Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
Cross Site Display
Posted by: h0gar
Date: November 03, 2009 05:15PM

Hi guys.

After reading some stuff about click hijacking, I had a thought about a kind of vulnerability which doesn't fit in any other category of the forum.
The full article is on my blog: http://h0gar.net/?p=57

But here is an excerpt:

"Actually, we could just make it look like they are dealing with a completely innocent website while they are dealing with another one. And this, by mixing the display/context.

To make it simple, here is an example:

Get a page with a “rate button” inside it. Put this page in an iframe within an under-control page. Put div layers over the iframe or use CSS clip to hide everything but the vote button. Then, build a new display around the iframe with the under-control page."

I guess it's possible to go quite far using this technique. It just requires some free time and a little intelligence.
And I'm actually surprised that I couldn't find anything talking about it...

Hope you find it interesting.

Cheers



Edited 2 time(s). Last edit at 11/03/2009 05:31PM by h0gar.

Re: Cross Site Display
Posted by: tx
Date: November 03, 2009 05:47PM

Perhaps I missed something in your post, but it seems that you are just renaming clickjacking.

-tx @ lowtech-labs.org

Re: Cross Site Display
Posted by: h0gar
Date: November 03, 2009 06:18PM

Kind of, but it's not only about clicks. OK, my example may not be clear.

Another one. What if you just show the subscription form of a random website (with a decorated iframe), within an under-control page, and ask the users to subscribe on "your website"?

And actually, click hijacking -quickly said- is how to steal user clicks.
Here, what I'm talking about, is how to mix the displays to confuse the user.

Re: Cross Site Display
Posted by: sirdarckcat
Date: November 03, 2009 07:31PM

that is actually clickjacking.. but the name sucks haha, there was a better one.. "UI Redressing".

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Cross Site Display
Posted by: h0gar
Date: November 03, 2009 07:44PM

Oh damn :p. Seems like I just reinvented the wheel...

But still. Almost all websites are vulnerable to it. And? Who cares?
I'm sure I could build some "UI Redressing" for some big open-source projects or even sla.ckers. With some time. May not be as efficient as a good old XSS/CSRF, but all "we need" is one successful shot.
Even so there are existing protections against that.

But not tonight...

PS: And "UI Redressing" does sound better than my "Cross Site Display"...



Edited 4 time(s). Last edit at 11/03/2009 07:52PM by h0gar.
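
An added example, not part of any post in this thread: a JavaScript check a site owner can run over a response's headers to see whether the page may be rendered in a frame on another origin, which is the precondition for the overlay technique discussed here. `X-Frame-Options` and the CSP `frame-ancestors` directive are real headers; the function names and all origins are made up for illustration, and the model is simplified to a single ancestor and single-valued headers.

```javascript
// Does one frame-ancestors source expression admit the embedding origin?
// Simplification: exact scheme match (browsers also let http: match https:).
function sourceMatches(source, embedder, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return embedder === self;
  if (source === "*") return true;
  const m = /^(https?):\/\/(\*\.)?([^/:*]+)(?::(\d+))?$/.exec(source);
  if (!m) return false; // unsupported or malformed source matches nothing
  const url = new URL(embedder);
  const defaultPort = { http: "80", https: "443" }[m[1]];
  const hostOk = m[2] ? url.hostname.endsWith("." + m[3]) : url.hostname === m[3];
  const portOk = (url.port || defaultPort) === (m[4] || defaultPort);
  return url.protocol === m[1] + ":" && hostOk && portOk;
}

// True when a page at embedderOrigin could display this response in a frame.
function canBeFramedBy(headers, embedderOrigin, selfOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  for (const directive of (h["content-security-policy"] || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "frame-ancestors") continue;
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    // An empty source list behaves like 'none'.
    return sources.some((s) => sourceMatches(s, embedderOrigin, selfOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === selfOrigin;
  return true; // no header, obsolete ALLOW-FROM, or junk value: no protection
}

// Constructed sample: a legacy DENY header next to a CSP that allows a partner.
const SAMPLE = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy":
    "default-src 'self'; frame-ancestors https://*.partner.example",
};
console.log(canBeFramedBy(SAMPLE, "https://app.partner.example", "https://vote.example"));
```

The sample shows a common audit surprise: the `DENY` header suggests the page is never framable, but the CSP directive is what the browser enforces.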

Re: Cross Site Display
Posted by: sirdarckcat
Date: November 03, 2009 08:37PM

I meant clickjacking name sucks since it's not only clicks that you can hijack..

but yeah, it's the same as this

greetz

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Cross Site Display
Posted by: Gareth Heyes
Date: November 04, 2009 02:06AM

From 2007:-

http://www.thespanner.co.uk/2007/09/28/openid-security-css-overlays/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Cross Site Display
Posted by: rvdh
Date: November 07, 2009 10:32AM

Don't worry, most stuff is re-invented. Everyone is eyeballing for vulnerabilities, few stones are left unturned.

Re: Cross Site Display
Posted by: Gareth Heyes
Date: November 07, 2009 01:39PM

@rvdh

Yeah it is all the same, the technique has been around for years before it was "coined the term". A bit like Ajax.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Cross Site Display
Posted by: rvdh
Date: November 12, 2009 09:45AM

Yeah, I saw a page from 1998 last week that talked about getting the IP address with Java, which in 2006 re-emerged. :) Much is there, if one bothers to search.



Edited 1 time(s). Last edit at 11/12/2009 09:45AM by rvdh.
