Server-side approaches clickjacking detectionbrad hill
Server-side approaches to clickjacking detection
Brad Hill, PayPal
• Also doesn’t stop pop-under-and-close attacks
Drawbacks of client-enforced screenshot approach
• Incomplete coverage of attack scenarios – Fake mouse cursor, attention stealing attacksAdaptive UI Randomization
• Clickjacking attacks are still subject to the read restrictions of the same-origin policy
• Attacker can profit even at a small success rate
• Few interfaces allow randomization among a large number of locations without creating a very poor user experience
“Bucketizing”
• Associate possible clickjacking targets with a beneficiary or beneficiaries
Look at first-click miss rates,
bucket-by-bucket
• Can’t distinguish individual clickjacking attempts
• But a campaign of clickjacking will quickly
show up – the missed click rate for that bucket will rise above the natural missed click rate
|
|
|---|
| Clickjacking attempts per 100 clicks |
|
|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|
| M=3%, σ=1% |
|
|---|
Pretty good…
10
Conversion Rate Improvement with clickjacking before detection at 2σ8
| Percentage increase in conversion |
|---|
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|
N (number of randomized locations)
| M=3%, σ=1% |
|
|---|
• Instead of turning off service, can trigger a switch to a functional, if less optimal, interface that is more clickjacking resistant
– Popup in dedicated context with X-Frame-Options – Add a CAPTCHA or re-verify credentials
– These responses can be completely automated, and combined with manual investigation according to standard anti-fraud practices
Weaknesses
+
