.NET Daily

Prevent Attack: Click Jack

Darius Dumitrescu is a creative Senior CMS Consultant with in depth .NET knowledge, focused on Web Development and Architecture Design.


LATEST POSTS

My View on the Life cycle of a Fixed Cost Web Project 01st July, 2018

How to Deliver Accurate Project Status Reports 21st April, 2018

Microsoft ASP.NET

Prevent Attack: Click Jack

Posted on .

Click Jacking is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or letting an attacker take control of their computer while they click on seemingly innocuous web pages. It is a vulnerability that affects a variety of browsers and platforms. A click jack takes the form of embedded code or a script that executes without the user’s knowledge, for example a click on a button that appears to perform some other function.

Example

A user might receive an email with a link to a video about a news item, but another, legitimate page, say a product page on amazon.com, can be “hidden” on top of or underneath the “PLAY” button of the news video. The user tries to “play” the video but actually “buys” the product from Amazon.
Other known exploits include:

  • Tricking users into enabling their webcam and microphone through Flash (which has since been corrected by Adobe);
  • Tricking users into making their social networking profile information public;
  • Making users follow someone on Twitter;
  • Sharing links on Facebook;

Remedy

The technique most commonly used in a click jack attack relies on an IFRAME. The IFrame borders are hidden with CSS, and most of the time you will not notice that you are interacting with a different page.

One solution is to prevent your website from being loaded inside an IFRAME. You can add the code below to your Global.asax file:

void Application_BeginRequest(object sender, EventArgs e)
{
    // Sent with every response: tells the browser not to render this site inside any frame.
    HttpContext.Current.Response.AddHeader("X-Frame-Options", "DENY");
}
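To check that a deployment actually ships the protection described above, here is an added example (not part of the original post or the Code Project source) that classifies the framing policy expressed by a set of response headers. It covers the X-Frame-Options header used in the remedy and, going beyond the post, the Content-Security-Policy frame-ancestors directive that current browsers prefer when both are present. The sample header sets and the partner.example hostname are constructed for the demonstration.

```python
"""Audit whether an HTTP response's headers stop the page from being framed.

Added example, not the post's own code. Evaluates X-Frame-Options and the
CSP frame-ancestors directive and reports whether a third-party site could
embed the page in an IFRAME (the precondition for a click jack attack).
"""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the lower-cased source list of frame-ancestors, or None if the directive is absent.

    An empty source list is returned as [] and, per the CSP spec, matches nothing.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify framing protection as 'blocked', 'same-origin', 'restricted', 'open' or 'weak'.

    Header names are matched case-insensitively. When both headers are present,
    frame-ancestors takes precedence, as it does in browsers that support CSP.
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == [] or ancestors == ["'none'"]:
                return "blocked"
            if ancestors == ["'self'"]:
                return "same-origin"
            if "*" in ancestors:
                return "open"
            return "restricted"  # only the listed origins may frame the page

    xfo = lowered.get("x-frame-options")
    if xfo is None:
        return "open"  # no header at all: any site can frame the page
    value = xfo.strip().upper()
    if value == "DENY":
        return "blocked"
    if value == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM was never supported by every browser and is ignored by current
    # ones; the same goes for typos or multiple comma-separated values. An
    # unrecognised value gives no protection, so flag it for the operator.
    return "weak"


# Constructed sample responses for the demonstration (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "post_remedy": {"X-Frame-Options": "DENY"},
    "no_header": {"Content-Type": "text/html"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "partner": {"Content-Security-Policy": "frame-ancestors https://partner.example"},
    "legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "conflict": {"X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "frame-ancestors 'none'"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run framing_policy over a set of named header dictionaries."""
    return {name: framing_policy(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:12s} -> {verdict}")
```

In practice you would feed the function the headers returned by a request to your own site; a verdict of "open" or "weak" means the Global.asax change above is not reaching the browser (for example because a proxy or CDN strips the header), and "restricted" should list only origins you intend to allow.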

You can download a harmless sample of a click jack attack from below.

source: Code Project
