Clickjacking vulnerability: technical details - Vulnerability Warning - Black Bar Safety Net (myhack58)

ID MYHACK58:62200820672
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-10-14T00:00:00


Source: IT Expert Network

Clickjacking was a confidential topic at the OWASP NYC AppSec 2008 conference; the following are some of the details of the attack that have since been described:

When you visit a malicious website, the attacker can make your browser access links of their choosing. This vulnerability affects almost all browsers and all versions of Flash and other browser-related third-party software, unless you use a text-mode browser such as lynx.

This vulnerability does not depend on JavaScript; disabling JavaScript in the browser does not help. It is in fact a defect in the way browsers work. A malicious website can make you click any link, any button, or anything else on a page without your knowledge.

The vulnerability exploits DHTML. Anti-framing code can protect you from cross-site attacks, but an attacker can still force you to click links. Any click you make is directed to a malicious link, so Flash games will bear the brunt.

Recently, foreign security researchers released example attacks against this vulnerability, along with some details. The attack uses the page-rendering features of CSS style sheets together with an IFRAME that frames the target page to carry out a phishing-style web attack. It relies on some web design tricks; the steps are:

  1. On a third-party website, use an IFRAME to include the page to be attacked, and set the width and height of the framed page to the size of the entire browser window.

  2. Apply a CSS filter to the page so that the whole page is masked with a white filter.

  3. Use a span or div to build a layer containing a fake form submit button, input box or link, then use a CSS style sheet to position that layer so that it sits exactly over the button, input box or link to be hijacked.

Using this method, an attacker can craft a phishing page that induces the user, without realising it, to complete sensitive operations in a web application.

Hazards of the vulnerability:

An attacker can craft an elaborate phishing page that lets them take control of the user's camera without the user's knowledge, or complete a password change, an online banking transfer or other malicious operation, causing the user huge losses.
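As an added example (not part of the original article, which only mentions DHTML anti-framing code), the following Python function audits a response's headers for the later, header-based framing defences, X-Frame-Options and Content-Security-Policy frame-ancestors, and reports whether a given framing origin would be allowed to embed the page. All header values and origins in it are constructed sample data.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin (lower-cased)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _host_source_matches(source: str, framer: str) -> bool:
    """Match one CSP host or scheme source expression against a framer origin.
    Ports are compared literally; default-port normalisation is omitted."""
    source = source.lower()
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme source, e.g. https:
        return framer.startswith(source + "//")
    if "://" not in source:  # bare host: any scheme
        source = "*://" + source
    scheme, _, host = source.partition("://")
    f_scheme, _, f_host = framer.partition("://")
    if scheme != "*" and scheme != f_scheme:
        return False
    if host.startswith("*."):  # *.example.com matches subdomains only
        return f_host.endswith(host[1:]) and f_host != host[2:]
    return host == f_host


def _frame_ancestors_allows(value: str, page: str, framer: str) -> bool:
    sources = value.split()
    if not sources or sources == ["'none'"]:
        return False
    return any(
        framer == page if s.lower() == "'self'" else _host_source_matches(s, framer)
        for s in sources
    )


def framing_policy(headers: dict, page_url: str, framer_url: str):
    """Return (allowed, reason): may framer_url embed page_url under these headers?
    A CSP frame-ancestors directive overrides X-Frame-Options, as browsers do."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return _frame_ancestors_allows(value, page, framer), f"frame-ancestors {value.strip()}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer == page, "X-Frame-Options: SAMEORIGIN"
    if xfo:  # unknown values (including the obsolete ALLOW-FROM) are ignored by browsers
        return True, f"X-Frame-Options value {xfo!r} is invalid and gives no protection"
    return True, "no framing protection header"
```

A page for which `framing_policy` returns `True` for an untrusted origin is a candidate for the overlay attack described above, and the reason string tells the auditor which gap to close.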