Deisnet Reti di Telecomunicazioni

ClickJacking Attack Example

Welcome to the Deisnet ClickJacking example page. The following fake links will walk you through some click issues. The fake links are span elements positioned through a negative z-index. The user believes she is clicking on a link, but she is not; no JavaScript is needed, just CSS. Click on the "E" of each "Example" word. Enjoy your click.

- Example 1: the browser opens a JavaScript stored in another page (the one in the background).
- Example 2: the browser performs a Google search without the user's consent (after that you need to reload the page to use Example 3).
- Example 3: the browser accepts a cookie from another page that the user doesn't see.

This page seems to be a normal HTML page: no JavaScript and no Flash scripts are embedded, so even a smart user may think that everything is legitimate, yet an attacker can still steal clicks and do whatever he wants with them. In other words, the attacker tricks the user into clicking on something she cannot see by having her click on something she can see. This fraud is possible through three easy steps which every web developer should know. The first one is to load the target page in the background through an "iframe" whose CSS opacity value is set to 0. This makes the iframe content invisible. The next step is to create an artificial web page which fits perfectly over the background one. If the created page doesn't line up properly with the background one, the mouse cursor might change when it leaves the iframe, alerting the user that something wrong is happening. As the last step, the attacker places the HTML element that is meant to attract the clicks over the hidden link and sets its CSS z-index property so that it sits behind the invisible iframe.
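The defence against the three steps above is for the framed page to refuse to be framed at all, so the opacity-0 iframe in step one is never rendered. The following is an added example, not code from the Deisnet page: it builds the anti-framing response headers (CSP frame-ancestors plus the legacy X-Frame-Options) and simulates the browser's decision of whether a page served with those headers may be embedded. The function names and the origins used are assumptions made for the example; host-source wildcards in CSP are not modelled.

```javascript
// Added example (not part of the Deisnet page): server-side mitigation for clickjacking.
// A page that must never be framed says so via Content-Security-Policy frame-ancestors
// (modern browsers) and X-Frame-Options (legacy browsers). With either header honoured,
// the invisible iframe of step one is simply not displayed.

// Build the response headers. allowedAncestors is a list of CSP source expressions such
// as "'self'" or "https://partner.example"; an empty list means "nobody may frame me".
function antiClickjackingHeaders(allowedAncestors = []) {
  const ancestors = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  const headers = { 'Content-Security-Policy': `frame-ancestors ${ancestors}` };
  // X-Frame-Options can only express DENY or SAMEORIGIN, so it is emitted just for
  // those two cases; CSP carries the full policy for browsers that understand it.
  if (allowedAncestors.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Simulate the browser: may a document served with `headers` and living at `pageOrigin`
// be embedded by a page at `framerOrigin`? If a frame-ancestors directive is present it
// takes precedence; otherwise X-Frame-Options is consulted; otherwise framing is allowed.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const directive = csp.match(/frame-ancestors\s+([^;]+)/i);
  if (directive) {
    const sources = directive[1].trim().split(/\s+/);
    return sources.some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return framerOrigin === pageOrigin;
      if (src === '*') return true;
      // Simplified: exact origin comparison only, no scheme or host wildcards.
      return src.toLowerCase() === framerOrigin.toLowerCase();
    });
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no protection at all: the hidden iframe from step one loads
}
```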