A solution for the automated detection of clickjacking attacks

Proceedings of the 5th International Symposium on Information, Computer and Communications Security, ASIACCS 2010

Volumn , Issue , 2010, Pages 135-144

  Balduzzi, Marco ^a   Egele, Manuel ^b   Kirda, Engin ^a   Balzarotti, Davide ^a   Kruegel, Christopher ^c  

^a EURECOM   (France)

^b VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^c UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

browser plug in; ClickIDS; clickjacking; CSS; HTML IFRAME; javascript; web security

Indexed keywords

AUTOMATED DETECTION; BROWSER PLUG-IN; EFFICIENT DETECTION; EMPIRICAL STUDIES; INTERNET USERS; JAVASCRIPT; MEDIA COVERAGE; MONEY TRANSACTIONS; NOVEL SOLUTIONS; PLUG-INS; WEB PAGE; WEB SECURITY; WEB-BASED ATTACKS;

HIGH LEVEL LANGUAGES; HTML; INTERNET; WEBSITES;

MARKUP LANGUAGES;

EID: 77954485076     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1755688.1755706     Document Type: Conference Paper

References (41)

1. Acutenix web security scanner. http://www.acunetix.com/.
2. Alexa top sites. http://www.alexa.com/topsites.
3. Malware domain blocklist. http://www.malwaredomains.com/.
4. Myspace. http://www.myspace.com.
5. Nikto. http://www.cirt.net/nikto2.
6. Phishtank: Join the fight against phishing. http://www.phishtank.com/.
7. Selenium web application testing system. http://seleniumhq.org/.
8. Watir automated webbrowsers. http://wtr.rubyforge.org/.
9. xdotool. http://www.semicomplete.com/projects/xdotool/.
10. http://www.blogger.com, 2009.
11. Alexa Internet, Inc. Alexa - top sites by category. http://www.alexa.com/ topsites/category/Top/, 2009.
12. D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In IEEE Symposium on Security and Privacy, pages 387-401, 2008.
13. M. Egele, M. Szydlowski, E. Kirda, and C. Kruegel. Using static program analysis to aid intrusion detection. In Detection of Intrusions and Malware & Vulnerability Assessment, Third International Conference, DIMVA 2006, Berlin, Germany, July 13-14, 2006, Proceedings, pages 17-36, 2006.
14. T. Garfinkel and M. Rosenblum. A virtual machine introspection based architecture for intrusion detection. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2003, San Diego, California, USA, 2003.
15. R. Hansen. Clickjacking details. http://ha.ckers. org/blog/20081007/ clickjacking-details/, 2008.
16. R. Hansen and J. Grossman. Clickjacking. http://www.sectheory.com/ clickjacking.htm, 09 2008.
17. Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai. Web application security assessment by fault injection and behavior monitoring. In WWW '03: Proceedings of the 12th international conference on World Wide Web, pages 148-159, New York, NY, USA, 2003. ACM.
18. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing web application code by static analysis and runtime protection. In WWW '04: Proceedings of the 13th international conference on World Wide Web, pages 40-52, New York, NY, USA, 2004. ACM.
19. International Secure Systems Lab. http://anubis.iseclab.org, 2009.
20. Jeremiah Grossman. (Cancelled) Clickjacking - OWASP AppSec Talk. http://jeremiahgrossman.blogspot.com/2009/06/clickjacking-2017.html, September 2008.
21. Jeremiah Grossman. Clickjacking 2017. http://jeremiahgrossman.blogspot. com/2009/06/clickjacking-2017.html, June 2009.
22. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In IEEE Symposium on Security and Privacy, pages 258-263, 2006.
23. S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic. Secubat: a web vulnerability scanner. In WWW '06: Proceedings of the 15th international conference on World Wide Web, pages 247-256, New York, NY, USA, 2006. ACM.
24. M. Mahemoff. Explaining the "Don't Click" Clickjacking Tweetbomb. http://softwareas.com/explaining-the-dont-click-clickjacking- tweetbomb, 2 2009.
25. G. Maone. Hello ClearClick, Goodbye Clickjacking! http://hackademix.net/ 2008/10/08/hello-clearclick-goodbye-clickjacking/, 10 2008.
26. G. Maone. X-frame-options in firefox. http://hackademix.net/2009/01/29/x- frame-options-in-firefox/, 2009.
27. Microsoft. IE8 Clickjacking Defense. http://blogs.msdn.com/ie/archive/ 2009/01/27/ie8-security-part-vii-clickjacking-defenses. aspx, 01 2009.
28. Microsoft Corporation. Security attribute (frame, iframe, htmldocument constructor). http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx.
29. A. Moshchuk, T. Bragin, S. D. Gribble, and H. M. Levy. A crawler-based study of spyware in the web. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2006, San Diego, California, USA, 2006.
30. Mozilla Foundation. https://bugzilla.mozilla.org/show-bug.cgi?id=154957, 2002.
31. J. Nielsen. The same origin policy. http://www.mozilla.org/projects/ security/components/same-origin.html, 2001.
32. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser analysis of web-based malware. In HotBots'07: Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, pages 4-4, Berkeley, CA, USA, 2007. USENIX Association.
33. F. Ricca and P. Tonella. Analysis and testing of web applications. In ICSE '01: Proceedings of the 23rd International Conference on Software Engineering, pages 25-34, Washington, DC, USA, 2001. IEEE Computer Society.
34. US-CERT. CVE-2008-4503: Adobe Flash Player Clickjacking Vulnerability. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4503, 10 2008.
35. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2007, San Diego, California, USA, 28th February - 2nd March 2007, 2007.
36. Y.-M. Wang, D. Beck, X. Jiang, and R. Roussev. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In IN NDSS, 2006.
37. G. Wassermann and Z. Su. Sound and precise analysis of web applications for injection vulnerabilities. SIGPLAN Not., 42(6):32-41, 2007.
38. G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su. Dynamic test input generation for web applications. In ISSTA '08: Proceedings of the 2008 international symposium on Software testing and analysis, pages 249-260, New York, NY, USA, 2008. ACM.
39. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In USENIX-SS'06: Proceedings of the 15th conference on USENIX Security Symposium, Berkeley, CA, USA, 2006. USENIX Association.
40. M. Zalewski. Browser security handbook, part 2. http://code.google.com/p/ browsersec/wiki/Part2#Arbitrary-page-mashups-UI-redressing), 2008.
41. M. Zalewski. Dealing with UI redress vulnerabilities inherent to the current web. http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2008-September/ 016284.html, 09 2008.