consensus is that I can get you to do pretty much anything I want in about 4-5 clicks. You’ll eventually get bored of my cool flash game and move along, never knowing that you just sent me your life savings.

  10. The problem with the 'Bank of America' example is that to send any money anywhere requires actually entering text into specific fields on the bank page. Even if the security was lax enough to hold history of prior amounts that you've entered, and to what accounts you've transferred to, how will it send any amount, to a location of the exploiter's choice? With the present information supplied, the worst it seems it can do is pay my phone company again after I just paid them. Inconvenient, yes, but not crippling or insurmountable a problem.

    Are there any further ideas of how this is a threat? So far, it seems to be a more insidious pop-up/under.

  11. Found an even better example of clickjacking by Tod over at BreakingPoint Systems:
    In this example, if you are logged into your MySpace account, two clicks will change your profile to public. Thanks for the great example Tod!

    Yeah, I agree that the Bank of America example is not a completely realistic or feasible one, but it was an attempt to illustrate the concept and not an actual attack. Bank of America has session timeouts and other security features that make these types of attacks extremely difficult with them.

    Probably the simplest solution here is that if you own a site that you worry about your customers getting clickjacked on, just put some simple framebuster script on there. If you break the site out of the iframe, then there is no way for this attack to work.
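The framebusting defense suggested in comment 11 (and noted in the talk summary above), as an added example that is not part of the original post or its comments. It assumes a window-like object is passed in; makeWindow is a constructed stand-in for testing outside a browser, and the hostnames in it are placeholders.

```javascript
// Added example (not the post's or the talk's code): a defensive framebusting
// check. `win` is a window-like object; in a real page, pass the real `window`.
function isFramed(win) {
  // A top-level document has win.top === win.self. Touching win.top from a
  // cross-origin frame can throw in some browsers; treat that as "framed".
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

function framebust(win) {
  // Page CSS keeps <body> hidden by default; reveal it only when not framed.
  // Returns what was done so callers and tests can inspect the decision.
  if (!isFramed(win)) {
    win.document.body.style.display = 'block';
    return 'shown';
  }
  try {
    // Framed: navigate the top-level window to this page, breaking the frame.
    win.top.location = win.self.location.href;
    return 'busted';
  } catch (e) {
    // The framing parent prevented navigation: leave the content hidden so
    // the hidden-frame clicks described in the post have nothing to land on.
    return 'hidden';
  }
}

// Constructed stand-in for a browser window (hypothetical helper, not a
// browser API) covering the cases a framebuster meets; hostnames are placeholders.
function makeWindow(mode) {
  const self = {
    location: { href: 'https://bank.example/account' },
    document: { body: { style: { display: 'none' } } },
  };
  const win = { self, document: self.document };
  if (mode === 'top') {
    win.top = self;                                   // not framed
  } else if (mode === 'framed') {
    win.top = { location: { href: 'https://game.example/play' } };
  } else if (mode === 'opaque') {                     // cross-origin top throws
    Object.defineProperty(win, 'top', { get() { throw new Error('SecurityError'); } });
  } else if (mode === 'blocked') {                    // parent blocks navigation
    win.top = { set location(v) { throw new Error('navigation blocked'); } };
  }
  return win;
}
```

In a real page the body would start hidden via a stylesheet rule such as `body { display: none }` and `framebust(window)` would run from an inline script in the head. Script-based busters can be bypassed, and browsers now honor the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive, which should be the primary defense.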

  12. Not to mention if you really went into it you could stack multiple frames on top of each other that would limit random clicking to perform a series of clicks. For instance preventing you from following through with the save changes click until the everyone click was done first.

  13. Sounds like a great way to rack up adwords, or other advertising, or traffic exchange clicks. Using this that way would not harm the users at all, it would just make money/gain traffic for the site owner. Still malicious, just not towards users.

  14. Clickjacking, simply put, is stealing mouse cursor clicks from users. In this type of attack, the malicious user is able to take control of the links that a user may connect to while they are within a malicious domain.
