https://en.wikipedia.org/wiki/Clickjacking
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.[1][2][3][4] It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.[5] The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.[6] Clickjacking can be understood as an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority.[7]
Description
Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden/invisible page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.
Examples
A user might receive an email with a link to a video about a news item, but another valid page, say a product page on Amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.
Other known exploits include:
Tricking users into enabling their webcam and microphone through Flash (though this has since been fixed)[citation needed]
Tricking users into making their social networking profile information public[citation needed]
Making users follow someone on Twitter[8]
Sharing links on Facebook[9][10]
Getting likes on a Facebook fan page[citation needed]
Making illegal revenue from the Google AdSense program[citation needed]
While technical implementation of these attacks may be challenging due to cross-browser incompatibilities, a number of tools such as BeEF or Metasploit Project offer almost fully automated exploitation of clients on vulnerable websites. Clickjacking may be facilitated by - or may facilitate - other web attacks, such as XSS.[11][12]
==================
How to deal with Clickjacking?
The X-Frame-Options response header
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe or object element.
1/3/16
TraceEnable Directive
Description: Determines the behaviour on TRACE requests
Syntax: TraceEnable [on|off|extended]
Default: TraceEnable on
Context: server config, virtual host
Status: Core
Module: core
Compatibility: Available in Apache 1.3.34, 2.0.55 and later
Determines the behaviour of TRACE for both the core server and mod_proxy. The default, TraceEnable on, permits TRACE requests per RFC 2616, which disallows any request body to accompany the request. TraceEnable off causes the core server and mod_proxy to return a 405 (Method Not Allowed) error to the client.

Finally, for testing and diagnostic purposes only, request bodies may be allowed using the non-compliant TraceEnable extended directive. The core (as an origin server) will restrict the request body to 64k (plus 8k for chunk headers if Transfer-Encoding: chunked is used). The core will reflect the full headers and all chunk headers with the response body. As a proxy server, the request body is not restricted to 64k.
Disable TRACE by setting TraceEnable to off when you do not need it.
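After changing the directive, the natural follow-up is to confirm from the outside that your own server now answers TRACE with the 405 the text describes instead of reflecting the request. The Python below is an added example (not part of the Apache documentation or the original post) that classifies a raw TRACE response: 405 means TraceEnable off; a 200 with Content-Type message/http whose body starts with the echoed request line means TraceEnable on; and, following the description of the extended setting above, an echoed message that itself carries a body is flagged as extended. The three responses it runs against are constructed, not captured from a real server, and the function and constant names are this example's own.

```python
"""Classify a server's answer to an HTTP TRACE request.

Added example for auditing the TraceEnable setting on a server you
administer. The responses below are constructed, not captured.
"""
from typing import Dict, Tuple


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_state(raw: bytes) -> str:
    """Return 'disabled', 'enabled', 'enabled-extended' or 'unknown'."""
    status, headers, body = parse_response(raw)
    if status == 405:
        return "disabled"  # TraceEnable off: Method Not Allowed
    reflected = headers.get("content-type", "").startswith("message/http")
    if status == 200 and reflected and body.startswith(b"TRACE "):
        # The echoed request is itself an HTTP message; anything after its
        # own blank line is a request body, which only 'extended' permits
        # (inferred from the directive description: 'on' disallows bodies).
        echoed_body = body.partition(b"\r\n\r\n")[2]
        return "enabled-extended" if echoed_body else "enabled"
    return "unknown"


# Constructed sample responses for the three states.
DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 55\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nX-Probe: 1\r\n\r\n"
)
EXTENDED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 60\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\nX-Probe: 1\r\n\r\nhello"
)

if __name__ == "__main__":
    for label, sample in (("off", DISABLED), ("on", ENABLED), ("extended", EXTENDED)):
        print(f"TraceEnable {label:8s} -> {trace_state(sample)}")
```

To use it against a live host you administer, send `TRACE / HTTP/1.1\r\nHost: <your-host>\r\n\r\n` over a plain socket and pass the bytes read back to `trace_state`; the expected answer after `TraceEnable off` is "disabled". The parser deliberately ignores Content-Length so that a truncated read still classifies correctly.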