Clickjacking Demystified

I've recently commented on the controversy surrounding the Clickjacking talk that was to be given by Jeremiah Grossman and Robert 'RSnake' Hansen at the OWASP USA 2008 conference, which was pulled at the last minute due to a request from Adobe. At the time, I discussed my concerns that the best and the brightest would soon step forward to reveal the mystery before the vendors could beat them to the punch and it appears that this has indeed transpired. Details have been leaking out throughout the past couple of weeks and by borrowing from the work of HD Moore and Michal Zalewski, I've put together a demonstration of what is emerging as the consensus for what Jeremiah and Robert were to talk about.

---

Clickjacking Demo

---

HD did most of the heavy lifting but I'll take this opportunity to break down what is happening here.

What is Clickjacking?
Clickjacking is a social engineering attack, whereby a victim is tricked into clicking on one or more hidden links on a page. When the victim clicks on links of the attacker's choosing they are performing some action that they didn't intend to do, but which benefits the attacker. In the demo you're simply adding a Google News Alert for 'Zscaler' to your profile but this same approach could be used for a variety of attacks such as forcing a user to reset their password, transfer funds, post content, etc.

How Does the Demo Work?
The demonstration above has the following components:

• IFRAME - While no data is traversing between domains, the attacker is convincing the victim that they are looking at content from one domain (e.g. Zscaler), while in reality the browser is interacting with another domain (e.g. Google). This is accomplished by opening the ultimate target in an iFRAME and obfuscating the content, while the visible content is layered overtop and displayed on the main page itself.
  
• Layering - In order to ensure that interaction (e.g. mouse clicks) affects the hidden target page, elements are layered on top of one another. In the demo, the 'Click Here' button has been given a z-index value of '-10'. This ensures that while the ultimate target may not be visible due to obfuscation (see below), mouse clicks will actually interact with the 'Create Alert' button on the Google News page
  
• Obfuscation - While the full Google News page has been rendered by the victim's browser, it is not visible as the opacity value of the iFRAME element containing the page has been set to '0'.
  

To summarize the demo, while it may appear that you are clicking on a blue 'Click Here' button, you are actually clicking on a hidden 'Create Alert' button on the Google News page. Assuming that you have already authenticated to Google within the same browser instance, that one single click will add a Google News alert for 'Zscaler' to your profile. The demonstration does not require JavaScript, which was highlighted by Jeremiah and Robert as a reason why this attack was particularly malicious. This particular demonstration required nothing more than HTML and CSS - something that virtually all browsers support.

I have no doubt that when the details are finally revealed, that Jeremiah and Robert will have a few more tricks up their sleeves to raise the bar on this issue to an even higher risk level but I'm confident that the basis of the attack is now public. It appears that Jeremiah will reveal full details of clickjacking during a keynote at the Hack in the Box conference in Malaysia on October 29th.

- michael