Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.
Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice.
This new browser-based tool allows a user to experiment with clickjacking techniques by using point-and-click to visually select different elements within a webpage to be targeted. The tool also allows several 'next-generation' clickjacking techniques to be used, as introduced in Paul Stone's Blackhat Europe 2010 talk.
Among the features of the new tool are:
Use point-and-click to select the areas of a page to be targeted
Supports the new 'text-field injection' technique
Supports the new 'content extraction' technique
'Visible mode' replay allowing a user to see how the technique works behind the science
'Hidden mode' replay allows the same steps to be replayed in a hidden manner, simulating a real clickjacking attack.
The tool is currently in an early beta stage, and works best in Firefox 3.6. Full support for other browsers will follow shortly. For further information, please see the Readme.txt file in the downloadable tool.
http://www.contextis.co.uk/resources/tools/clickjacking-tool/cjtool.zip
SOURCE: Pinoy Security
No comments:
Post a Comment