Proceedings of the FREENIX Track: 2001 USENIX Annual Technical Conference
Protecting browser state from web privacy attacks
Proceedings of the 15th international conference on World Wide Web
Dynamic pharming attacks and locked same-origin policies for web browsers
Proceedings of the 14th ACM conference on Computer and communications security
Protecting browsers from dns rebinding attacks
Proceedings of the 14th ACM conference on Computer and communications security
The ghost in the browser analysis of web-based malware
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Secure Web Browsing with the OP Web Browser
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Robust defenses for cross-site request forgery
Proceedings of the 15th ACM conference on Computer and communications security
Automatic generation of XSS and SQL injection attacks with goal-directed model checking
SS'08 Proceedings of the 17th conference on Security symposium
IEEE Security and Privacy
A solution for the automated detection of clickjacking attacks
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
The multi-principal OS construction of the gazelle web browser
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
BLADE: an attack-agnostic approach for preventing drive-by malware infections
Proceedings of the 17th ACM conference on Computer and communications security
ProClick: a framework for testing clickjacking attacks in web applications
Proceedings of the 6th International Conference on Security of Information and Networks
| Hi-index | 0.00 |
An important and timely attack technique on the Web is Clickjacking (also called UI redressing), in which an attacker tricks the unsuspicious victim into clicking on a specific element without his explicit knowledge about where he is actually clicking. In order to protect their websites from being exploitable, many web masters deployed different countermeasures to this kind of attack. In this paper, we explore the limitations and shortcomings of current anti-clickjacking approaches and present several bypasses of state-of-the-art tools, including an attack we call Nested Clickjacking that enables us to perform Clickjacking against the social network Google+. Furthermore, we present the results of a large scale empirical study on the usage of current anti-clickjacking mechanisms on about 2 million web pages. The results of our analysis show that about 15% of the analyzed web sites protect themselves against Clickjacking.