Show simple item record

dc.contributor.advisor: Gligoroski, Danilo [nb_NO]
dc.contributor.author: Thoresen, Torgeir Dahlqvist [nb_NO]
dc.date.accessioned: 2014-12-19T14:11:59Z
dc.date.available: 2014-12-19T14:11:59Z
dc.date.created: 2010-09-02 [nb_NO]
dc.date.issued: 2009 [nb_NO]
dc.identifier: 347117 [nb_NO]
dc.identifier: ntnudaim:4634 [nb_NO]
dc.identifier.uri: http://hdl.handle.net/11250/261636
dc.description.abstract: While the complexity of web applications and their functionality continually increases, so does the number of opportunities for an attacker to launch successful attacks against a web application's users. In this thesis we investigate and describe clickjacking in great detail. To our knowledge, this work represents the first systematic scientific approach to assessing clickjacking that also considers the attack's social consequences for users' security through an experiment and survey. We address the appearance and transparency of a clickjacking attack and present four proof-of-concept clickjacking attacks. Our work shows how very simplistic code can be used to launch powerful clickjacking attacks. Additionally, we suggest a selection of scenarios that describe functionality likely to be prone to clickjacking attacks, and evaluate their impact. Our proof-of-concept code introduces a stateful clickjacking attack able to hijack sequences of clicks from a visitor to an attacker web page, while the functionality of the attacker web page is fully intact. In general, this shows that attackers can create fully functional web pages where possibly all clicks from a visiting user can be used for malicious purposes, while the attacker web page is updated on every interaction. Our work indicates that launching an invisible clickjacking attack is indeed possible, and that many users misinterpret such an attack as unsuccessful clicks. In our experiment 4 out of 5 participants were clickjacked by a harmless attack, and only 1 out of 4 noticed activity out of the ordinary while being attacked. We also show that even participants who believe themselves to be security-aware when browsing the Internet are prone to clickjacking attacks. Today no web browsers offer default protection against clickjacking attacks, and scientific research on the topic is sparse. This work aims to raise awareness of clickjacking attacks. [nb_NO]
dc.language: eng [nb_NO]
dc.publisher: Institutt for telematikk [nb_NO]
dc.subject: ntnudaim [no_NO]
dc.subject: SIE7 kommunikasjonsteknologi [no_NO]
dc.subject: Telematikk [no_NO]
dc.title: New trends in Internet attacks: Clickjacking in detail [nb_NO]
dc.type: Master thesis [nb_NO]
dc.source.pagenumber: 162 [nb_NO]
dc.contributor.department: Norges teknisk-naturvitenskapelige universitet, Fakultet for informasjonsteknologi, matematikk og elektroteknikk, Institutt for telematikk [nb_NO]

