Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Friday, August 23, 2013 • 2:05pm - 2:35pm
Clickjacking Protection Under Non-trivial Circumstances

An important and timely attack technique on the Web is Clickjacking (also called UI redressing), in which an attacker tricks an unsuspecting victim into clicking on a specific element without the victim's explicit consent. Many webmasters have deployed countermeasures against this kind of attack to keep their websites from being exploitable. Based on our paper [1], this talk gives an overview of the currently available countermeasures and demonstrates that they are either not applicable to many of the possible use cases or are vulnerable to different kinds of attacks. Among other bypasses of state-of-the-art protection mechanisms, we present a technique we call Nested Clickjacking that enables us to perform Clickjacking against the social network Google+ (despite the deployed countermeasures). Furthermore, we present the results of a large-scale empirical study on the usage of current anti-clickjacking mechanisms on about 2 million web pages. The results of our analysis show that about 15% of the analyzed web sites deploy countermeasures against Clickjacking.

After exploring the shortcomings and limitations, we present a novel approach that is capable of defending a Web site against current attacks and that is applicable to many scenarios where traditional countermeasures cannot be used.
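The empirical part of the talk measures how many pages deploy header-based anti-clickjacking mechanisms. The following is an added example, not the authors' measurement tool: it classifies a response's framing restrictions, assuming the X-Frame-Options header and the CSP frame-ancestors directive as the mechanisms checked (neither is named on this page), and computes the deployed share over constructed sample responses. A header being present says nothing about the bypasses the talk describes; this only measures deployment.

```python
"""Classify header-based framing restrictions (added example, constructed samples)."""
from typing import Dict, List, Optional


def parse_csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list is equivalent to 'none' (no framing allowed).
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def classify_framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise which framing restrictions a response carries (header names case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    result = {"xfo": None, "frame_ancestors": None, "protected": False, "notes": []}
    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN") or value.startswith("ALLOW-FROM "):
            result["xfo"] = value
            result["protected"] = True
        else:
            # Unknown values (e.g. ALLOWALL) are ignored by browsers: no protection.
            result["notes"].append(f"unrecognised X-Frame-Options value: {xfo!r}")
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = parse_csp_frame_ancestors(csp)
        if ancestors is not None:
            result["frame_ancestors"] = ancestors
            if ancestors == ["*"]:
                result["notes"].append("frame-ancestors * permits framing by any origin")
            else:
                result["protected"] = True
    return result


def protected_share(responses: List[Dict[str, str]]) -> float:
    """Fraction of responses carrying a usable framing restriction."""
    hits = sum(1 for h in responses if classify_framing_protection(h)["protected"])
    return hits / len(responses) if responses else 0.0


# Constructed header sets standing in for crawled responses (not real measurement data).
SAMPLE_RESPONSES = [
    {"X-Frame-Options": "DENY"},
    {"x-frame-options": "sameorigin"},
    {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://example.test"},
    {"Content-Security-Policy": "frame-ancestors *"},
    {"X-Frame-Options": "ALLOWALL"},
    {"Content-Type": "text/html"},
]
```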

[1] Sebastian Lekies, Mario Heiderich, Dennis Appelt, Thorsten Holz, and Martin Johns. On the fragility and limitations of current browser-provided clickjacking protection schemes. In WOOT, pages 53–63, 2012.


Sebastian Lekies

Sebastian Lekies is a PhD candidate at SAP and the University of Bochum. His main field of research is Web application security. He mainly focuses on client-side Web attacks such as Cross-Site Scripting, Clickjacking, DNS Rebinding, Cross-Site Request Forgery, etc. He regularly publishes his work at academic and non-academic security conferences such as CCS, USENIX Security, Black Hat, OWASP AppSec, DeepSec, etc.

Ben Stock

Ben Stock studied for his Bachelor at the University of Mannheim and advanced to Technische Universität Darmstadt to graduate with a Master's degree in IT security. His earlier work was mainly in the area of malware, and his Bachelor thesis on the Waledac botnet was awarded the CAST e.V. award for best IT security thesis in 2010. He also played a key role in the takedown of the Waledac botnet nowadays known as Microsoft operation...

Großer Saal