
Robert “RSnake” Hansen and Jeremiah Grossman were to present at OWASP AppSec NY 2008. Unfortunately, their presentation involving clickjacking was effectively canceled at the request of the vendor Adobe. In addition to Adobe, RSnake and Grossman have discussed the vulnerability with Microsoft and Mozilla. OWASP ended up holding a clickjacking 20-Questions session, which basically outlined the timeline of events and the high-level concepts of what was going on.

Clickjacking, as described by Grossman, is the exploitation of a browser vulnerability that gives “an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.” Dave Aitel added a little more detail when he wrote to insecure.org:

Essentially if your web page is in the same frame as another page you can slide them under your buttons/URLS using DHTML such that when the user is clicking on your link, they instead really are clicking on some random place on a web page of your choice. This process is essentially invisible to the end user.

Clickjacking is a well-known issue and isn’t really anything new. The decision to do a presentation came about because RSnake and Grossman felt clickjacking was severely underappreciated and largely undefended. They had hoped they could begin to change that perception. The presentation was to consist of demonstrating the potential attacks along with some proof-of-concept (PoC) code and real working exploits. The problem was, to quote RSnake, “None of the issues we found relating to the browser were particularly easy to fix, it turns out.” Please read RSnake’s post, “Clickjacking,” and Grossman’s post, “(Cancelled) / Clickjacking – OWASP AppSec Talk.” The posts outline their decision to cancel along with additional details. Editorial Note: If you are interested at all in security, start reading both RSnake’s and Grossman’s blogs. Their posts are always very informative.

Ryan Naraine of ZDNet posted “Clickjacking: Researchers raise alert for scary new cross-browser exploit” and included this great quote:

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.

The news about clickjacking is not a news flash. Even the news about the cancellation is old: RSnake and Grossman posted it over ten days ago. The OWASP NYC AppSec 2008 Conference ended yesterday, having run from Sept 22nd – 25th 2008. What is new is that Giorgio Maone wrote to Ryan Naraine about how NoScript can help. Clickjacking being “very, freaking scary” and “near impossible” to fix properly sounds like another problem getting a bit more press in the US right now. All the more reason that, while waiting for a patch, folks need a solution today. NoScript can help. To quote Maone:

I had access to detailed information about how this attack works and I can tell you the following:
  1. It’s really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the “Plugins|Forbid <iframe>” option.

Finally, some good news. And that, my friend, is what makes it a news flash.
