
"Security researcher Lyra Rebane has devised a novel clickjacking attack that relies on Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS). Rebane demonstrated the technique at BSides Tallinn in October and has now published a summary of her approach. The attack, which has yet to be fully mitigated, relies on the fact that SVG filters can leak information across origins, in violation of the web's same-origin policy."
"Clickjacking refers to various ways of tricking the user of an application or website into taking unintended action. Also known as a user-interface redress attack, it commonly involves manipulating interface elements so that user input can be redirected for nefarious purposes. The term was coined in 2008 by security researchers Jeremiah Grossman and Robert Hansen to describe a way to hijack mouse click events so they can be applied as desired by the attacker (e.g. to make the victim click a web page submit button)."
"Since then, various mitigations have been developed to reinforce the web's fundamental security model. These involve limiting how different origins (often in the form of web domains) can interact with one another. As detailed by OWASP, common defenses include: preventing browsers from loading pages in a frame using X-Frame-Options or Content Security Policy (frame-ancestors) HTTP headers; preventing session cookies from being included when a page gets loaded in a frame; and using JavaScript to prevent pages from being loaded in a frame."
A novel clickjacking attack uses Scalable Vector Graphics (SVG) and Cascading Style Sheets (CSS) to leak pixel data across origins. SVG filters can expose rendered pixels of one origin to another, breaching the web's same-origin policy; the demonstration used an SVG/CSS recreation of a "liquid glass" visual effect inside an iframe to read pixels from the page embedding it. The common clickjacking defenses listed by OWASP, X-Frame-Options or Content Security Policy (frame-ancestors) headers, keeping session cookies out of framed loads, and JavaScript frame detection, target framing of the victim page rather than filter-based pixel leakage. New cross-origin variations therefore continue to emerge, and the SVG/CSS filter leak is not yet fully mitigated.
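The defenses summarised above, as an added example that is not part of the article or of Rebane's research: a small JavaScript audit that checks a response's framing headers and Set-Cookie attributes the way a reviewer would, plus the classic frame-detection test parametrised on a window-like object so it can run outside a browser. The header values are constructed samples and the function names are assumptions made for this illustration.

```javascript
// Added example for this summary, not code from The Register or from
// Lyra Rebane's research. Audits the OWASP-listed clickjacking defenses.

function lowerKeys(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) out[k.toLowerCase()] = v;
  return out;
}

// Returns the source list of a CSP frame-ancestors directive (lower-cased),
// or null when the policy carries no such directive.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Decides whether the response forbids framing by other origins.
// Browsers that support CSP ignore X-Frame-Options once frame-ancestors is
// present, so the CSP directive is consulted first.
function framingPolicy(headers) {
  const h = lowerKeys(headers);
  const fa = parseFrameAncestors(h['content-security-policy']);
  if (fa !== null) {
    const other = fa.some((s) => s !== "'none'" && s !== "'self'");
    return { source: 'csp', blocksAllCrossOrigin: !other, value: fa };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { source: 'x-frame-options', blocksAllCrossOrigin: true, value: xfo };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers; an empty or
  // unrecognised value leaves the page frameable from anywhere.
  return { source: 'none', blocksAllCrossOrigin: false, value: xfo || null };
}

// SameSite=Lax or Strict keeps a cookie out of cross-site iframe loads, so a
// framed copy of the page carries no session. Cookies with SameSite=None or
// no attribute are reported by name as exposed (conservative: not every
// browser defaults a missing attribute to Lax).
function cookiesExposedToFraming(headers) {
  const h = lowerKeys(headers);
  const raw = h['set-cookie'];
  const list = Array.isArray(raw) ? raw : raw ? [raw] : [];
  return list
    .filter((c) => !/;\s*samesite\s*=\s*(lax|strict)\b/i.test(c))
    .map((c) => c.split('=')[0].trim());
}

// Legacy JavaScript frame detection. A real page hides <body> with CSS first,
// reveals it only when this returns false, and otherwise navigates the top
// window to its own location; that side effect is left to the caller here.
function isFramed(win) {
  return win.top !== win.self;
}

// Constructed sample responses (not captured from any real site).
const HARDENED = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'Set-Cookie': ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Strict'],
};
const WEAK = {
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
  'Set-Cookie': [
    'sid=abc123; Path=/; HttpOnly; Secure; SameSite=None',
    'theme=dark; Path=/',
  ],
};

console.log('hardened:', framingPolicy(HARDENED), cookiesExposedToFraming(HARDENED));
console.log('weak:', framingPolicy(WEAK), cookiesExposedToFraming(WEAK));
```

Running it reports the hardened response as blocking all cross-origin framing via CSP with no exposed cookies, while the weak response is frameable (the obsolete ALLOW-FROM value buys nothing) and both of its cookies would accompany a framed load. Note that none of these checks say anything about filter-based pixel leakage, which is exactly the gap the SVG/CSS technique exploits.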
Source: The Register