[OWASP-Bangalore] Interview: Jeremiah Grossman provides more details on clickjacking attack

Ritesh Kumar Sinha RiteshKS at microland.com
Tue Oct 7 04:55:22 EDT 2008


Hi All, 

The recent "clickjacking" buzz has hit the security community at large,
and famous blogs/security portals are keen to keep us excited and waiting
for the disclosure (presumably after the vulnerability has been fixed,
or it could happen the way it did with Mr. Kaminsky and the DNS
vulnerability). From my limited experience it seems that the description
of the attack (sourced from various opinions spread across the
blogosphere) is rather strikingly similar to CSRF/XSS or a
combination of both. Most likely a CSRF vulnerability. What bothers me
more is the abundance of hype surrounding this, which I believe is a tad
too much, with due respect to Jeremiah Grossman and Robert "RSnake"
Hansen.

As it is with the current state of vulnerability disclosure, the hype
generated often causes unwanted FUD in the minds of otherwise carefree
"netizens".

Consider a layman (a slightly more technically inclined layman, if you
will); what exactly should he be afraid of? What are the ramifications
of the vulnerability that are NOT already explained in depth with
CSRF/XSS or CSRF+XSS attacks (e.g. can do anything within the DOM (XSS,
CSRF), requires user intervention (CSRF))?

Just my take on this. It would be great to hear what the OWASP Bangalore
chapter makes of it :)

Regards,

Ritesh


> -----Original Message-----
> From: owasp-bangalore-bounces at lists.owasp.org On Behalf Of
> owasp-bangalore-request at lists.owasp.org
> Sent: Monday, October 06, 2008 9:30 PM
> To: owasp-bangalore at lists.owasp.org
> Subject: OWASP-Bangalore Digest, Vol 11, Issue 5
> 
> Date: Mon, 6 Oct 2008 13:34:31 +0530
> From: "Sundar N" <suntracks at gmail.com>
> Subject: [OWASP-Bangalore] Interview: Jeremiah Grossman provides more details on clickjacking attack
> To: owasp-bangalore at lists.owasp.org
> 
> Hi all, just came across this interesting interview; hope some find it
> interesting: Interview: Jeremiah Grossman provides more details on
> clickjacking attack <http://www.cgisecurity.org/2008/10/interview-jerem.html#>
> 
> Little information has been provided on
> ClickJacking <http://www.securityfocus.com/news/11534>, so I decided to
> go digging a little bit and talk to the source to find out
> some additional information. Here's my interview with Jeremiah
> Grossman <http://jeremiahgrossman.blogspot.com/> on Friday October 3rd.
> 
> *How did you find this flaw exactly? Was it something you were digging
> for or was it by accident?*
> ClickJacking as an attack technique
> Robert <http://ha.ckers.org/blog/20080915/clickjacking/> and I
> discovered around a year and a half ago. Recently we've been told that
> it's been known by the browser vendors since 2002. In any case the
> attack has been essentially underestimated and largely undefended by
> the web security community in general. Post Black Hat 2008 some
> research we were conducting was furthered by using ClickJacking; as a
> result we felt it warranted more attention. What we didn't realize at
> first was that one of our proof-of-concept examples used a zero-day in
> an Adobe product. When we found out, because Adobe informed us, that's
> when we decided to postpone our OWASP conference talk.
> 
> *Can ClickJacking reach out of the browser?*
> Clickjacking can be used to exploit just about anything between the
> browser walls, or perhaps more specifically, anything that is part of
> the DOM.
> 
> *Are applications other than browsers affected, if so what?*
> We haven't researched that aspect of ClickJacking.
> 
> *Is it likely this has been used by attackers to actively exploit
> people?*
> We believe ClickJacking may have been used by advertising click
> fraudsters, but we don't know for sure. Beyond that ClickJacking
> attacks would be incredibly hard for the average user to detect, and
> even if they did, it would be tough for them to describe.
> 
> *Knowing that after you discuss this bad guys are going to use it, do
> you feel it is better to still talk about it?*
> Bad guys tend to use the attack techniques that are the easiest to
> monetize. While ClickJacking is somewhat trivial, they're already
> vested in using attack techniques like SQL Injection until that stops
> working. From my experience in Web security, the bad guys start taking
> advantage of new techniques 12-18 months after initial disclosure if
> they're able to monetize it well enough.
> 
> When we discuss new attacks, it evens the playing field for everyone.
> Those who want to defend themselves quickly now have the information
> available to do so.
> 
> *Have you received negativity from anyone for wanting to disclose
> this?*
> There has been some, yes, but that's to be expected. It's impossible to
> please everyone all the time when it comes to matters of vulnerability
> disclosure. Everyone has their preference. What we're doing is trying
> to keep the end user as our #1 priority when discussing these matters
> publicly.
> 
> 
> *Does this flaw still work if you're using a keyboard with no mouse? *
> Yes. If you can "click", you can be "ClickJacked".
> 
> *Does this flaw affect other technologies such as Silverlight, Javafx,
> applets, etc? Is anything immune?*
> We are unable to say for sure; more research would need to be
> performed by Robert and myself, or others in the industry.
> 
> *Do iframes offer any sort of protection? *
> No, they are one source of the problem.
> 
> *Does this break protections for flaws such as Cross-Site Request
> Forgery?*
> Yes. Clickjacking has the potential of breaking
> CSRF <http://www.cgisecurity.com/articles/csrf-faq.shtml> token-based
> protections.
> 
> *Boxers or briefs? *
> I prefer No Disclosure. ;)
> 
> The fact that CSRF <http://www.cgisecurity.com/articles/csrf-faq.shtml>
> token-based protection may be busted and that there is no clear fix
> for browser makers is sure to stir things up in the industry. Full
> details will be published at the HITB
> <https://conference.hackinthebox.org/> conference later this month.
> Certainly some interesting research.
> 
> Source link: http://www.cgisecurity.org/2008/10/interview-jerem.html
> 
> Regards,
> 
> Sundar.
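The two technical points in the quoted interview, that iframes are the vehicle and that server-side CSRF tokens do not stop the attack, are illustrated by this added example, which is not code from the thread or the interview. It checks whether an HTTP response can be embedded by another site using X-Frame-Options and CSP frame-ancestors (both shipped by browsers after this thread was written, so they are not mentioned in it), alongside the top-window comparison that frame-busting scripts of the time relied on; the header objects and window objects are constructed sample input.

```javascript
// Added example, not code from the thread. Why a CSRF token does not help:
// the victim's own browser renders the genuine page, token included, inside
// the attacker's frame, and the victim's genuine click submits it. The only
// defence is to refuse to be framed, so that is what these checks look for.
// Assumption: response headers arrive as an object with lowercase names.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

function frameProtection(headers) {
  // Verdict on whether a third-party origin may embed this response in a frame.
  // Browsers that understand frame-ancestors ignore X-Frame-Options, so CSP wins.
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    if (ancestors) {
      // '*' or a bare scheme ('https:') lets any site on that scheme frame the page.
      const open = ancestors.some(a => a === '*' || /^https?:$/i.test(a));
      return { framable: open, reason: 'CSP frame-ancestors ' + ancestors.join(' ') };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, reason: 'X-Frame-Options ' + xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Not honoured by every browser, so a conservative check treats it as open.
    return { framable: true, reason: 'X-Frame-Options ALLOW-FROM is not universally honoured' };
  }
  return { framable: true, reason: 'no framing restriction sent' };
}

function isFramed(win) {
  // Client-side check a page can run on itself: embedded if it is not the top window.
  // Frame-busting scripts of 2008 were built on exactly this comparison.
  return win.top !== win.self;
}

// Constructed sample responses, labelled as such: a bare page beside two hardened ones.
const WEAK = { 'content-type': 'text/html' };
const HARDENED = { 'content-type': 'text/html', 'x-frame-options': 'DENY' };
const CSP_HARDENED = { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" };
```

Run against captured response headers, the function flags every page that a third-party site could still load in a frame; the token check on the server never sees the difference.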