Abstract
Clickjacking is an attack that tricks a victim into clicking on invisible elements of a web page, so that the click performs an unintended action that benefits the attacker. Many defenses against clickjacking have been proposed, but it is still unclear whether they are actually deployed in practice. We study how vulnerable Korean websites are to clickjacking by performing real attacks against the top 100 most popular Korean websites as well as all Korean financial websites. The results are striking: almost all of the Korean websites we examined (about 99.2 %) are vulnerable to clickjacking. Extending the study to mobile websites, we obtain similar results.
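The attack the abstract describes works only if the target page can be loaded inside an attacker's iframe, so the first thing a practitioner checks when reproducing a survey like this one is the framing policy each site sends. The following is an added example, not code from the paper: it implements the browser rules for X-Frame-Options (RFC 7034) and the CSP frame-ancestors directive (which takes precedence over X-Frame-Options when both are present), and classifies a constructed set of responses. All hostnames, headers and the resulting percentage are made up for illustration. ALLOW-FROM is deliberately treated as no protection, because current browsers do not honour it and ignore the header when they see it.

```python
"""Framing-policy check for clickjacking exposure (added example, not the paper's code).

Given the response headers a target page serves, decide whether a page on an
attacker-controlled origin may embed it in an <iframe>. Rules implemented:
  - CSP frame-ancestors (source-list matching; wins over X-Frame-Options)
  - X-Frame-Options DENY / SAMEORIGIN; ALLOW-FROM and invalid values are
    ignored by modern browsers, so they count as "framable"
Content-Security-Policy-Report-Only is not enforced by browsers and is ignored.
"""
from urllib.parse import urlsplit

_DEFAULT_PORT = {"http": 80, "https": 443}


def _origin(url):
    """scheme://host[:port], lower-cased, as browsers compare origins."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def _port(parts):
    return parts.port or _DEFAULT_PORT.get(parts.scheme)


def _source_matches(source, attacker_origin, target_origin):
    """Match one frame-ancestors source expression against the attacker origin."""
    s = source.strip().strip("'").lower()      # keywords arrive quoted: 'self', 'none'
    if s == "none":
        return False
    if s == "self":
        return attacker_origin == target_origin
    if s == "*":
        return True
    a = urlsplit(attacker_origin)
    if s.endswith(":") and "/" not in s:       # scheme-source such as https:
        return a.scheme == s[:-1]
    src = urlsplit(s if "://" in s else "//" + s)   # host-source may omit the scheme
    if src.scheme and src.scheme != a.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):                  # *.example.kr matches any subdomain
        if not a.hostname.endswith(host[1:]):
            return False
    elif host != a.hostname:
        return False
    if src.port is not None and src.port != _port(a):
        return False
    return True


def framing_verdict(headers, attacker_url, target_url):
    """Return (framable, reason) for embedding target_url from attacker_url."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    attacker, target = _origin(attacker_url), _origin(target_url)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # An empty source list means 'none'; any() over [] is False.
            allowed = any(_source_matches(s, attacker, target) for s in value.split())
            return allowed, f"CSP frame-ancestors {value.strip()!r}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return attacker == target, "X-Frame-Options: SAMEORIGIN"
    if xfo:
        # ALLOW-FROM (obsolete) or a typo: browsers ignore the header entirely.
        return True, f"X-Frame-Options: {xfo} (unsupported value, header ignored)"
    return True, "no framing restriction header"


# Constructed sample responses for the demo; not real measurements of any site.
SAMPLE_RESPONSES = {
    "https://bank.example.kr/":   {"Server": "Apache"},
    "https://portal.example.kr/": {"X-Frame-Options": "SAMEORIGIN"},
    "https://shop.example.kr/":   {"X-Frame-Options": "ALLOW-FROM https://partner.example.kr"},
    "https://news.example.kr/":   {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                                   "X-Frame-Options": "DENY"},
    "https://mobile.example.kr/": {"Content-Security-Policy": "frame-ancestors 'self' https://*.example.kr"},
}


def survey(responses, attacker_url="https://attacker.example/"):
    """Classify each sampled site; returns {url: (framable, reason)}."""
    return {url: framing_verdict(hdrs, attacker_url, url) for url, hdrs in responses.items()}


def vulnerable_fraction(results):
    framable = sum(1 for ok, _ in results.values() if ok)
    return framable / len(results) if results else 0.0


if __name__ == "__main__":
    res = survey(SAMPLE_RESPONSES)
    for url, (ok, why) in res.items():
        print(f"{'FRAMABLE ' if ok else 'protected'} {url}  ({why})")
    print(f"{vulnerable_fraction(res):.0%} of sampled sites can be framed cross-origin")
```

A header check is only a proxy for the paper's method. A site that relies solely on JavaScript frame busting shows up here as framable even if its script works, and conversely a frame-busting script can often be defeated (for example by sandboxed iframes or by the attacker's page refusing to navigate). Performing the real attack, as the authors did, is what settles the question; this script is the triage step that tells you which sites are protected by the browser before you test the rest by hand.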
Notes
- 1.
iframe is the HTML tag that specifies an inline frame, used to embed another document within the current HTML document.
© 2014 Springer International Publishing Switzerland
Cite this paper
Kim, D., Kim, H. (2014). We Are Still Vulnerable to Clickjacking Attacks: About 99 % of Korean Websites Are Dangerous. In: Kim, Y., Lee, H., Perrig, A. (eds) Information Security Applications. WISA 2013. Lecture Notes in Computer Science, vol 8267. Springer, Cham. https://doi.org/10.1007/978-3-319-05149-9_10
DOI: https://doi.org/10.1007/978-3-319-05149-9_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05148-2
Online ISBN: 978-3-319-05149-9
eBook Packages: Computer Science (R0)