nach oben

International Journal of Information Security

Erschienen in:

13.12.2018 | Regular Contribution

You click, I steal: analyzing and detecting click hijacking attacks in web pages

verfasst von: Anil Saini, Manoj Singh Gaur, Vijay Laxmi, Mauro Conti

Erschienen in: International Journal of Information Security | Ausgabe 4/2019

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Click Hijacking (clickjacking) is emerging as a web-based threat on the Internet. The prime objective of clickjacking is stealing user clicks. An attacker can carry out a clickjacking attack by tricking the victim into clicking an element that is barely visible or completely hidden. By stealing the victim’s clicks, an attacker could entice the victim to perform an unintended action from which the attacker can benefit. These actions include online money transactions, sharing malicious website links, initiate social networking links, etc. This paper presents an anatomy of advanced clickjacking attacks not yet reported in the literature. In particular, we propose new class of clickjacking attacks that employ SVG filters and create various effects with SVG filters. We demonstrate that current defense techniques are ineffective to deal with these sophisticated clickjacking attacks. Furthermore, we develop a novel detection method for such attacks based on the behavior (response) of a website active content against the user clicks (request). In our experiments, we found that our method can detect advanced Scalable Vector Graphics (SVG)-based attacks where most of the contemporary tools fail. We explore and utilize various common and distinguishing characteristics of malicious and legitimate web pages to build a behavioral model based on Finite State Automaton. We evaluate our proposal with a sample set of 78,000 web pages from various sources, and 1000 web pages known to involve clickjacking. Our results demonstrate that the proposed solution enjoys good accuracy and a negligible percentage of false positives (i.e., 0.28%), and zero false negatives in distinguishing clickjacking and legitimate websites.

Vorheriger Artikel Analyzing XACML policies using answer set programming

Nächster Artikel Breaking MPC implementations through compression

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

The iframe element represents a nested browsing context, effectively embedding another HTML page into the current page.

Grossman, J.: Clickjacking-owasp appsec talk (2008). http://blog.jeremiahgrossman.com/2008/09/cancelled-clickjackingowasp-appsec.html. Accessed 12 Mar 2016

Hansen, R., Grossman, J.: Clickjacking (2008)

Niemietz, M.: Ui redressing: attacks and countermeasures revisited. In: CONFidence, 2011 (2011)

Stone, P.: Next generation clickjacking. media. blackhat. com/bh-eu-10/presentations. In: Stone/BlackHat-EU-2010-Stone-Next-Generation-Clickjacking-slides.pdf 3 (2010)

Vadrevu, P., Liu, J., Li, B., Rahbarinia, B., Lee, K.H., Perdisci, R.: Enabling reconstruction of attacks on users via efficient browsing snapshots (2017)

Selim, H., Tayeb, S., Kim, Y., Zhan, J., Pirouz, M.: Vulnerability analysis of iframe attacks on websites. In: Proceedings of the The 3rd Multidisciplinary International Social Networks Conference on SocialInformatics 2016, Data Science 2016, p. 45. ACM (2016)

Zalewski, M.: Dealing with ui redress vulnerabilities inherent to the current web (2009). http://lists.whatwg.org/pipermail/whatwgwhatwg.org/2008-September/016284.html. Accessed 6 Aug 2014

Zalewski, M.: Strokejacking (2010). http://seclists.org/fulldisclosure/2010/Mar/232. Accessed 11 Nov 2014

Bordi, E.: Proof of concept-cursorjacking (2010)

10.

Huang, L.-S., Moshchuk, A., Wang, H.J., Schecter, S., Jackson, C.: Clickjacking: Attacks and Defenses. In: USENIX Security Symposium, pp. 413–428 (2012)

11.

Vasile C., HTML5 Introduction-What is HTML5 Capable of, Features, and Resources.In: MJ Burns, Producer, & 1stWebDesigner Ltd) Retrieved May 28 (2012): 2013

12.

Lynch, P., Horton, S.: Yale C/Aim Web Style Guide. Yale Center for Advanced Instructional Media, Yale (1997)

13.

Ferraiolo, J., Jun, F., Jackson, D.: Scalable Vector Graphics (SVG) 10 Specification. iUniverse, Bloomington (2000)

14.

Eisenberg, J.D.: SVG Essentials: Producing Scalable Vector Graphics with XML. O’Reilly Media Inc., Newton (2002)

15.

Watt, A.: SVG Unleashed. Pearson Education, London (2002)

16.

Ayars, J., Bulterman, D., Cohen, A., Day, K., Hodge, E., Hoschka, P., Hyche, E., Jourdan, M., Kim, M., Kubota, K., et al.: Synchronized multimedia integration language (smil 2.0). World Wide Web Consort. Recomm. 7, 514 (2001)

17.

Mozilla Developer Network. Gecko (2011)

18.

XSS Filter Evasion Cheat Sheet: Retrieved June 20, 2013 from The Open Web Application Security Project. https://www.owasp.org/index.php (2013)

19.

Johari, R., Sharma, P.: A survey on web application vulnerabilities (sqlia, xss) exploitation and security engine for sql injection. In: 2012 International Conference on Communication Systems and Network Technologies (CSNT), pp. 453–458. IEEE (2012)

20.

Lerner, B.S., Carroll, M.J., Kimmel, D.P., La Vallee, H.Q.-D., Krishnamurthi, S.: Modeling and reasoning about dom events. In: Proceedings of the 3rd USENIX Conference on Web Application Development, pp. 1–1. USENIX Association (2012)

21.

Blatz, J.: Csrf: Attack and Defense. McAfee® Foundstone® Professional Services, White Paper (2007)

22.

Kim, S.H., Lee, S.H., Jin, S.H.: Active phishing attack and its countermeasures. Electron. Telecommun. Trends 28(3), 9–18 (2013)

23.

Kaplan, R.M., Martin, K., John, M. Finite state machine data storage where data transition is accomplished without the use of pointers. U.S. Patent 5,450,598 (1995)

24.

Balduzzi, M., Egele, M., Kirda, E., Balzarotti, D., Kruegel, C.: A solution for the automated detection of clickjacking attacks. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 135–144. ACM (2010)

25.

Lekies, S., Heiderich, M., Appelt, D., Holz, T., Johns, M.: On the fragility and limitations of current browser-provided clickjacking protection schemes. In: WOOT, pp. 53–63 (2012)

26.

Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting frame busting: a study of clickjacking vulnerabilities at popular sites. IEEE Oakl. Web 2, 6 (2010)

27.

Nepomnyashy, M.: Protecting Applications Against Clickjacking with F5 LTM. SANS Institute InfoSec Reading Room (2013)

28.

Shahriar, H., Devendran, V.K., Haddad, H.: Proclick: a framework for testing clickjacking attacks in web applications. In: Proceedings of the 6th International Conference on Security of Information and Networks, pp. 144–151. ACM (2013)

29.

Aharonovsky, G.: Malicious camera spying using clickjacking (2008)

30.

Shamsi, J.A., Hameed, S., Rahman, W., Zuberi, F., Altaf, K., Amjad, A.: Clicksafe: providing security against clickjacking attacks. In: 2014 IEEE 15th International Symposium on High-Assurance Systems Engineering (HASE), pp. 206–210. IEEE (2014)

31.

Clickjacking defense cheatsheet: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet. Accessed 15 Oct 2017

32.

Aboukhadijeh, F.: How to: spy on the webcams of your website visitors (2011)

33.

Maone, G. NoScript Firefox Extension. [software] (2006)

34.

Marini, J.: Document Object Model. McGraw-Hill Inc., New York (2002)

35.

Bibeault, B., Kats, Y.: jQuery in Action. Dreamtech Press, New Delhi (2008)

36.

Alexa internet, inc. alexa - top sites by category: (2014). http://www.alexa.com/topsites/category/Top/. Accessed 24 Dec 2014

37.

Malware domain list: (2014). http://www.malwaredomainlist.com/. Accessed 24 Dec 2014

38.

Phishtank domain list: (2014). http://www.phishtank.com/. Accessed 24 Dec 2014

39.

Mozilla foundation: (2013). https://bugzilla.mozilla.org/show_bug.cgi?id=154957. Accessed 24 Dec 2014

40.

Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. Commun. ACM 52(6), 83–91 (2009)CrossRef

41.

Zalewski, M.: Browser security handbook. Google Code (2010)

42.

Chebyshev, V., Unuchek, R.: Mobile malware evolution: 2013. Kaspersky Lab ZAOs SecureList 24, 15347 (2014)

43.

Unuchek, R.: Svpeng android malware targets google play with fake credit card window. http://securelist.com/blog/incidents/63746/latestversion-of-svpengtargets-users-in-us/. Accessed Nov 2017

44.

Fernandes, E., Chen, Q.A., Paupore, J., Essl, G., Halderman, J.A., Mao, Z.M., Prakash, A.: Android ui deception revisited: Attacks and defenses. In: International Conference on Financial Cryptography and Data Security, pp. 41–59. Springer (2016)

45.

Close, T.: Web-key: mashing with permission. In: Proceedings of Web, vol. 2. Citeseer (2008)

46.

Kristol, D.M.: Http cookies: standards, privacy, and politics. ACM Trans. Internet Technol. (TOIT) 1(2), 151–198 (2001)CrossRef

47.

Kotowicz, K.: Cursorjacking again (2012). http://blog.kotowicz.net/2012/01/cursorjacking-again.html. Accessed 6 Sept 2014

48.

Ross, D., Gondrom, T.: Http header field x-frame-options (2013)

49.

Tang, S., Dautenhahn, N., King, S.T.: Fortifying web-based applications automatically. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 615–626. ACM (2011)

50.

Chandra, R., Kim, T., Shah, M., Narula, N., Zeldovich, N.: Intrusion recovery for database-backed web applications. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 101–114. ACM (2011)

Titel: You click, I steal: analyzing and detecting click hijacking attacks in web pages
verfasst von: Anil Saini
Manoj Singh Gaur
Vijay Laxmi
Mauro Conti
Publikationsdatum: 13.12.2018
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 4/2019
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-018-0423-3

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2019

Breaking MPC implementations through compression

SpyDetector: An approach for detecting side-channel attacks at runtime

Double-spending prevention for Bitcoin zero-confirmation transactions

Analyzing XACML policies using answer set programming

Mobile botnets meet social networks: design and analysis of a new type of botnet

SSPFA: effective stack smashing protection for Android OS

Premium Partner