Clickjuggler

Checking for incomplete defenses against clickjacking

Yusuke Takamatsu, Kenji Kono

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, implementing them correctly is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For a correct implementation, web developers must have intimate knowledge of the techniques used to evade the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking defenses against clickjacking during development. Clickjuggler generates clickjacking attacks, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for clickjacking vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskilled developers can benefit from Clickjuggler since no special knowledge of clickjacking is needed to use it. Our experimental results demonstrate that Clickjuggler can check for clickjacking vulnerabilities in 4 real-world web applications.

Original language: English
Title of host publication: 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 224-231
Number of pages: 8
ISBN (Print): 9781479935031
DOIs: 10.1109/PST.2014.6890943
Publication status: Published - 2014
Event: 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014 - Toronto, Canada
Duration: 2014 Jul 23 - 2014 Jul 24

Other

Other: 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014
Country: Canada
City: Toronto
Period: 14/7/23 - 14/7/24

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Safety, Risk, Reliability and Quality

Cite this

Takamatsu, Y., & Kono, K. (2014). Clickjuggler: Checking for incomplete defenses against clickjacking. In 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014 (pp. 224-231). [6890943] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/PST.2014.6890943

Clickjuggler : Checking for incomplete defenses against clickjacking. / Takamatsu, Yusuke; Kono, Kenji.

2014 12th Annual Conference on Privacy, Security and Trust, PST 2014. Institute of Electrical and Electronics Engineers Inc., 2014. p. 224-231 6890943.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Takamatsu, Y & Kono, K 2014, Clickjuggler: Checking for incomplete defenses against clickjacking. in 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014., 6890943, Institute of Electrical and Electronics Engineers Inc., pp. 224-231, 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014, Toronto, Canada, 14/7/23. https://doi.org/10.1109/PST.2014.6890943
Takamatsu Y, Kono K. Clickjuggler: Checking for incomplete defenses against clickjacking. In 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014. Institute of Electrical and Electronics Engineers Inc. 2014. p. 224-231. 6890943 https://doi.org/10.1109/PST.2014.6890943
Takamatsu, Yusuke ; Kono, Kenji. / Clickjuggler : Checking for incomplete defenses against clickjacking. 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014. Institute of Electrical and Electronics Engineers Inc., 2014. pp. 224-231
@inproceedings{ec26c0e993a642bf93785589e0c448ba,
title = "Clickjuggler: Checking for incomplete defenses against clickjacking",
abstract = "Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking for defenses against clickjacking during the development. Clickjuggler generates clickjacking attacks, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the clickjacking vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on clickjacking is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can check for the clickjacking vulnerabilities in 4 real-world web applications.",
author = "Yusuke Takamatsu and Kenji Kono",
year = "2014",
doi = "10.1109/PST.2014.6890943",
language = "English",
isbn = "9781479935031",
pages = "224--231",
booktitle = "2014 12th Annual Conference on Privacy, Security and Trust, PST 2014",
publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - GEN

T1 - Clickjuggler

T2 - Checking for incomplete defenses against clickjacking

AU - Takamatsu, Yusuke

AU - Kono, Kenji

PY - 2014

Y1 - 2014

N2 - Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking for defenses against clickjacking during the development. Clickjuggler generates clickjacking attacks, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the clickjacking vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on clickjacking is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can check for the clickjacking vulnerabilities in 4 real-world web applications.

AB - Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking for defenses against clickjacking during the development. Clickjuggler generates clickjacking attacks, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the clickjacking vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on clickjacking is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can check for the clickjacking vulnerabilities in 4 real-world web applications.

UR - http://www.scopus.com/inward/record.url?scp=84910052941&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84910052941&partnerID=8YFLogxK

U2 - 10.1109/PST.2014.6890943

DO - 10.1109/PST.2014.6890943

M3 - Conference contribution

SN - 9781479935031

SP - 224

EP - 231

BT - 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014

PB - Institute of Electrical and Electronics Engineers Inc.

ER -