Project Notes

Browser Security

Notes and summaries of key browser security and vulnerabilities.

Notes

Clickjacking

Clickjacking (also called UI redress) attacks trick a web user into clicking on, or typing into, something other than what they believe they are interacting with. The attack can work in either direction:

  • present a fake button or UI, but when the user clicks on it they are in fact interacting with an underlying, framed victim site
  • present the real web page, overlaid with something fake that appears to be part of it (such as a fake login popup)

The victim site is usually embedded in the attacker's page with an IFRAME or OBJECT tag, typically made fully transparent with CSS (opacity: 0) and positioned so that the control the attacker wants clicked sits directly under the decoy.
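As an added illustration of the overlay described above (this is example code written for this note, not part of the original notes; the victim URL, the decoy text and all coordinates are made up), the following builds the skeleton of an attacker's page for the first attack direction and works out the iframe offset needed to line the victim's real control up under the decoy:

```javascript
// Added example, not from the original notes: skeleton of a clickjacking page where a
// transparent frame of the victim is stacked on top of a decoy button. The victim URL,
// decoy text and coordinates below are constructed values for illustration only.

// The iframe must be shifted so that the victim's real control ends up exactly under the
// decoy. `decoy` is where the fake button is drawn on the attacker's page; `target` is
// where the real control sits inside the victim page. Both are {left, top} in CSS pixels.
// The result is usually negative: the frame is dragged up and left off the page.
function alignFrame(decoy, target) {
  return { left: decoy.left - target.left, top: decoy.top - target.top };
}

function buildClickjackPage({ victimUrl, decoy, target, decoyText, frameWidth, frameHeight }) {
  const offset = alignFrame(decoy, target);
  return `<!doctype html>
<html><head><style>
  /* the decoy the user believes they are clicking; it sits BELOW the frame in z-order */
  #decoy { position:absolute; left:${decoy.left}px; top:${decoy.top}px; z-index:1; }
  /* the victim: shifted by the computed offset, fully transparent, and on top, so
     pointer events reach the framed control rather than the decoy */
  #victim { position:absolute; left:${offset.left}px; top:${offset.top}px;
            width:${frameWidth}px; height:${frameHeight}px; border:0; opacity:0; z-index:2; }
</style></head>
<body>
  <button id="decoy">${decoyText}</button>
  <iframe id="victim" src="${victimUrl}"></iframe>
</body></html>`;
}

// Constructed sample: the decoy is drawn at (120,80); the victim's real button is at
// (400,600) inside its own page, so the frame has to be offset by (-280,-520).
const samplePage = buildClickjackPage({
  victimUrl: 'https://victim.example/settings',   // hypothetical URL
  decoy: { left: 120, top: 80 },
  target: { left: 400, top: 600 },
  decoyText: 'Click to claim your prize',
  frameWidth: 1200,
  frameHeight: 900,
});
```

The only parts that matter for the attack are the three CSS properties on the frame: an absolute position with the computed offset, opacity 0 so the user sees the decoy, and a z-index above the decoy so the click is delivered to the framed control.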

Browsers (currently) do not prevent embedding by default. Victim sites must take active measures to stop their pages being framed in this way. Two primary mechanisms:

  • send the X-Frame-Options response header (DENY or SAMEORIGIN), which instructs the browser to refuse to render the page inside a frame. The Content-Security-Policy frame-ancestors directive has since superseded it and should be sent as well: it takes precedence when present and allows a list of permitted framing origins, which X-Frame-Options cannot express.
  • use JavaScript (frame busting) to detect that the page is not the top-level window and force the top-level window to navigate to the "real" page. This is only defence in depth: an attacker can neutralise it, for example by loading the victim in an iframe with a sandbox attribute that omits allow-top-navigation, so that the bust-out navigation is blocked.

Sites that have historically been valuable targets of this type of attack (Facebook, Twitter, Google and the like) have all of these defences in place.
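To make the header semantics concrete, the following is an added example (written for this note, not code from the original notes or from any browser) that models how a browser decides whether a response may be rendered in a frame, given the X-Frame-Options header, the CSP frame-ancestors directive, and the full chain of ancestor origins. It also includes the frame-busting check written against a window-like object so it can run outside a browser. The origins and header values are constructed; the model simplifies real browser behaviour (it does not normalise default ports and treats 'none' simply as matching nothing).

```javascript
// Added example, not from the original notes: a simplified model of a browser's
// anti-framing decision plus the legacy frame-busting check. Sample origins and
// headers are constructed for illustration.

// Browsers compare origins (scheme, host, port), not full URLs.
function parseOrigin(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol.replace(':', ''), host: u.hostname, port: u.port };
}

// Match one frame-ancestors source expression against an ancestor origin.
// Supports 'none', 'self', scheme-only (https:), and [scheme://]host[:port] with "*." prefix.
function sourceMatches(expr, ancestor, self) {
  const a = parseOrigin(ancestor);
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    const s = parseOrigin(self);
    return a.scheme === s.scheme && a.host === s.host && a.port === s.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return a.scheme === expr.slice(0, -1).toLowerCase();
  let hostExpr = expr, scheme = null;
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/i);
  if (m) { scheme = m[1].toLowerCase(); hostExpr = m[2]; }
  if (scheme && scheme !== a.scheme) return false;
  const [hostPart, portPart] = hostExpr.split(':');
  if (portPart && portPart !== '*' && portPart !== a.port) return false;
  // "*.example" matches any subdomain of example but not example itself
  if (hostPart.startsWith('*.')) return a.host.endsWith(hostPart.slice(1));
  return a.host === hostPart.toLowerCase();
}

// Decide whether a response from `selfOrigin` may be shown inside the frame chain
// `ancestorOrigins` (top-level window first). Returns { allowed, reason }.
function framingDecision(headers, selfOrigin, ancestorOrigins) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When CSP carries frame-ancestors, it wins and X-Frame-Options is ignored.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      // Every ancestor in the chain must match at least one source expression.
      for (const anc of ancestorOrigins) {
        if (!sources.some(src => sourceMatches(src, anc, selfOrigin))) {
          return { allowed: false, reason: `frame-ancestors blocks ${anc}` };
        }
      }
      return { allowed: true, reason: 'frame-ancestors permits every ancestor' };
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    // Current browsers check every ancestor in the chain, not just the top-level one.
    const bad = ancestorOrigins.find(anc => !sourceMatches("'self'", anc, selfOrigin));
    return bad
      ? { allowed: false, reason: `X-Frame-Options: SAMEORIGIN blocks ${bad}` }
      : { allowed: true, reason: 'X-Frame-Options: SAMEORIGIN, all ancestors same-origin' };
  }
  // ALLOW-FROM is obsolete and any unrecognised value is ignored: no protection at all.
  return { allowed: true, reason: xfo ? `unrecognised X-Frame-Options "${xfo}" ignored` : 'no anti-framing header' };
}

// Legacy frame-busting check from the notes. In a real page this is
//   if (window.top !== window.self) window.top.location = window.self.location;
// Written against a window-like object here so it can run outside a browser.
// Caveat: inside <iframe sandbox="allow-scripts allow-forms"> (no allow-top-navigation)
// the assignment to top.location is blocked, so this is only defence in depth.
function frameBust(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location; // send the top-level window to the real page
    return true;
  }
  return false;
}

// Constructed usage: a site that allows only itself and partner subdomains to frame it.
const sampleHeaders = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  'X-Frame-Options': 'SAMEORIGIN',
};
console.log(framingDecision(sampleHeaders, 'https://bank.example', ['https://evil.example']));
```

Run it with node and vary the ancestor list: a same-origin page nested inside an attacker's page is rejected under SAMEORIGIN, a CSP frame-ancestors directive overrides a conflicting X-Frame-Options value, and a response with neither header is framable by anyone.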

About LCK#85 web

This page is a web-friendly rendering of my project notes shared in the LittleCodingKata GitHub repository.

LittleCodingKata is my collection of programming exercises, research and code toys broadly spanning things that relate to programming and software development (languages, frameworks and tools).

These range from the trivial to the complex and serious. Many are inspired by existing work and I'll note credits and references where applicable. The focus is quite scattered, as I variously work on things new and important in the moment, or go back to revisit things from the past.

This is primarily a personal collection for my own edification and learning, but anyone who stumbles by is welcome to borrow, steal or reference the work here. And if you spot errors or issues I'd really appreciate some feedback - create an issue, send me an email or even send a pull-request.