From: Bwig Zomberi on
Hi,

Can someone explain how click jacking is done? And, provide some code.
Also, some info on countermeasures would be great.

When I do a search for this in Google, the search results get
redirected. Is Google that good?



--
Bwig Zomberi
From: Bwig Zomberi on
Bwig Zomberi wrote:
> Hi,
>
> Can someone explain how click jacking is done? And, provide some code.
> Also, some info on countermeasures would be great.
>

This page says something about it.
http://www.grc.com/sn/notes-168.htm



--
Bwig Zomberi
From: VK on
On Jun 6, 10:17 pm, Bwig Zomberi <zomberiMAPSONNOS...(a)gmail.com>
wrote:
> Bwig Zomberi wrote:
> > Hi,
>
> > Can someone explain how click jacking is done? And, provide some code.
> > Also, some info on countermeasures would be great.
>
> This page says something about it. http://www.grc.com/sn/notes-168.htm

Basically ClickJacking is the technique of inclining the visitor to
click a page interface element in expectation of one result and
providing some other result instead, or the declared result plus some
additional undeclared result.

The most "popular" now ClickJacking is making a nag window using CSS
that floats over a potentially interesting content. The window has [x]
Close button on it. So say user clicks on it. As it is a real
mechanical click initiated by user, popup blocker lets it go. So it is
used to open a real popup/popunder window with sponsor ads and the
like, and after that the nag screen goes away.
From: Bwig Zomberi on
VK wrote:
> On Jun 6, 10:17 pm, Bwig Zomberi<zomberiMAPSONNOS...(a)gmail.com>
> wrote:
>> Bwig Zomberi wrote:
>>> Hi,
>>
>>> Can someone explain how click jacking is done? And, provide some code.
>>> Also, some info on countermeasures would be great.
>>
>> This page says something about it. http://www.grc.com/sn/notes-168.htm
>
> Basically ClickJacking is the technique of inclining the visitor to
> click a page interface element in expectation of one result and
> providing some other result instead, or the declared result plus some
> additional undeclared result.
>
> The most "popular" now ClickJacking is making a nag window using CSS
> that floats over a potentially interesting content. The window has [x]
> Close button on it. So say user clicks on it. As it is a real
> mechanical click initiated by user, popup blocker lets it go. So it is
> used to open a real popup/popunder window with sponsor ads and the
> like, and after that the nag screen goes away.

I am specifically worried about clickjacking in user-generated content.

http://go.theregister.com/feed/www.theregister.co.uk/2010/06/01/facebook_clickjacking_worm/

It affects sites such as Facebook and Twitter.

I plan to create some comment forms on my site. Would it be enough if I
remove iframe tags or would I have to strip all tags?


--
Bwig Zomberi
From: Gordon on
On Jun 10, 8:56 am, Bwig Zomberi <zomberiMAPSONNOS...(a)gmail.com>
wrote:
> VK wrote:
> > On Jun 6, 10:17 pm, Bwig Zomberi<zomberiMAPSONNOS...(a)gmail.com>
> > wrote:
> >> Bwig Zomberi wrote:
> >>> Hi,
>
> >>> Can someone explain how click jacking is done? And, provide some code.
> >>> Also, some info on countermeasures would be great.
>
> >> This page says something about it. http://www.grc.com/sn/notes-168.htm
>
> > Basically ClickJacking is the technique of inclining the visitor to
> > click a page interface element in expectation of one result and
> > providing some other result instead, or the declared result plus some
> > additional undeclared result.
>
> > The most "popular" now ClickJacking is making a nag window using CSS
> > that floats over a potentially interesting content. The window has [x]
> > Close button on it. So say user clicks on it. As it is a real
> > mechanical click initiated by user, popup blocker lets it go. So it is
> > used to open a real popup/popunder window with sponsor ads and the
> > like, and after that the nag screen goes away.
>
> I am specifically worried on clickjacking in user-generated content.
>
> http://go.theregister.com/feed/www.theregister.co.uk/2010/06/01/faceb...
>
> It affects sites such as Facebook and Twitter.
>
> I plan to create some comment forms on my site. Would it be enough if I
> remove iframes tags or would I have to strip all tags?
>
> --
>   Bwig Zomberi

Stripping all <script> tags and tags that allow inline content such as
iframes should cover most cases. You'd be far better doing it server
side though, as client side validation with javascript is easily
turned off.