{"id":90,"date":"2008-09-24T12:25:37","date_gmt":"2008-09-24T17:25:37","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=90"},"modified":"2008-09-26T15:31:32","modified_gmt":"2008-09-26T20:31:32","slug":"new-0day-browser-exploit-clickjacking-owasp-appsec-nyc-2008","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2008\/09\/24\/new-0day-browser-exploit-clickjacking-owasp-appsec-nyc-2008\/","title":{"rendered":"New 0Day Browser Exploit: Clickjacking &#8211; OWASP AppSec NYC 2008"},"content":{"rendered":"<p>This talk was rumored to have been cancelled at a vulnerable vendor&#8217;s (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway.\u00a0 Here are my notes from the semi-restricted presentation.<\/p>\n<p>Jeremiah started off with a brief introduction on what clickjacking is.\u00a0 In a nutshell, it&#8217;s when you visit a malicious website and the attacker is able to take control of the links that your browser visits.\u00a0 The problem affects all of the different browsers except something like Lynx.\u00a0 The issue has nothing to do with JavaScript, so turning JavaScript off in your browser will not help you.\u00a0 It&#8217;s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.\u00a0 With this exploit, once you&#8217;re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.\u00a0 &#8220;A normal user wouldn&#8217;t have any idea of what is going on.\u00a0 People in this audience may see something a little different from what they would expect and you would definitely see the results in the page&#8217;s source code.&#8221;\u00a0 eBay, for example, would be vulnerable to this since you could embed JavaScript into the web page, although JavaScript is not required to exploit this.\u00a0 &#8220;It makes it easier in many ways, but you do not need it.&#8221;\u00a0 Use Lynx to protect yourself and don&#8217;t do anything dynamic.\u00a0 You can &#8220;sort of&#8221; fill out forms and things like that.\u00a0 The exploit requires DHTML.\u00a0 Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page.\u00a0 Each click by the user equals a clickjacking click, so something like a Flash game is perfect bait. The issue and fix will probably be first released on http:\/\/ihackcharities.org.<\/p>\n<p><strong>My Analysis:<\/strong> It sounds like the exploit basically creates a frame that is hidden underneath the main content frame that a user is seeing.\u00a0 The main content could be a Flash game or any sort of incentive to keep a user clicking.\u00a0 All of the clicks that the user is making are used to click on content in the hidden frame. Again, this is just my speculation based on the information provided by RSnake and Jeremiah above.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This talk was rumored to have been cancelled at a vulnerable vendor&#8217;s (Adobe) request, but Jeremiah Grossman and Robert Hansen decided to do parts of the talk anyway.\u00a0 Here are my notes from the semi-restricted presentation. Jeremiah started off with a brief introduction on what clickjacking is.\u00a0 In a nutshell, it&#8217;s when you visit a malicious [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[188,127,189,4],"tags":[141,76,128,114,143,142,139,140,12,138,622],"class_list":["post-90","post","type-post","status-publish","format-standard","hentry","category-featured","category-owasp-appsec-nyc-2008","category-popular","category-web-app-sec","tag-0day","tag-application","tag-appsec","tag-browser","tag-clickjacking","tag-exploit","tag-grossman","tag-hansen","tag-owasp","tag-rsnake","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1s","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/90","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=90"}],"version-history":[{"count":3,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/90\/revisions"}],"predecessor-version":[{"id":129,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/90\/revisions\/129"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=90"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=90"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=90"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}