From: Bwig Zomberi on 4 Jun 2010 01:01

Hi,

Can someone explain how click jacking is done? And, provide some code.
Also, some info on countermeasures would be great.

When I do a search for this in Google, the search results get redirected. Is Google that good?

--
Bwig Zomberi
From: Bwig Zomberi on 6 Jun 2010 14:17

Bwig Zomberi wrote:
> Hi,
>
> Can someone explain how click jacking is done? And, provide some code.
> Also, some info on countermeasures would be great.
>

This page says something about it.

http://www.grc.com/sn/notes-168.htm

--
Bwig Zomberi
From: VK on 6 Jun 2010 16:55

On Jun 6, 10:17 pm, Bwig Zomberi <zomberiMAPSONNOS...(a)gmail.com> wrote:
> Bwig Zomberi wrote:
> > Hi,
> >
> > Can someone explain how click jacking is done? And, provide some code.
> > Also, some info on countermeasures would be great.
>
> This page says something about it. http://www.grc.com/sn/notes-168.htm

Basically ClickJacking is the technique of inclining the visitor to click a page interface element in expectation of one result and providing some other result instead, or the declared result plus some additional undeclared result.

The most "popular" ClickJacking now is making a nag window using CSS that floats over potentially interesting content. The window has an [x] Close button on it. So say the user clicks on it. As it is a real mechanical click initiated by the user, the popup blocker lets it go. So it is used to open a real popup/popunder window with sponsor ads and the like, and after that the nag screen goes away.
From: Bwig Zomberi on 10 Jun 2010 03:56

VK wrote:
> On Jun 6, 10:17 pm, Bwig Zomberi <zomberiMAPSONNOS...(a)gmail.com> wrote:
>> Bwig Zomberi wrote:
>>> Hi,
>>>
>>> Can someone explain how click jacking is done? And, provide some code.
>>> Also, some info on countermeasures would be great.
>>
>> This page says something about it. http://www.grc.com/sn/notes-168.htm
>
> Basically ClickJacking is the technique of inclining the visitor to
> click a page interface element in expectation of one result and
> providing some other result instead, or the declared result plus some
> additional undeclared result.
>
> The most "popular" ClickJacking now is making a nag window using CSS
> that floats over potentially interesting content. The window has an [x]
> Close button on it. So say the user clicks on it. As it is a real
> mechanical click initiated by the user, the popup blocker lets it go. So it is
> used to open a real popup/popunder window with sponsor ads and the
> like, and after that the nag screen goes away.

I am specifically worried about clickjacking in user-generated content.

http://go.theregister.com/feed/www.theregister.co.uk/2010/06/01/facebook_clickjacking_worm/

It affects sites such as Facebook and Twitter.

I plan to create some comment forms on my site. Would it be enough if I remove iframe tags or would I have to strip all tags?

--
Bwig Zomberi
From: Gordon on 10 Jun 2010 08:36

On Jun 10, 8:56 am, Bwig Zomberi <zomberiMAPSONNOS...(a)gmail.com> wrote:
> VK wrote:
> > On Jun 6, 10:17 pm, Bwig Zomberi <zomberiMAPSONNOS...(a)gmail.com> wrote:
> >> Bwig Zomberi wrote:
> >>> Hi,
> >>>
> >>> Can someone explain how click jacking is done? And, provide some code.
> >>> Also, some info on countermeasures would be great.
> >>
> >> This page says something about it. http://www.grc.com/sn/notes-168.htm
> >
> > Basically ClickJacking is the technique of inclining the visitor to
> > click a page interface element in expectation of one result and
> > providing some other result instead, or the declared result plus some
> > additional undeclared result.
> >
> > The most "popular" ClickJacking now is making a nag window using CSS
> > that floats over potentially interesting content. The window has an [x]
> > Close button on it. So say the user clicks on it. As it is a real
> > mechanical click initiated by the user, the popup blocker lets it go. So it is
> > used to open a real popup/popunder window with sponsor ads and the
> > like, and after that the nag screen goes away.
>
> I am specifically worried about clickjacking in user-generated content.
>
> http://go.theregister.com/feed/www.theregister.co.uk/2010/06/01/faceb...
>
> It affects sites such as Facebook and Twitter.
>
> I plan to create some comment forms on my site. Would it be enough if I
> remove iframe tags or would I have to strip all tags?
>
> --
> Bwig Zomberi

Stripping all <script> tags and tags that allow inline content such as iframes should cover most cases. You'd be far better doing it server-side though, as client-side validation with JavaScript is easily turned off.
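Gordon's server-side advice worked through as an added example (not code from the thread): rather than stripping a deny-list of tags, the comment is rebuilt from an allow-list, so script/iframe/object/embed vanish together with their content, attributes such as onclick or javascript: hrefs are dropped, and all text is re-escaped. The thread does not say what the server runs on; Python's standard-library html.parser and the particular allow-list below are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumed comment policy: which tags and attributes a comment may keep.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class CommentSanitizer(HTMLParser):
    """Re-emits only allow-listed markup; everything else becomes text or is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack, self.skip = [], [], 0

    def _clean_attr(self, tag, name, value):
        if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
            return ""
        # Only absolute http(s) links survive; rejects javascript:, data:, vbscript: ...
        if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
            return ""
        return f' {name}="{escape(value)}"'

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1            # counted, so nested dropped elements work
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{''.join(self._clean_attr(tag, n, v) for n, v in attrs)}>")
            if tag not in VOID_TAGS:
                self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(self.skip - 1, 0)
        elif not self.skip and tag in self.stack:
            while self.stack:          # close inner tags first so output stays balanced
                inner = self.stack.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # raw < and & become entities


def sanitize_comment(html: str) -> str:
    """Return a safe HTML fragment for one user-submitted comment."""
    p = CommentSanitizer()
    p.feed(html)
    p.close()
    while p.stack:                     # close anything the commenter left open
        p.out.append(f"</{p.stack.pop()}>")
    return "".join(p.out)
```

Run this on the submitted text before it is stored or rendered; any client-side check is only a convenience on top of it.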