Not Clickjacking (Almost Certainly)
A couple of months back, I got to thinking about how to weasel around the built-in pop-up blockers in Mozilla Firefox and Microsoft Internet Explorer. I can't remember now why I started down this path, but it consumed my afternoon, and in the end I had about a dozen variations on three or so core strategies.
Since I have no fake watches or mortgages to sell, I shelved it all once I was done. We couldn't think of a reasonable application for these techniques here at BreakingPoint.
Well, maybe something was in the air, because it looks like RSnake and Jeremiah Grossman were working on something similar at around the same time. Only, they were going to present their findings at OWASP this week.
Unfortunately, we can't know what the extent of their trickery is, since some vendors asked them to keep it quiet -- but it's almost certainly more devious than simply skipping around the pop up blockers.
So, in the interest of quelling any speculation on the nature of "ClickJacking," here are two or three mildly interesting examples of what it almost certainly isn't. Note that the example links below are all in an iframe from planb-security.net. So, if you have a tabbed browser, you may notice the illusion of the iframe's parent window (this blog post) being replaced by the fake pop-up link's target (in this case, example.com).
If you're in the business of speculating on what other people's findings are, then you can safely check these techniques off your list. Since they all require JavaScript to work their anti-anti-pop-up magic, NoScript is quite effective in preventing these attacks. Based simply on this observation, and discounting for the moment the inherent lameness of merely subverting mouse clicks, it's virtually certain that Jeremiah and RSnake's stuff is much, much more interesting / dangerous.
Just an observation
Your demo exploit failed to work.
Please give it a try.
Regards.
Not quite so, Opera suffers too
By default Opera is affected like FF and IE. So it's not the demo at fault, you just circumvent the default behaviour.
"If you click here..." means you left-click on it, not clicking somewhere else or right-clicking the link.
I'm not bashing Opera, I'm using it myself too, but just the really stupid remark.
It is as if someone (or a GPS) says go right at the end of the street, then you'll reach such-and-such. Internet Junkie claiming: If I go left I don't get there. The GPS is faulty/the person giving directions is wrong.
It's as simple and as stupid as that.
not very new
Franky
speculating clickjacking
Here is my speculation on what clickjacking is.
There are two parts. The first part: Hovering an invisible button so users can inadvertently click it without realizing it. The second part, executing a malicious script. The second part appears easy. It is probably just like onMousedown jacking or something like that.
The first part: hovering an invisible button. Where have I seen this before? Yes, the patched Adobe PDF. In 2006-2007, Di Paolo and Fedon disclosed the universal XSS attack. In particular, easy demos were widely circulated that inject a JavaScript, any JavaScript, into a PDF file. The attack was so powerful, Adobe patched it within a month. After the Adobe patch, the user experience of Acrobat Reader changed as follows: When clicking a link inside Acrobat Reader while reading a PDF document, a prompt box pops up to ask the user whether that link is to be fetched or not. That link, inside Adobe Acrobat Reader, is invisible or at least semi-invisible.
So here is my speculation on what clickjacking is. I speculate that RSnake and Grossman figured out how to transplant the invisible button in Acrobat to ordinary JavaScript, and used it to create clickjacking. It is probably a semi-invisible button, or a fully invisible button, much like the links in Acrobat. Also, RSnake and Grossman probably figured out how to suppress the pop-up warning in Acrobat. If they know how to transplant it, they probably also know how to suppress the pop-up warning.
Experts out there are better judges of whether my speculation is way off the mark. Those with expertise on the UXSS attack and the corresponding Adobe patch can follow the tip better than I ever can.
Have you noticed Adobe is closely working on patching clickjacking, while browsers are not? This is despite the claim by RSnake and Grossman that browsers should be the main party to patch it. I wonder why?
Hmm
Also they've said that the exploit has to do with dynamic HTML. That means it would have to involve dynamically adding/modifying things in the DOM for the Web page.