TY - GEN
T1 - Clickjuggler
T2 - 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014
AU - Takamatsu, Yusuke
AU - Kono, Kenji
PY - 2014/1/1
Y1 - 2014/1/1
N2 - Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking for defenses against clickjacking during the development. Clickjuggler generates clickjacking attacks, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the clickjacking vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on clickjacking is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can check for the clickjacking vulnerabilities in 4 real-world web applications.
AB - Clickjacking is a new attack which exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, the correct implementation is not easy. A trivial mistake in the implementation leads to evasion of the countermeasures. For the correct implementation, web developers must have intimate knowledge on evasion techniques of the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking for defenses against clickjacking during the development. Clickjuggler generates clickjacking attacks, performs those attacks on web applications, and checks whether the attacks are successful or not. By automating the process of checking for the clickjacking vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskillful developers can benefit from Clickjuggler since no special knowledge on clickjacking is needed to use Clickjuggler. Our experimental results demonstrate that Clickjuggler can check for the clickjacking vulnerabilities in 4 real-world web applications.
UR - http://www.scopus.com/inward/record.url?scp=84910052941&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84910052941&partnerID=8YFLogxK
U2 - 10.1109/PST.2014.6890943
DO - 10.1109/PST.2014.6890943
M3 - Conference contribution
AN - SCOPUS:84910052941
T3 - 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014
SP - 224
EP - 231
BT - 2014 12th Annual Conference on Privacy, Security and Trust, PST 2014
A2 - Miri, Ali
A2 - Josang, Audun
A2 - Garcia-Alfaro, Joaquin
A2 - Hengartner, Urs
A2 - Huang, Nen-Fu
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 23 July 2014 through 24 July 2014
ER -