1-2-3-Clickjacking
Yesterday I listened OWASP’s Podcast #1 and recall the conversation about (media buzzing) Clickjacking attacks, and I can’t agree more on a certain aspect of the conversation: attacks are becoming more simpler than ever. Just having a look at common attacks: SQL Injection attacks (if done manually) need a certain amount of SQL knowledge, XSS attacks require some Javascript knowledge, CSRF attacks require some knowledge on website functionality, while Clickjacking attacks require almost no skill.
As kuzza55 responded to the Clickjacking article on ha.ckers.org:
The term Clickjacking reminds me of all the invisible CSS/iframe overlay stuff, which seems to fit the description here (…)
With some simple CSS/Iframe code you can pull of a Clickjacking PoC under a couple of minutes. Also there are other types of web “jacking” attacks, just check out this article.
A simple way to protect websites against Clickjacking (iframed) is via some frame busting code, which can be bypassed by adding the SECURITY=restricted iframe attribute under IE and by using the methods that coderr mentioned in this article. For users NoScript is the right protection, until (who knows) browsers do something against this web feature.
No, I don’t like IE8’s so called solution.
