Clickjacking, a subclass of “User Interface Redressing” attacks, is a threat against web applications arising from the combination of ambient authority (credentials such as cookies that the browser attaches to requests automatically) and the multiple browsing contexts available in most web user agents. Users can be tricked into clicking on obscured user interface elements of an application and in so doing initiate actions against their will, such as adding an attacker to a victim’s social graph, promoting the attacker’s content on a social network, or sending a payment to the attacker. Some technical countermeasures exist in web browsers, such as frame-busting scripts and the X-Frame-Options header, but they offer incomplete protection or prohibit useful and legitimate constructs such as IFRAMEs in third-party browsing contexts.
This paper describes a method for combining randomization of user interface elements with statistical analysis of first-click success rates across a population to provide an effective and adaptive method of detecting and responding to clickjacking campaigns. A clickjacked user is steered to where the attacker expects the control to be, so when the control’s position is randomized the victim’s first click misses at a rate that genuine users do not exhibit; a drop in first-click success across a population is therefore a signal of a campaign. Though not a general-purpose solution to clickjacking, the method requires no modifications to existing web user agents and is applicable to many of the most widely deployed and commonly attacked use cases for which no other mitigations currently exist. The technique can also be combined with client-side approaches to enhance the effectiveness of both.
Download PDF: http://www.thesecuritypractice.com