Thursday, July 16, 2009

Clickjacking

Clickjacking is a social engineering technique where a hacker fools a victim into performing seemingly innocuous click(s) but ends up being compromised as a result of their actions.
Attended Zscaler's seminar today and was pretty impressed by the speaker's presentation and demo. He demonstrated Clickjacking and I decided to make a video of their demo page instead of building my own.
In this specific demo, I use the common tactic of inciting victims to visit a malicious page via email. The victim enters the webpage and are encouraged to click on an "innocent" button. This "innocent" button is just an image* that hides a Google "Create Alert" button underneath. Imagine the damage an actual malicious page containing hidden malicious scripts, code or actions can cause.
* Alignment of the fake button varies from browser to browser.
The high res version of this demo can be downloaded here.

No comments:

Post a Comment