Detection of visual clickjacking vulnerabilities in incomplete defenses

Yusuke Takamatsu, Kenji Kono

Research output: Contribution to journalArticle

Abstract

Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking attacks compromise visual integrity (called visual clickjacking) or condition integrity (called switchover clickjacking) to deceive victims. We address visual clickjacking in this paper. Visual clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking defenses against visual clickjacking during the development. Clickjuggler generates some types of visual clickjacking attack, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on a variety of visual clickjacking and evasion techniques is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can detect the visual clickjacking vulnerabilities in 4 real-world web applications and can detect the vulnerabilities in a shorter time than existing tools.

Original languageEnglish
Pages (from-to)513-524
Number of pages12
JournalJournal of Information Processing
Volume23
Issue number4
DOIs
Publication statusPublished - 2015 Jul 15

Keywords

  • Clickjacking
  • Cursorjacking
  • Web application
  • Web security

ASJC Scopus subject areas

  • Computer Science(all)

Cite this

Detection of visual clickjacking vulnerabilities in incomplete defenses. / Takamatsu, Yusuke; Kono, Kenji.

In: Journal of Information Processing, Vol. 23, No. 4, 15.07.2015, p. 513-524.

Research output: Contribution to journalArticle

@article{62dbabe42d6b4d169cce477d07772045,
title = "Detection of visual clickjacking vulnerabilities in incomplete defenses",
abstract = "Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking attacks compromise visual integrity (called visual clickjacking) or condition integrity (called switchover clickjacking) to deceive victims. We address visual clickjacking in this paper. Visual clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking defenses against visual clickjacking during the development. Clickjuggler generates some types of visual clickjacking attack, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on a variety of visual clickjacking and evasion techniques is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can detect the visual clickjacking vulnerabilities in 4 real-world web applications and can detect the vulnerabilities in a shorter time than existing tools.",
keywords = "Clickjacking, Cursorjacking, Web application, Web security",
author = "Yusuke Takamatsu and Kenji Kono",
year = "2015",
month = "7",
day = "15",
doi = "10.2197/ipsjjip.23.513",
language = "English",
volume = "23",
pages = "513--524",
journal = "Journal of Information Processing",
issn = "0387-5806",
publisher = "Information Processing Society of Japan",
number = "4",

}

TY - JOUR

T1 - Detection of visual clickjacking vulnerabilities in incomplete defenses

AU - Takamatsu, Yusuke

AU - Kono, Kenji

PY - 2015/7/15

Y1 - 2015/7/15

N2 - Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking attacks compromise visual integrity (called visual clickjacking) or condition integrity (called switchover clickjacking) to deceive victims. We address visual clickjacking in this paper. Visual clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking defenses against visual clickjacking during the development. Clickjuggler generates some types of visual clickjacking attack, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on a variety of visual clickjacking and evasion techniques is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can detect the visual clickjacking vulnerabilities in 4 real-world web applications and can detect the vulnerabilities in a shorter time than existing tools.

AB - Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking attacks compromise visual integrity (called visual clickjacking) or condition integrity (called switchover clickjacking) to deceive victims. We address visual clickjacking in this paper. Visual clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking defenses against visual clickjacking during the development. Clickjuggler generates some types of visual clickjacking attack, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on a variety of visual clickjacking and evasion techniques is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can detect the visual clickjacking vulnerabilities in 4 real-world web applications and can detect the vulnerabilities in a shorter time than existing tools.

KW - Clickjacking

KW - Cursorjacking

KW - Web application

KW - Web security

UR - http://www.scopus.com/inward/record.url?scp=84937428869&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84937428869&partnerID=8YFLogxK

U2 - 10.2197/ipsjjip.23.513

DO - 10.2197/ipsjjip.23.513

M3 - Article

AN - SCOPUS:84937428869

VL - 23

SP - 513

EP - 524

JO - Journal of Information Processing

JF - Journal of Information Processing

SN - 0387-5806

IS - 4

ER -