Resource links for Security Now! Episode #168:
ClickJacking
Note that some or all of the Clickjacking demos may be defeated by using Firefox with NoScript installed. (Everything works under other browsers.)
- http://www.planb-security.net/notclickjacking/iframetrick.html#really
This is probably the cleanest, simplest, and easiest to understand demo of what Clickjacking is all about.
Note that you DO NOT NEED to follow the page's instructions: You do not need to be logged into MySpace or to have a MySpace account (I don't). You can simply click the first "Click here" link below the "What's really happening" headline to reduce the opacity of the covering window ... to see the MySpace content that's been hidden beneath. The second "Click here" link returns the covering window to full opacity. And either way, clicking on the "whiteout" effects the hidden MySpace contents beneath.
Also note that if you want to share this with others, this simple "snipurl" will take you there: snipurl.com/clickjack
- http://ha.ckers.org/weird/cjdivtest.html
Firefox/NoScript completely defeats this demo, but other browsers are not so fortunate.
- http://www.sectheory.com/clickjacking.htm
This is the formal report and disclosure by Robert Hansen (of SecTheory) and Jeremiah Grossman (of WhiteHat Security) of their Clickjacking development. It does a terrific job of showing how successive frames of windows are layered to employ a Clickjacking exploit.
- http://ha.ckers.org/blog/20081007/clickjacking-details/
On this page Robert Hansen (using the handle “RSnake” in the comments that following his posting) clearly and extensively enumerates the many various vulnerabilities created by many Clickjacking techniques.
- http://www.youtube.com/watch?v=gxyLbpldmuU
This YouTube video shows how a "click the jumping button" game could really be pressing hidden buttons underneath the "game" surface.
- http://www.adobe.com/support/security/advisories/apsa08-08.html
This is Adobe's security advisory advising their users about “workarounds” for “Clickjacking” exploits affecting Adobe's Flash player.