sponsors
usenix conference policies
You are here
On the Fragility and Limitations of Current Browser-Provided Clickjacking Protection Schemes
Sebastian Lekies, SAP Research; Mario Heiderich, Ruhr University; Dennis Appelt, SAP Research; Thorsten Holz, Ruhr University; Martin Johns, SAP Research
An important and timely attack technique on the Web is Clickjacking (also called UI redressing), in which an attacker tricks the unsuspicious victim into clicking on a specific element without his explicit knowledge about where he is actually clicking. In order to protect their websites from being exploitable, many web masters deployed different countermeasures to this kind of attack.
In this paper, we explore the limitations and shortcomings of current anti-clickjacking approaches and present several bypasses of state-of-the-art tools, including an attack we call Nested Clickjacking that enables us to perform Clickjacking against the social network Google+. Furthermore, we present the results of a large scale empirical study on the usage of current anti-clickjacking mechanisms on about 2 million web pages. The results of our analysis show that about 15% of the analyzed web sites protect themselves against Clickjacking.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
title = {On the Fragility and Limitations of Current {Browser-Provided} Clickjacking Protection Schemes},
booktitle = {6th USENIX Workshop on Offensive Technologies (WOOT 12)},
year = {2012},
address = {Bellevue, WA},
url = {https://www.usenix.org/conference/woot12/workshop-program/presentation/Lekies},
publisher = {USENIX Association},
month = aug
}
connect with us