Clickjacking: An Empirical Study With An Automated Testing/Detection System presented at OWASP BeNelux 2010

by Marco Balduzzi (Eurecom),

Tags: Malware

URL : http://www.owasp.org/index.php/BeNeLux_OWASP_Day_2010#tab=Conference.2C_December_2nd

Summary : Clickjacking has recently received renewed media attention: thousands of Facebook users have fallen victim to a worm that uses clickjacking techniques to propagate.
In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that benefit the attacker, such as propagating a web worm, stealing confidential information or abusing the user's session.
However, it is currently unclear to what extent clickjacking is being used by attackers in the wild and how significant the attack is for the security of Internet users.
In this talk, we present a solution we designed for studying the prevalence of clickjacking on the Internet and for detecting possible malicious pages in an automated fashion. We deployed our system over 10 distinct virtual machines to test more than a million unique web pages in two months. From the analysis of our experimental results we discuss the clickjacking phenomenon and its future implications.
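The attack construction described above (a hidden cross-origin frame positioned over a visible decoy element) and the idea of automated detection can be illustrated with a small heuristic checker. The following is an added example written for this page; it is not the speakers' system and does not reproduce their methodology. It works over a constructed, simplified page model (elements with bounding boxes, opacity and z-index, as a real crawler would read them from a rendered DOM) rather than a live browser, and the page data, origins and URLs in it are made up for the illustration.

```javascript
// Added example, not the talk's code: heuristic clickjacking detector over a
// constructed page model. Each element has a rect {x, y, w, h} in CSS pixels,
// an opacity, a visibility value and a zIndex; iframes also carry the response
// headers the framed target returned (hypothetical model, not a browser API).

// Axis-aligned rectangle overlap test.
function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// An element that still receives clicks but cannot be seen: the core of an
// overlay-style clickjacking page. Threshold of 0.1 is an assumption.
function effectivelyInvisible(el) {
  return el.opacity < 0.1 || el.visibility === 'hidden';
}

// Can the framed target be framed by attackerOrigin at all? A target that sends
// X-Frame-Options DENY/SAMEORIGIN or a restrictive CSP frame-ancestors directive
// cannot be overlaid, so the page is not a working clickjacking page against it.
function targetAllowsFraming(headers, attackerOrigin) {
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return false;
  const csp = headers['content-security-policy'] || '';
  const m = csp.match(/frame-ancestors\s+([^;]+)/i);
  if (m) {
    // Simplified source-list handling: exact origin match, '*' or 'none' only.
    const sources = m[1].trim().split(/\s+/).map(s => s.replace(/^'|'$/g, ''));
    if (sources.includes('none')) return false;
    return sources.includes('*') || sources.includes(attackerOrigin);
  }
  return true; // no framing restriction at all
}

// Flag every invisible cross-origin iframe that sits on top of a visible
// clickable element on a target that actually permits framing.
function detectClickjacking(page) {
  const findings = [];
  const frames = page.elements.filter(e => e.tag === 'iframe' && e.crossOrigin);
  const decoys = page.elements.filter(e => e.clickable && !effectivelyInvisible(e));
  for (const f of frames) {
    if (!effectivelyInvisible(f)) continue;
    if (!targetAllowsFraming(f.responseHeaders || {}, page.origin)) continue;
    for (const d of decoys) {
      if (overlaps(f.rect, d.rect) && f.zIndex >= d.zIndex) {
        findings.push({ frame: f.src, decoy: d.id });
      }
    }
  }
  return findings;
}

// Constructed sample pages (hypothetical origins and URLs).
const decoyButton = {
  id: 'win', tag: 'button', clickable: true, opacity: 1, visibility: 'visible',
  rect: { x: 100, y: 200, w: 120, h: 40 }, zIndex: 1,
};

// 1. Attack page: a fully transparent frame of a "like" endpoint covers the decoy.
const maliciousPage = {
  origin: 'http://attacker.example',
  elements: [
    decoyButton,
    { id: 'f1', tag: 'iframe', crossOrigin: true,
      src: 'https://social.example/like?id=42', opacity: 0, visibility: 'visible',
      rect: { x: 0, y: 0, w: 800, h: 600 }, zIndex: 10, responseHeaders: {} },
  ],
};

// 2. Same layout, but the framed target refuses to be framed: not exploitable.
const protectedTargetPage = {
  origin: 'http://attacker.example',
  elements: [
    decoyButton,
    { id: 'f1', tag: 'iframe', crossOrigin: true,
      src: 'https://social.example/like?id=42', opacity: 0, visibility: 'visible',
      rect: { x: 0, y: 0, w: 800, h: 600 }, zIndex: 10,
      responseHeaders: { 'x-frame-options': 'DENY' } },
  ],
};

// 3. Benign page: a visible embedded widget that does not hide anything.
const benignPage = {
  origin: 'http://publisher.example',
  elements: [
    decoyButton,
    { id: 'ad', tag: 'iframe', crossOrigin: true,
      src: 'https://ads.example/banner', opacity: 1, visibility: 'visible',
      rect: { x: 0, y: 0, w: 728, h: 90 }, zIndex: 0, responseHeaders: {} },
  ],
};

console.log(detectClickjacking(maliciousPage));        // one finding: f1 over 'win'
console.log(detectClickjacking(protectedTargetPage));  // []
console.log(detectClickjacking(benignPage));           // []
```

The heuristic deliberately combines two signals: the geometry and visibility of the frame (what a user-side overlay needs) and the framing policy of the target (what makes the overlay useful to the attacker). A page that fails either test is not a working clickjacking page, which keeps false positives from visible embedded widgets and from targets that already send X-Frame-Options or a frame-ancestors directive. A real crawler would obtain the rects and computed styles by rendering the page in a browser, which is the part that needs automation at scale.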