Another scriptless clickjacking vector

Recently, one of my colleagues showed me that Google does the following trick on their search results page. If you search for something, the search results initially contain HTML with the anchors we’d expect:

<a class="l" onmousedown="return rwt(this,'','','','1','AFQjCNGGfyJjOyiWYPB3FW-h7Pt6A5uwlA','4k2v33QNU7tijpC6ZLriyQ','0CDIQFjAA','','',event)" 
href="http://en.wikipedia.org/wiki/Cross-site_scripting"><em>Cross-site scripting</em> - Wikipedia, the free encyclopedia</a>

But have you noticed the onmousedown event handler? Let’s see what it does: right-click on a link and examine its HTML again:

<a class="l" onmousedown="return rwt(this,'','','','1','AFQjCNGGfyJjOyiWYPB3FW-h7Pt6A5uwlA','4k2v33QNU7tijpC6ZLriyQ','0CDIQFjAA','','',event)" 
href="/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;cad=rja&amp;ved=0CDIQFjAA&amp;url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FCross-site_scripting&amp;ei=6oZYUcKUA4WSiALF4YHYDQ&amp;usg=AFQjCNGGfyJjOyiWYPB3FW-h7Pt6A5uwlA&amp;sig2=4k2v33QNU7tijpC6ZLriyQ"><em>Cross-site scripting</em> - Wikipedia, the free encyclopedia</a>

Now it points to a different location! Also note that before we clicked on it, the status bar at the bottom showed us a link to Wikipedia instead of Google’s /url page.

It is a clickjacking attack, isn’t it? Of course Google is a good boy and will navigate us to Wikipedia eventually, but first it will log our navigation through the /url page.

Due to their high practical impact, clickjacking attacks have attracted a lot of attention from the security community. If you recall, I’ve written several blog posts dedicated to this topic, and here are some more links for you:

A Solution for the Automated Detection of Clickjacking Attacks

Scriptless Attacks – Stealing the Pie Without Touching the Sill

Clickjacking in LinkedIn

Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control

UI Redressing Mayhem: Identification Attacks and UI Redressing in Chrome

Hyperlink Spoofing and the Modern Web

Following the developments and published work mentioned above, a plethora of more or less feasible defense techniques have been proposed. All these attempts have a clear goal: stopping clickjacking attacks. In general, one can say that if an attacker manages to execute JavaScript on the target domain, then he can control the whole Web page the victim navigates to. Therefore, a recommended mitigation strategy would be to deactivate or limit JavaScript code execution for security reasons, employing tools such as NoScript or Content Security Policy (CSP), or, alternatively, making use of HTML5-sandboxed iframes.

In this blog post I’d like to evaluate whether restricting scripting content is sufficient for attack mitigation by examining it in practice. For the rest of the article I assume that an attacker has access to the DOM and/or CSS of the victim page, but scripting is completely disabled.

My first attempt was to stack two anchor links one over another and give the top link (with the URL to Wikipedia) style="pointer-events:none;". Unfortunately it didn’t work out: the browser revealed the bottom link’s URL to the user via the status bar.

Another idea was to move the top link offscreen once the user hovers over it or makes it active (an element becomes active on the mousedown event), but again it fails: the top anchor was either moved away too soon (in the case of the :hover state), so podlipensky.com showed up in the status bar, or moved too late (in the case of :active), so once the user released the mouse button the navigation to Wikipedia occurred.

So I need to substitute the links after the user hovers over the anchor (so the status bar will show the URL to Wikipedia), but before the mousedown event, so the browser will navigate the user to my lovely blog. To implement this in pure CSS, we can use transitions to do the trick:

.top-link {
  position:absolute;      /* stacked over the other anchor */
  z-index: 2;             /* on top, so it is what the status bar reports on hover */
  top: 0;
  left: 0;
  transition: all 1s;     /* any property change animates over 1s ... */
  transition-delay: 0.5s; /* ... but only starts 0.5s after the change (e.g. :hover) */
}

Amazingly, it works pretty well: the user sees the URL to Wikipedia in the browser’s status bar, but once they click on it, they find themselves on podlipensky.com.

This is just one of the attack vectors, and I think there are more. Check out html5sec.org for more examples and share your own (if you have one). The more hacks we publish, the safer the Web will be.
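As an added example (not code from the original post), here is a small heuristic linter that a site operator could run over user-supplied CSS under the threat model above, flagging the ingredients of the hover-vs-mousedown link swap: absolutely/fixed positioned rules that carry a transition, and rules using pointer-events:none. The parser, function names and the sample stylesheet are my own constructions; the sample embeds the .top-link rule from the post.

```javascript
// Added example, not from the original post. Heuristic linter for
// attacker-controlled CSS: flags rules whose combination of properties can
// make the status-bar target differ from the element that receives mousedown.
// Parser is deliberately minimal: flat rule list, no @media nesting.

function parseCss(css) {
  const rules = [];
  const stripped = css.replace(/\/\*[\s\S]*?\*\//g, ''); // drop comments
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;                // selector { decls }
  let m;
  while ((m = ruleRe.exec(stripped)) !== null) {
    const decls = {};
    for (const d of m[2].split(';')) {
      const i = d.indexOf(':');
      if (i < 0) continue;
      decls[d.slice(0, i).trim().toLowerCase()] = d.slice(i + 1).trim().toLowerCase();
    }
    rules.push({ selector: m[1].trim(), decls });
  }
  return rules;
}

function findOverlayRisks(css) {
  const findings = [];
  for (const { selector, decls } of parseCss(css)) {
    const reasons = [];
    const positioned = ['absolute', 'fixed'].includes(decls.position);
    const animated = 'transition' in decls || 'transition-delay' in decls ||
      Object.keys(decls).some((k) => k.startsWith('animation'));
    if (positioned && animated) {
      reasons.push('positioned element with a transition: hit area can move between hover and mousedown');
    }
    if (decls['pointer-events'] === 'none') {
      reasons.push('pointer-events:none passes clicks to whatever is stacked underneath');
    }
    if (reasons.length) findings.push({ selector, reasons });
  }
  return findings;
}

// Constructed sample stylesheet: the post's .top-link rule plus two others.
const SAMPLE_CSS = `
  .top-link { position:absolute; z-index: 2; top: 0; left: 0;
              transition: all 1s; transition-delay: 0.5s; }
  .decoy { pointer-events: none; }
  .nav a { color: #333; transition: color 0.2s; }  /* benign: not positioned */
`;

for (const f of findOverlayRisks(SAMPLE_CSS)) console.log(f.selector, f.reasons);
```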
