Wanted: A click jacking demo

Bwig Zomberi

Hi,

Can someone explain how click jacking is done? And, provide some code.
Also, some info on countermeasures would be great.

When I do a search for this in Google, the search results get
redirected. Is Google that good?
 
VK

This page says something about it. http://www.grc.com/sn/notes-168.htm

Basically ClickJacking is the technique of inclining the visitor to
click a page interface element in expectation of one result and
providing some other result instead, or the declared result plus some
additional undeclared result.

The most "popular" now ClickJacking is making a nag window using CSS
that floats over a potentially interesting content. The window has [x]
Close button on it. So say user clicks on it. As it is a real
mechanical click initiated by user, popup blocker lets it go. So it is
used to open a real popup/popunder window with sponsor ads and the
like, and after that the nag screen goes away.
 
Bwig Zomberi

VK said:
> This page says something about it. http://www.grc.com/sn/notes-168.htm
>
> Basically ClickJacking is the technique of inclining the visitor to
> click a page interface element in expectation of one result and
> providing some other result instead, or the declared result plus some
> additional undeclared result.
>
> The most "popular" now ClickJacking is making a nag window using CSS
> that floats over a potentially interesting content. The window has [x]
> Close button on it. So say user clicks on it. As it is a real
> mechanical click initiated by user, popup blocker lets it go. So it is
> used to open a real popup/popunder window with sponsor ads and the
> like, and after that the nag screen goes away.

I am specifically worried on clickjacking in user-generated content.

http://go.theregister.com/feed/www.theregister.co.uk/2010/06/01/facebook_clickjacking_worm/

It affects sites such as Facebook and Twitter.

I plan to create some comment forms on my site. Would it be enough if I
remove iframes tags or would I have to strip all tags?
 
Gordon

> Basically ClickJacking is the technique of inclining the visitor to
> click a page interface element in expectation of one result and
> providing some other result instead, or the declared result plus some
> additional undeclared result.
>
> The most "popular" now ClickJacking is making a nag window using CSS
> that floats over a potentially interesting content. The window has [x]
> Close button on it. So say user clicks on it. As it is a real
> mechanical click initiated by user, popup blocker lets it go. So it is
> used to open a real popup/popunder window with sponsor ads and the
> like, and after that the nag screen goes away.
>
> I am specifically worried on clickjacking in user-generated content.
>
> http://go.theregister.com/feed/www.theregister.co.uk/2010/06/01/faceb...
>
> It affects sites such as Facebook and Twitter.
>
> I plan to create some comment forms on my site. Would it be enough if I
> remove iframes tags or would I have to strip all tags?

Stripping all <script> tags and tags that allow inline content such as
iframes should cover most cases. You'd be far better doing it server
side though, as client side validation with javascript is easily
turned off.
 
Richard Cornford

> Stripping all <script> tags and tags that allow inline content
> such as iframes should cover most cases.

Intrinsic event attributes would also have to be removed. Probably
along with STYLE attributes and elements (and LINKs that import
external style sheets) so IE's - expression - extension to CSS could
not be employed.

It is probably easier to do what some other sites do and provide a
limited set of alternative 'mark-up' symbols, say - [p] - for an
opening paragraph tag, and transform those into the HTML mark-up that
will be used, with everything that is not in that (small) set of
symbols appropriately escaped/entified (so things like '<' converted
to '&lt;') so that any mark-up it may contain will not be recognised
as such by the browser.

> You'd be far better doing it server side though, as client side
> validation with javascript is easily turned off.

Yes, attempting to sanitize user input only on the client is a waste
of effort.

Richard.
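
The allow-list approach described in the post above, as an added example that is not part of the original thread: a server-side (Node.js) renderer that entity-escapes everything in a comment and turns only a small set of bracket symbols into HTML. Only `[p]` comes from the thread; `[b]`, `[i]` and the function names are assumptions made for illustration.

```javascript
// Added example, not code from the thread. Only [p] is mentioned there;
// [b] and [i] are assumed extra symbols.
const ALLOWED = new Set(['p', 'b', 'i']);

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character the browser could read as mark-up.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Convert allow-listed bracket symbols to tags; everything else is escaped.
function renderComment(input) {
  const open = [];                       // stack of currently open tags
  const token = /\[(\/?)([a-z]+)\]/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = token.exec(input)) !== null) {
    out += escapeHtml(input.slice(last, m.index));
    last = token.lastIndex;
    const closing = m[1] === '/';
    const name = m[2];
    if (!ALLOWED.has(name)) {
      out += escapeHtml(m[0]);           // unknown symbol stays literal text
    } else if (!closing) {
      open.push(name);
      out += '<' + name + '>';
    } else if (open[open.length - 1] === name) {
      open.pop();
      out += '</' + name + '>';
    } else {
      out += escapeHtml(m[0]);           // mismatched closer stays literal text
    }
  }
  out += escapeHtml(input.slice(last));
  while (open.length) out += '</' + open.pop() + '>';  // close leftovers
  return out;
}
```

Because the output tags are generated by the renderer and never copied from the input, a comment cannot carry its own attributes, style or frames into the page.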
 
