Bypassing NoScript's ClearClick?
Posted by: tx
Date: October 10, 2008 01:32PM

Hey All,
Can some other people verify this:

Basically I made this page while playing with Ronald's Clickjack/UI Redressing PoC (hence why it looks very similar). The form login/submit button is replaced with an iframe that contains an image of the button that is actually a link which points to Google's logout URL (a very simple GET CSRF). In other words, clicking on the button without NoScript should log the user out of Google, but with NoScript's new ClearClick protection a warning should instead be displayed.

I was testing in FF 3.0.3, with the latest version of NoScript (1.8.2.1) with both tx.lowtech-labs.org and google.com listed as untrusted (so no JavaScript running).
Anyway, on this page: http://tx.lowtech-labs.org/clickjack.php
Clicking the button causes no warnings in NoScript and logs the user out of Google.
This page, however: http://tx.lowtech-labs.org/clickjack2.php does cause a warning to display. The only difference between the two is the size of the PNG file I'm using as a button image: the first one is almost exactly the size of the original button, but the second is a bit larger.

I tried reproducing this from another computer, also running the same version of Firefox and NoScript, and I was unable to; so I'm trying to figure out what may be different between the two setups, and if anyone else can reproduce this.

Also, this probably doesn't work on IE or Safari or anything due to CSS differences, but that doesn't really matter because you can't install NoScript on those browsers anyway.

-tx @ lowtech-labs.org

Re: Bypassing NoScript's ClearClick?
Posted by: ma1
Date: October 10, 2008 07:07PM

Hi tx,

Thank you for trying, but how does this qualify as "clickjacking", exactly?

1. both the frames are on the same domain
2. the two buttons are identical
3. there's no form involved

In other words, what's the advantage for the attacker, compared to putting the logout link directly on the main page, with no frames involved?
Clickjacking is different from CSRF, albeit similar: it allows working around traditional CSRF protections (like origin checks or nonces) because the clicked object is the "legit" trigger on the legit site.
These are the specifics of clickjacking vs. "traditional" CSRF like this.

If you're still curious about why ClearClick is not triggering, the answer descends directly from my observations above:

1. ClearClick checks cross-site frames and same-site/cross-site plugin content only: whatever you can do with same-site frames, you can do it more economically to the same effect with one single page.
2. ClearClick visually compares what you can see with what is underneath, i.e. the clicked element: if they're identical, why should you cover/hide/disguise the bottom?
3. If the clicked/keypressed thing is part of a form, ClearClick extends the comparison to the whole form (pending some max size limits) to prevent isolating a generic submit button from its context.

I'll try to post an article about the (simple, yet tricky) inner details of ClearClick on Hackademix ASAP.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Bypassing NoScript's ClearClick?
Posted by: tx
Date: October 10, 2008 07:20PM

Oh, totally granted. I wasn't really trying to imply that this is clickjacking. Even as a CSRF exploit, the fact of the matter is that there are _far_ easier ways to exploit that than embedding an iframe and overlaying it on a form submission button (esp. since it's GET based). This was merely the first step in a process, next step was to expand this into actual clickjacking.

My main interest was in the fact that NoScript doesn't warn against the first example, yet it does on the second even though they are practically the same thing. If I read your reply correctly, this is because in the second example the image is completely covering up the button (and a region of the page below the button), whereas in the first example the image is pretty much the exact size of the button.

-tx @ lowtech-labs.org

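As an added illustration (a toy model written for this thread, not NoScript's or ClearClick's actual code) of ma1's points 2 and 3 and tx's reading of them: an overlay that matches the button's size and look exactly passes, the slightly larger one is caught only because the comparison widens to the whole form, and a visibly different overlay is caught inside the button's own box. The grid sizes, pixel values and the 2000-pixel form limit are invented for the example.

```javascript
// Toy model (not ClearClick's own code) of the visual comparison described
// above: a page is a grayscale grid, an overlay frame is painted on top, and
// the check compares what the user sees with the underlying page inside the
// clicked element's box, widened to the whole form when one exists (size-capped).

function makeGrid(w, h, fill) {
  return Array.from({ length: h }, () => new Array(w).fill(fill));
}

function paintRect(grid, r, value) {
  for (let y = r.y; y < r.y + r.h; y++)
    for (let x = r.x; x < r.x + r.w; x++) grid[y][x] = value;
}

// What the user actually sees: the page with the overlay drawn in its rect.
function composite(page, overlay) {
  const seen = page.map(row => row.slice());
  paintRect(seen, overlay.rect, overlay.value);
  return seen;
}

// Pixels inside r where the visible image and the underlying page disagree.
function diffPixels(seen, underlying, r) {
  let n = 0;
  for (let y = r.y; y < r.y + r.h; y++)
    for (let x = r.x; x < r.x + r.w; x++)
      if (seen[y][x] !== underlying[y][x]) n++;
  return n;
}

// clicked: box of the element under the pointer; form: box of its form, or null.
function clearClickCheck(page, overlay, clicked, form, maxFormArea = 2000) {
  const region = form && form.w * form.h <= maxFormArea ? form : clicked;
  const differing = diffPixels(composite(page, overlay), page, region);
  return { warn: differing > 0, region, differing };
}

// Constructed scene: a 40x30 page with a form holding a text field and a submit button.
const FORM = { x: 5, y: 5, w: 30, h: 20 };
const BUTTON = { x: 10, y: 18, w: 12, h: 4 };
const PAGE = makeGrid(40, 30, 255);
paintRect(PAGE, { x: 10, y: 8, w: 20, h: 4 }, 100); // text field
paintRect(PAGE, BUTTON, 200);                        // the real submit button
// Case 1 (clickjack.php): overlay exactly the button's size and look.
const exactOverlay = { rect: BUTTON, value: 200 };
// Case 2 (clickjack2.php): same look, slightly larger, spilling onto the page around the button.
const largerOverlay = { rect: { x: 10, y: 18, w: 14, h: 6 }, value: 200 };
// A real disguise: something that looks different drawn over the button.
const disguisedOverlay = { rect: BUTTON, value: 60 };
```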
Re: Bypassing NoScript's ClearClick?
Posted by: TheInsider
Date: December 24, 2008 03:42PM

Hi Guys!

This is not about stealing credit or anything, it's about fixing stuff :)
This nice example wasn't displayed correctly in my Firefox 3.0.5 and my Internet Explorer 8 Beta 2.

I fixed it, the problem was the CSS value "top:14px;" instead of "top:4px;", my resolution is 1024*768 (in case that may be the cause of the bug)

Now the "fake" Login button frame is on top of the original login button.

http://www.linkstofiles.com/aspect9/clickjack.htm

http://rafelivgi.blogspot.com
Aspect9 Founder & Chief Security Architect
------------------------------------------
My job is to assess not assassinate
You can spend your life reading what others write or you can spend your life writing for others to read, choose your destiny!

Re: Bypassing NoScript's ClearClick?
Posted by: ma1
Date: April 11, 2009 05:01AM

@tx:
could you please tear down that old "PoC" of yours, since I still receive email messages like the following:

Quote:
Hello,
Just got your latest noscript update, but it still fails this site (no warning given)

It's quite an annoyance having to explain again and again that yours is not clickjacking, since your PoC says "clickjacking bypassing ClearClick".
Thanks...

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Bypassing NoScript's ClearClick?
Posted by: tx
Date: April 20, 2009 01:39AM

@ma1: Sorry, got myself IP banned from ckers.org from my usual IP, not sure why. Anyway, I just saw your message; I'll modify the page now.

-tx @ lowtech-labs.org
