Monday, July 26, 2010

About Clickjacking - Security Testing

What is clickjacking?

The attack works like this: the attacker first creates an HTML page that includes an iframe pointing at a legitimate site, but he does not simply display, say, its top-left 200x200 pixels. Instead, he positions and sizes the iframe and the other page elements so that only the pixels of one specific control of the victim page, such as a button, are visible. The attacker then presents this partial iframe control in a completely different context from its original one in order to trick users into clicking it.

Clickhijacking.html

1. Make an HTML file using the code below and save it with an .html extension, or execute the attached HTML file named "Gowall_Clickjacking.html".

<html>
<body>
<h1>Hello World</h1>
<!-- the target page is loaded inside a small frame to see whether it allows framing -->
<iframe src="http://www.google.com/" height="200px" width="200px"></iframe>
</body>
</html>

2. Execute the saved HTML file by double-clicking it.

3. Observe that the Google.com website is loaded in the iframe inside the web page.

For more information on the attack, visit:

1) http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx

2) http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

3) http://www.sectheory.com/clickjacking.htm

If the page is displayed inside the iframe, the site is vulnerable to clickjacking; if the target page breaks out of the frame and loads as a normal top-level page in the browser, it is not vulnerable.

--> We should also check every page of the application for frame-busting JavaScript that sets top.location, as shown in the code below. Pages that do not set it are vulnerable.

Prevention:

Several techniques exist to prevent clickjacking on a website. For more information, visit:

1) http://usablelayout.com/articles/automatically-break-out-iframe

2) https://blogs.sans.org/appsecstreetfighter/2009/10/15/adoption-of-x-frame-options-header/

Some well-known sites such as Gmail do not allow their pages to be loaded in an iframe, which prevents the clickjacking attack. I have attached the Gmail script named 'Gmail_Clickhijacking.html'; execute it and observe the behaviour.
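The manual iframe test above shows whether one page can be framed; the same question can be answered from the response headers. The following is an added example (not part of the original post) that evaluates the X-Frame-Options header described in the prevention links, and goes a step further by also reading the newer Content-Security-Policy frame-ancestors directive. The header sets below are constructed samples, not captured responses.

```python
"""Decide from HTTP response headers whether a page may be loaded in an iframe."""


def framing_policy(headers):
    """Return (framable, reason) for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}

    # Browsers that understand CSP frame-ancestors give it precedence over X-Frame-Options.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return False, "CSP frame-ancestors 'none'"
            if "*" in sources:
                return True, "CSP frame-ancestors allows any origin"
            return False, "CSP frame-ancestors restricted to: " + " ".join(sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False, "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM and other unrecognised values are treated as invalid by most
        # browsers, which then apply no restriction at all.
        return True, "unrecognised X-Frame-Options value, no protection: " + xfo
    return True, "no framing restriction header; page can be loaded in an iframe"


# Constructed sample responses (not real captures) for the cases the post contrasts.
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo": {"X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "bad_xfo": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        framable, why = framing_policy(hdrs)
        print(f"{name}: {'VULNERABLE' if framable else 'protected'} ({why})")
```

A real check would feed the headers of each application page into framing_policy and flag every page that comes back framable.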


2 comments:

  1. Hi Trupti,
    Amit here from Goa. I am a graphic + web designer, but I also want to learn software testing. Can you tell me some books which I can refer to? I like to do self-study.
    Bye
    My blog: http://amit773.blogspot.com/
  2. Hi Amit,

    "The Art of Software Testing" is a good book for testing.

    If you need any help, let me know.

    Thanks,
    Trupti