Lecture 24: User Interface (UI) Attacks

Note: Together, lectures 23 and 24 cover three topics (CSRF, Impersonation Attacks, UI Attacks). Each topic is about 30-35 minutes long.

• Slides
• Playlist (length: 33:48)

Clickjacking

How does clickjacking subvert the same-origin policy?

The user is interacting with a fake attacker-controlled user interface, which runs with the attacker’s origin, not the origin of the legitimate website.

Cursorjacking

Clickjacking Defenses

(True/false) If we enabled dialogue boxes asking for confirmation on every website, clickjacking attacks would never work.

False. Careless users could still unintended clicks and confirm them if they don’t check the dialogue box carefully. Also, attackers could create their own fake confirmation boxes.

(True/false) Clickjacking attacks can only happen when you are visiting an attacker’s website.

False. A legitimate website could load a frame that tries to perform a clickjacking attack. For example, a streaming website might load an advertisement that shows you a fake Download button.

Defense: Framebusting

Defense: Ensuring Visual Integrity

Defense: Enforcing Temporal Integrity

Defense: X-Frames-Options

Browser-in-Browser Attack