1/3/16

Clickjacking

https://en.wikipedia.org/wiki/Clickjacking


Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.[1][2][3][4] It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.[5] The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.[6] Clickjacking can be understood as an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority.[7]


Description

Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden/invisible page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.

Examples

A user might receive an email with a link to a video about a news item, but another valid page, say a product page on Amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.

Other known exploits include:

    Tricking users into enabling their webcam and microphone through Flash (though this has since been fixed)
    Tricking users into making their social networking profile information public
    Making users follow someone on Twitter[8]
    Sharing links on Facebook[9][10]
    Getting likes on a Facebook fan page
    Making illegal revenue from the Google AdSense program

While technical implementation of these attacks may be challenging due to cross-browser incompatibilities, a number of tools such as BeEF or Metasploit Project offer almost fully automated exploitation of clients on vulnerable websites. Clickjacking may be facilitated by - or may facilitate - other web attacks, such as XSS.[11][12]



==================

How to deal with Clickjacking?


The X-Frame-Options response header

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a ,
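As an added example (not code from the original page or from any project it cites), here is a small Python checker that applies the X-Frame-Options rules to a captured set of response headers and reports whether a browser would render the page inside a frame from a given top-level site. The URLs and header values used with it are constructed.

```python
from typing import Mapping, Tuple
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased, as browsers compare origins."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(headers: Mapping[str, str], framed_url: str, top_url: str) -> Tuple[bool, str]:
    """Decide whether a browser honouring X-Frame-Options (RFC 7034) would
    render framed_url inside a frame whose top-level document is top_url.

    headers: response headers of the page being framed (names are case-insensitive).
    Returns (allowed, reason). allowed=True caused by a missing or unusable header
    is exactly the precondition for clickjacking that an audit wants to flag.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "x-frame-options":
            value = raw.strip()
    if value is None:
        return True, "no X-Frame-Options header: any site may frame this page"
    if "," in value:
        # Several directives in one header: browsers disagree on how to resolve
        # this, so an audit should treat the page as unprotected until it is fixed.
        return True, f"multiple values {value!r}: use a single directive"
    directive, _, arg = value.partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False, "DENY: no framing at all"
    if directive == "SAMEORIGIN":
        same = origin_of(framed_url) == origin_of(top_url)
        return same, "SAMEORIGIN: " + ("top-level origin matches" if same else "cross-origin frame blocked")
    if directive == "ALLOW-FROM" and arg:
        # Legacy directive: browsers that never implemented it ignore the whole
        # header, so it must not be relied on as the only defence.
        listed = origin_of(arg.strip())
        ok = listed == origin_of(top_url)
        return ok, f"ALLOW-FROM {listed}: " + ("listed origin matches" if ok else "other origins blocked where supported")
    # Unrecognised token: browsers ignore the header, leaving the page frameable.
    return True, f"unrecognised value {value!r}: header ignored, page frameable"


def audit(headers: Mapping[str, str], framed_url: str) -> bool:
    """True when a cross-site page could frame framed_url (constructed attacker origin)."""
    return framing_allowed(headers, framed_url, "https://other-site.example/")[0]
```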

TraceEnable Directive

Description: Determines the behaviour on TRACE requests
Syntax: TraceEnable [on|off|extended]
Default: TraceEnable on
Context: server config, virtual host
Status: Core
Module: core
Compatibility: Available in Apache 1.3.34, 2.0.55 and later
This directive overrides the behavior of TRACE for both the core server and mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method not allowed) error to the client.
Finally, for testing and diagnostic purposes only, request bodies may be allowed using the non-compliant TraceEnable extended directive. The core (as an origin server) will restrict the request body to 64k (plus 8k for chunk headers if Transfer-Encoding: chunked is used). The core will reflect the full headers and all chunk headers with the response body. As a proxy server, the request body is not restricted to 64k.

Disable TraceEnable by setting it to off when you do not need it.