Abstract

Since being introduced by Robert Hansen and Jeremiah Grossman in 2008 [1], the Web attacks summarized under the term "Clickjacking" have received considerable attention. In consequence, server-driven countermeasures, namely framebusting [2] and the X-Frame-Options header [3], have been developed and deployed. However, these currently available countermeasures fall short in non-trivial situations. All currently utilized techniques have in common that they rely on the prevention of framing. This is problematic, as there are numerous situations in which sites have to enable other sites to frame their content (e.g., mash-up components or Web widgets). Furthermore, Huang and Jackson [4] have demonstrated that similar attacks can also be conducted using pop-under windows, and Zalewski did the same using an attack vector based on page navigation [5].
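The following is an added example and is not code from the abstract or its authors. It models the trade-off the abstract describes: both server-driven countermeasures, the framebusting script (using the pattern recommended in [2]) and the X-Frame-Options header, work by refusing to be framed, so a site that must let third parties frame some of its pages (widgets, mash-up components) cannot protect those pages with either of them. The path layout (`/widget/`, `/embed/`) and the `renderPage` helper are constructed for this example.

```javascript
// Added example (not from the original abstract). Demonstrates why the
// framing-prevention countermeasures cannot cover pages that are meant to
// be embedded by other sites.

// Constructed sample site layout: everything under these prefixes is a
// widget or mash-up component that third-party pages legitimately frame.
const FRAMEABLE_PREFIXES = ["/widget/", "/embed/"];

// Framebusting pattern from Rydstedt et al. [2]: hide the document up front,
// reveal it only when the page is the top-level window, and otherwise
// navigate the top window to the page itself. This is the script fallback
// for browsers that ignore X-Frame-Options.
const FRAMEBUSTING_SNIPPET =
  '<style id="antiClickjack">body{display:none !important;}</style>' +
  "<script>" +
  "if (self === top) {" +
  "  var antiClickjack = document.getElementById('antiClickjack');" +
  "  antiClickjack.parentNode.removeChild(antiClickjack);" +
  "} else {" +
  "  top.location = self.location;" +
  "}" +
  "</script>";

// True when the path belongs to content that other origins must be able
// to frame.
function isFrameable(path) {
  return FRAMEABLE_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// Decide, per request path, which framing countermeasures to ship.
// Returns { headers, html } so the decision can be inspected without a
// browser. Hypothetical helper for this example.
function renderPage(path, bodyHtml) {
  const headers = { "Content-Type": "text/html; charset=utf-8" };

  if (isFrameable(path)) {
    // Must be embeddable by third parties: X-Frame-Options DENY or
    // SAMEORIGIN would block the legitimate embedder, and the framebusting
    // script would break out of the embedder's page. Neither countermeasure
    // is usable here, which is exactly the gap the abstract points at: this
    // page ships with no framing protection at all.
    return {
      headers,
      html:
        "<!doctype html><html><head></head><body>" +
        bodyHtml +
        "</body></html>",
    };
  }

  // Not meant to be framed by anyone: refuse framing via the header and add
  // the script fallback for clients that do not honour the header.
  headers["X-Frame-Options"] = "DENY";
  return {
    headers,
    html:
      "<!doctype html><html><head>" +
      FRAMEBUSTING_SNIPPET +
      "</head><body>" +
      bodyHtml +
      "</body></html>",
  };
}

// Summarise the protection state of a list of paths, e.g. for an audit
// report of which pages are left unprotected by the framing-based approach.
function unprotectedPaths(paths) {
  return paths.filter((p) => !("X-Frame-Options" in renderPage(p, "").headers));
}
```

To serve this from Node, wrap `renderPage` in an `http.createServer` handler that passes `req.url` in and writes `headers` and `html` out; `unprotectedPaths` then lists every path that the header and script cannot cover, which in this layout is precisely the widget and embed content.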
[1] Robert Hansen and Jeremiah Grossman, "Clickjacking," Dec. 2008. [Online].
[2] Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson, "Busting frame busting: a study of clickjacking vulnerabilities at popular sites," in IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010), 2010.
[3] Mozilla Corporation, "The X-Frame-Options response header," 2010. [Online].
[4] Lin-Shung Huang and Collin Jackson, "Clickjacking Attacks Unresolved," 2011. [Online].
[5] Michal Zalewski, "X-Frame-Options is worth less than you think," 2011. [Online].