Skip to main content
SpringerLink
Log in

You click, I steal: analyzing and detecting click hijacking attacks in web pages

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Click Hijacking (clickjacking) is emerging as a web-based threat on the Internet. The prime objective of clickjacking is stealing user clicks. An attacker can carry out a clickjacking attack by tricking the victim into clicking an element that is barely visible or completely hidden. By stealing the victim’s clicks, an attacker could entice the victim to perform an unintended action from which the attacker can benefit. These actions include online money transactions, sharing malicious website links, initiate social networking links, etc. This paper presents an anatomy of advanced clickjacking attacks not yet reported in the literature. In particular, we propose new class of clickjacking attacks that employ SVG filters and create various effects with SVG filters. We demonstrate that current defense techniques are ineffective to deal with these sophisticated clickjacking attacks. Furthermore, we develop a novel detection method for such attacks based on the behavior (response) of a website active content against the user clicks (request). In our experiments, we found that our method can detect advanced Scalable Vector Graphics (SVG)-based attacks where most of the contemporary tools fail. We explore and utilize various common and distinguishing characteristics of malicious and legitimate web pages to build a behavioral model based on Finite State Automaton. We evaluate our proposal with a sample set of 78,000 web pages from various sources, and 1000 web pages known to involve clickjacking. Our results demonstrate that the proposed solution enjoys good accuracy and a negligible percentage of false positives (i.e., 0.28%), and zero false negatives in distinguishing clickjacking and legitimate websites.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11

Similar content being viewed by others

Notes

  1. The iframe element represents a nested browsing context, effectively embedding another HTML page into the current page.

References

  1. Grossman, J.: Clickjacking-owasp appsec talk (2008). http://blog.jeremiahgrossman.com/2008/09/cancelled-clickjackingowasp-appsec.html. Accessed 12 Mar 2016

  2. Hansen, R., Grossman, J.: Clickjacking (2008)

  3. Niemietz, M.: Ui redressing: attacks and countermeasures revisited. In: CONFidence, 2011 (2011)

  4. Stone, P.: Next generation clickjacking. media. blackhat. com/bh-eu-10/presentations. In: Stone/BlackHat-EU-2010-Stone-Next-Generation-Clickjacking-slides.pdf 3 (2010)

  5. Vadrevu, P., Liu, J., Li, B., Rahbarinia, B., Lee, K.H., Perdisci, R.: Enabling reconstruction of attacks on users via efficient browsing snapshots (2017)

  6. Selim, H., Tayeb, S., Kim, Y., Zhan, J., Pirouz, M.: Vulnerability analysis of iframe attacks on websites. In: Proceedings of the The 3rd Multidisciplinary International Social Networks Conference on SocialInformatics 2016, Data Science 2016, p. 45. ACM (2016)

  7. Zalewski, M.: Dealing with ui redress vulnerabilities inherent to the current web (2009). http://lists.whatwg.org/pipermail/whatwgwhatwg.org/2008-September/016284.html. Accessed 6 Aug 2014

  8. Zalewski, M.: Strokejacking (2010). http://seclists.org/fulldisclosure/2010/Mar/232. Accessed 11 Nov 2014

  9. Bordi, E.: Proof of concept-cursorjacking (2010)

  10. Huang, L.-S., Moshchuk, A., Wang, H.J., Schecter, S., Jackson, C.: Clickjacking: Attacks and Defenses. In: USENIX Security Symposium, pp. 413–428 (2012)

  11. Vasile C., HTML5 Introduction-What is HTML5 Capable of, Features, and Resources.In: MJ Burns, Producer, & 1stWebDesigner Ltd) Retrieved May 28 (2012): 2013

  12. Lynch, P., Horton, S.: Yale C/Aim Web Style Guide. Yale Center for Advanced Instructional Media, Yale (1997)

    Google Scholar 

  13. Ferraiolo, J., Jun, F., Jackson, D.: Scalable Vector Graphics (SVG) 10 Specification. iUniverse, Bloomington (2000)

    Google Scholar 

  14. Eisenberg, J.D.: SVG Essentials: Producing Scalable Vector Graphics with XML. O’Reilly Media Inc., Newton (2002)

    Google Scholar 

  15. Watt, A.: SVG Unleashed. Pearson Education, London (2002)

    Google Scholar 

  16. Ayars, J., Bulterman, D., Cohen, A., Day, K., Hodge, E., Hoschka, P., Hyche, E., Jourdan, M., Kim, M., Kubota, K., et al.: Synchronized multimedia integration language (smil 2.0). World Wide Web Consort. Recomm. 7, 514 (2001)

  17. Mozilla Developer Network. Gecko (2011)

  18. XSS Filter Evasion Cheat Sheet: Retrieved June 20, 2013 from The Open Web Application Security Project. https://www.owasp.org/index.php (2013)

  19. Johari, R., Sharma, P.: A survey on web application vulnerabilities (sqlia, xss) exploitation and security engine for sql injection. In: 2012 International Conference on Communication Systems and Network Technologies (CSNT), pp. 453–458. IEEE (2012)

  20. Lerner, B.S., Carroll, M.J., Kimmel, D.P., La Vallee, H.Q.-D., Krishnamurthi, S.: Modeling and reasoning about dom events. In: Proceedings of the 3rd USENIX Conference on Web Application Development, pp. 1–1. USENIX Association (2012)

  21. Blatz, J.: Csrf: Attack and Defense. McAfee® Foundstone® Professional Services, White Paper (2007)

  22. Kim, S.H., Lee, S.H., Jin, S.H.: Active phishing attack and its countermeasures. Electron. Telecommun. Trends 28(3), 9–18 (2013)

    Google Scholar 

  23. Kaplan, R.M., Martin, K., John, M. Finite state machine data storage where data transition is accomplished without the use of pointers. U.S. Patent 5,450,598 (1995)

  24. Balduzzi, M., Egele, M., Kirda, E., Balzarotti, D., Kruegel, C.: A solution for the automated detection of clickjacking attacks. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 135–144. ACM (2010)

  25. Lekies, S., Heiderich, M., Appelt, D., Holz, T., Johns, M.: On the fragility and limitations of current browser-provided clickjacking protection schemes. In: WOOT, pp. 53–63 (2012)

  26. Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting frame busting: a study of clickjacking vulnerabilities at popular sites. IEEE Oakl. Web 2, 6 (2010)

    Google Scholar 

  27. Nepomnyashy, M.: Protecting Applications Against Clickjacking with F5 LTM. SANS Institute InfoSec Reading Room (2013)

  28. Shahriar, H., Devendran, V.K., Haddad, H.: Proclick: a framework for testing clickjacking attacks in web applications. In: Proceedings of the 6th International Conference on Security of Information and Networks, pp. 144–151. ACM (2013)

  29. Aharonovsky, G.: Malicious camera spying using clickjacking (2008)

  30. Shamsi, J.A., Hameed, S., Rahman, W., Zuberi, F., Altaf, K., Amjad, A.: Clicksafe: providing security against clickjacking attacks. In: 2014 IEEE 15th International Symposium on High-Assurance Systems Engineering (HASE), pp. 206–210. IEEE (2014)

  31. Clickjacking defense cheatsheet: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet. Accessed 15 Oct 2017

  32. Aboukhadijeh, F.: How to: spy on the webcams of your website visitors (2011)

  33. Maone, G. NoScript Firefox Extension. [software] (2006)

  34. Marini, J.: Document Object Model. McGraw-Hill Inc., New York (2002)

    Google Scholar 

  35. Bibeault, B., Kats, Y.: jQuery in Action. Dreamtech Press, New Delhi (2008)

    Google Scholar 

  36. Alexa internet, inc. alexa - top sites by category: (2014). http://www.alexa.com/topsites/category/Top/. Accessed 24 Dec 2014

  37. Malware domain list: (2014). http://www.malwaredomainlist.com/. Accessed 24 Dec 2014

  38. Phishtank domain list: (2014). http://www.phishtank.com/. Accessed 24 Dec 2014

  39. Mozilla foundation: (2013). https://bugzilla.mozilla.org/show_bug.cgi?id=154957. Accessed 24 Dec 2014

  40. Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. Commun. ACM 52(6), 83–91 (2009)

    Article  Google Scholar 

  41. Zalewski, M.: Browser security handbook. Google Code (2010)

  42. Chebyshev, V., Unuchek, R.: Mobile malware evolution: 2013. Kaspersky Lab ZAOs SecureList 24, 15347 (2014)

    Google Scholar 

  43. Unuchek, R.: Svpeng android malware targets google play with fake credit card window. http://securelist.com/blog/incidents/63746/latestversion-of-svpengtargets-users-in-us/. Accessed Nov 2017

  44. Fernandes, E., Chen, Q.A., Paupore, J., Essl, G., Halderman, J.A., Mao, Z.M., Prakash, A.: Android ui deception revisited: Attacks and defenses. In: International Conference on Financial Cryptography and Data Security, pp. 41–59. Springer (2016)

  45. Close, T.: Web-key: mashing with permission. In: Proceedings of Web, vol. 2. Citeseer (2008)

  46. Kristol, D.M.: Http cookies: standards, privacy, and politics. ACM Trans. Internet Technol. (TOIT) 1(2), 151–198 (2001)

    Article  Google Scholar 

  47. Kotowicz, K.: Cursorjacking again (2012). http://blog.kotowicz.net/2012/01/cursorjacking-again.html. Accessed 6 Sept 2014

  48. Ross, D., Gondrom, T.: Http header field x-frame-options (2013)

  49. Tang, S., Dautenhahn, N., King, S.T.: Fortifying web-based applications automatically. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 615–626. ACM (2011)

  50. Chandra, R., Kim, T., Shah, M., Narula, N., Zeldovich, N.: Intrusion recovery for database-backed web applications. In: Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pp. 101–114. ACM (2011)

Download references

Acknowledgements

Mauro Conti is supported by a Marie Curie Fellowship funded by the European Commission under the agreement n. PCIG11-GA-2012-321980. This work has been partially supported by the TENACE PRIN Project funded by the Italian MIUR (20103P34XC), and by the Project “Tackling Mobile Malware with Innovative Machine Learning Techniques” funded by the University of Padua.

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, Malaviya National Institute of Technology, Jaipur, 302017, India

    Anil Saini, Manoj Singh Gaur & Vijay Laxmi

  2. Department of Mathematics, University of Padua, 35131, Padua, Italy

    Mauro Conti

Authors
  1. Anil Saini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Manoj Singh Gaur
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Vijay Laxmi
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Mauro Conti
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Manoj Singh Gaur.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Saini, A., Gaur, M.S., Laxmi, V. et al. You click, I steal: analyzing and detecting click hijacking attacks in web pages. Int. J. Inf. Secur. 18, 481–504 (2019). https://doi.org/10.1007/s10207-018-0423-3

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-018-0423-3

Keywords

Search

Navigation