[OWASP-Bangalore] Interview: Jeremiah Grossman provides more details on clickjacking attack

Sundar N suntracks at gmail.com
Mon Oct 6 04:04:31 EDT 2008


HI all Just came across this interesting interview, Hope some find it
interesting Interview: Jeremiah Grossman provides more details on
clickjacking attack<http://www.cgisecurity.org/2008/10/interview-jerem.html#>

Little information has been provided on
ClickJacking<http://www.securityfocus.com/news/11534>so I decided to
go digging a little bit and talk to the source to find out
some additional information. Here's my interview with Jeremiah
Grossman<http://jeremiahgrossman.blogspot.com/>on Friday October 3rd.

*How did you find this flaw exactly? Was it something you were digging for
or was it by accident? *
ClickJacking as an attack technique
Robert<http://ha.ckers.org/blog/20080915/clickjacking/>and I
discovered around a year and a half ago. Recently we're told we've
been told that its been known by the browser vendors since 2002. In any case
the attack has been essentially underestimated and largely undefended by the
web security community in general. Post
Black Hat 2008 some research we were conducting was furthered by using
ClickJacking, as a result we felt warranted more attention. What we didn't
know didn't realize at first was that one of our proof-of-concept examples
used a zero-day in an Adobe product. When we found out, because Adobe
informed us, that's when we decided to postpone our OWASP conference talk.

*Can ClickJacking reach out of the browser? *
Clickjacking can be used to exploit just about anything between the browser
walls, or perhaps more specifically, anything that is part of the DOM.

*Are applications other than browsers affected, if so what?*
We haven't researched that aspect of ClickJacking.
*
Is it likely this has been used by attackers to actively exploit people?*
We believe ClickJacking may have been used by advertising click fraudsters,
but we don't know for sure. Beyond that ClickJacking attacks would be
incredibly hard for the average user to detect, and even if they did, it
would be tough for them to describe.

*Knowing that after you discuss this bad guys are going to use it to do you
feel it is better to still talk about it?  *
Bad guys tend to use the attack techniques that are the easiest to monetize.
While ClickJacking is somewhat trivial, they're already vested in using
attack techniques like SQL Injection until that stops working. From my
experience in Web security, the bad guys start taking advantage of new
techniques 12-18 months after initial disclosure if their able to monetize
it will enough.

When we discuss new attacks, it evens the playing field for everyone. Those
who want to defend themselves quickly now have the information available to
do so.

*Have you received negativity from anyone for wanting to disclose this?*
There has been some yes, but that's to be expected. It's impossible to
please everyone all the time when it comes to matters of vulnerability
disclosure. Everyone has they're preference. What we're doing is trying to
keep the end user as our #1 priority when discussing these matters publicly.


*Does this flaw still work if you're using a keyboard with no mouse? *
Yes. If you can "click", you can be "ClickJacked".

*Does this flaw affect other technologies such as Silverlight, Javafx,
applets, etc? Is anything immune?*
We are unable to say for sure, more research would need to be perform by
Robert and myself, or others in the industry.

*Do iframes offer any sort of protection? *
No, they are one source of the problem.

*Does this break protections for flaws such as Cross-Site Request Forgery? *
Yes. Clickjacking has the potential of breaking
CSRF<http://www.cgisecurity.com/articles/csrf-faq.shtml>token-based
protections.

*Boxers or briefs? *
I prefer No Disclosure. ;)

The fact that CSRF
<http://www.cgisecurity.com/articles/csrf-faq.shtml>token based
protection may be busted and that there is no clear fix for
browser makers is sure to stir things up in the industry. Full details will
be published at the HITB <https://conference.hackinthebox.org/> conference
later this month. Certainly some interesting research.

Source link: http://www.cgisecurity.org/2008/10/interview-jerem.html

Regards,

Sundar.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-bangalore/attachments/20081006/8721d28c/attachment.html 


More information about the OWASP-Bangalore mailing list