Published in: International Journal of Information Security 4/2019

13-12-2018 | Regular Contribution

You click, I steal: analyzing and detecting click hijacking attacks in web pages

Authors: Anil Saini, Manoj Singh Gaur, Vijay Laxmi, Mauro Conti

Abstract

Click hijacking (clickjacking) is an emerging web-based threat. Its prime objective is to steal user clicks: an attacker tricks the victim into clicking an element that is barely visible or completely hidden, and so entices the victim into an unintended action from which the attacker benefits, such as an online money transaction, sharing a malicious website link, or initiating a social-networking link. This paper presents an anatomy of advanced clickjacking attacks not yet reported in the literature. In particular, we propose a new class of clickjacking attacks that employ Scalable Vector Graphics (SVG) filters to create a variety of visual effects, and we demonstrate that current defense techniques are ineffective against these sophisticated attacks. Furthermore, we develop a novel detection method for such attacks based on the behavior (response) of a web page's active content to user clicks (requests). In our experiments, our method detects the advanced SVG-based attacks on which most contemporary tools fail. We explore and use common and distinguishing characteristics of malicious and legitimate web pages to build a behavioral model based on a finite state automaton. We evaluate our proposal on a sample set of 78,000 web pages from various sources and 1000 web pages known to involve clickjacking. Our results show that the proposed solution achieves good accuracy, a negligible false-positive rate (0.28%), and zero false negatives in distinguishing clickjacking from legitimate websites.
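The attack described in the abstract only works when the target page is rendered inside a frame controlled by the attacker, so the first check a tester runs against a target is whether its response headers permit that. The Node.js script below is an added example written for this page; it is not the detection tool described in the paper and not code from the authors. It assumes a plain object of response headers (the header sets, and the hostnames bank.example, evil.example and partner.example, are constructed) and applies the rules browsers use today: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, a Report-Only policy blocks nothing, and the obsolete ALLOW-FROM value gives no protection.

```javascript
// Added example for this page, not code from the paper or its authors.
// Decide whether a page's response headers let it be rendered inside a
// frame owned by another origin. An iframe-based clickjacking overlay needs
// the victim page inside an attacker-controlled frame, so this is the first
// check to run against a target. Two headers carry the framing policy:
//   X-Frame-Options: DENY | SAMEORIGIN           (legacy; ALLOW-FROM is obsolete)
//   Content-Security-Policy: frame-ancestors ... (current; wins when both present)
// Header sets and hostnames below are constructed for illustration.

const DEFAULT_PORT = { http: '80', https: '443' };

function origin(url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || '' };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Case-insensitive header lookup. A header sent more than once yields one
// value per occurrence; each is enforced on its own.
function headerValues(headers, name) {
  const want = name.toLowerCase();
  const out = [];
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== want) continue;
    for (const item of Array.isArray(v) ? v : [v]) out.push(String(item));
  }
  return out;
}

// Match one CSP source expression against the framing origin (CSP3 rules
// for the keyword, scheme and host forms that frame-ancestors accepts).
function sourceMatches(src, framer, page) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(framer, page);
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // malformed or unsupported source never matches
  const [, scheme, host, port] = m;
  const wantScheme = scheme || page.scheme;
  // an http source also matches an https framer (scheme upgrade is permitted)
  if (framer.scheme !== wantScheme && !(wantScheme === 'http' && framer.scheme === 'https')) return false;
  if (host.startsWith('*.')) {
    if (!framer.host.endsWith(host.slice(1))) return false;
  } else if (host !== '*' && host !== framer.host) return false;
  if (port === undefined) {
    if (framer.port !== DEFAULT_PORT[framer.scheme]) return false;
  } else if (port !== '*' && port !== framer.port) return false;
  return true;
}

// Result of the first frame-ancestors directive in one policy, or null if
// the policy has none. An empty source list behaves like 'none'.
function frameAncestorsAllow(policy, framer, page) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() !== 'frame-ancestors') continue;
    return tokens.slice(1).some((src) => sourceMatches(src, framer, page));
  }
  return null;
}

// X-Frame-Options as browsers apply it today: conflicting values block,
// ALLOW-FROM and any other unknown value give no protection at all.
function xfoAllows(values, framer, page) {
  const all = values.flatMap((v) => v.split(',')).map((v) => v.trim().toUpperCase()).filter(Boolean);
  const unique = [...new Set(all)];
  if (unique.length === 0) return null;
  if (unique.length > 1) return !unique.some((v) => ['DENY', 'SAMEORIGIN', 'ALLOWALL'].includes(v));
  if (unique[0] === 'DENY') return false;
  if (unique[0] === 'SAMEORIGIN') return sameOrigin(framer, page);
  return true;
}

function framingVerdict(headers, pageUrl, framerUrl) {
  const page = origin(pageUrl);
  const framer = origin(framerUrl);
  // Only enforced policies count; Content-Security-Policy-Report-Only never blocks.
  const csp = headerValues(headers, 'Content-Security-Policy')
    .map((p) => frameAncestorsAllow(p, framer, page))
    .filter((r) => r !== null);
  if (csp.length > 0) {
    const allowed = csp.every(Boolean); // every policy naming frame-ancestors must permit it
    return { allowed, reason: `CSP frame-ancestors ${allowed ? 'permits' : 'blocks'} ${framer.scheme}://${framer.host}` };
  }
  const xfo = xfoAllows(headerValues(headers, 'X-Frame-Options'), framer, page);
  if (xfo === null) return { allowed: true, reason: 'no framing policy at all: page is clickjackable' };
  return { allowed: xfo, reason: `X-Frame-Options ${xfo ? 'permits' : 'blocks'} framing` };
}

// Constructed header sets standing in for real responses.
const SAMPLES = {
  unprotected:    { 'Content-Type': 'text/html' },
  legacyDeny:     { 'X-Frame-Options': 'DENY' },
  allowFrom:      { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  cspSelf:        { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.bank.example" },
  cspWinsOverXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors https://partner.example' },
  reportOnly:     { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, h] of Object.entries(SAMPLES)) {
    const v = framingVerdict(h, 'https://www.bank.example/transfer', 'https://evil.example/');
    console.log(name.padEnd(15), v.allowed ? 'FRAMEABLE' : 'protected', '-', v.reason);
  }
}
```

A page that cannot be framed by the attacker's origin is out of reach of an iframe overlay no matter how that overlay is styled; the paper's detector is aimed at the other side of the frame boundary, the attacker's page, where no such header helps. SAMEORIGIN and 'self' are compared against the single framing origin passed in; in a real nested chain every ancestor frame is checked.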

Footnotes
1. The iframe element represents a nested browsing context, effectively embedding another HTML page into the current page.

Metadata
Title
You click, I steal: analyzing and detecting click hijacking attacks in web pages
Authors
Anil Saini
Manoj Singh Gaur
Vijay Laxmi
Mauro Conti
Publication date
13-12-2018
Publisher
Springer Berlin Heidelberg
Published in
International Journal of Information Security / Issue 4/2019
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI
https://doi.org/10.1007/s10207-018-0423-3
