Lecture 24: User Interface (UI) Attacks

Note: Together, lectures 23 and 24 cover three topics (CSRF, Impersonation Attacks, UI Attacks). Each topic is about 30-35 minutes long.

How does clickjacking subvert the same-origin policy?

Clickjacking Defenses

(True/false) If we enabled dialog boxes asking for confirmation on every website, clickjacking attacks would never work.

(True/false) Clickjacking attacks can only happen when you are visiting an attacker’s website.

Defense: Framebusting

Defense: Ensuring Visual Integrity

Defense: Enforcing Temporal Integrity

Defense: X-Frame-Options

Browser-in-Browser Attack