[WEB SECURITY] ClickJacking + CSRF attacking Web Application

MustLive mustlive at websecurity.com.ua
Fri Dec 12 11:23:29 EST 2008

Hello Jackson!

I looked at your video. It's nice video demonstration of an attack on
Joomla, but before I'll answer at your question (is it ClickJacking), I must
note about the video itself.

Some notes:

1. Video is working (Rafal said he cannot view it - it's possibly due lack
of the codec).

2. Video file (extracted from archive) is large. Yes, rar file is small, but
the avi file is large as for such short video. It's because of used codec.

3. Jackson, use more efficient codecs than Microsoft Video 1 for compression
of the video - like DivX or XviD. The result video file will be much

And one security note: you have vulnerability in your video :-) - it's
Information Leakage. You leaked your login and email. And if email is
admissible leakage (and common), than login is not admissible leakage (and
so it's security hole). Besides you leaked it total 7 logins and emails ;-).

> Not so much that it won't play it, because it does, but it's just
> "blank"...

Rafal, as I said, video is working. I think that reason why video isn't
working for you it is codec. Possibly you don't have Microsoft Video 1 codec
(and it's very likely on your Linux).

> Not sure if this is what people call click-jacking

Jack, it isn't ClickJacking. In your case you used CSRF or XSS hole in
Joomla for an attack and triggered this attack after click on the link. In
your case you can do it without any click (i.e automatically), just when
victim visits the page (with attacking code). ClickJacking technique need to
be used when click is required. In your case it's just CSRF or XSS attack
(and it'll be more effective when will be done automatically).


ClickJacking is nice technique, but there is another (which I developed)
more nicer technique - MouseOverJacking. If ClickJacking is first level of
tricky techniques of attack, than MouseOverJacking is next level of
techniques. In ClickJacking victim must make a click, but in
MouseOverJacking no click is required, just only mouse move ;-). Just one 
pixel move in any direction - and it'll trigger an attack.

I showed example of MouseOverJacking at 5th of September 2008 in DoS
vulnerability in Google Chrome (http://websecurity.com.ua/2413/), which was
a part of my project Day of bugs in Google Chrome. And it was earlier before
official announcement of ClickJacking. I called this attack DoS on MouseOver
(Google already fixed that hole). With time I'll do official announcement of
MouseOverJacking with examples of different attacks. You can consider this
post scriptum as pre-official announcement.

Best wishes & regards,
Administrator of Websecurity web site

> Not sure if this is what people call click-jacking or not, here's the
> video
> PoC I made.
> Video <http://www.hackers.web.id/clickjacking-joomla.rar>
> Thanks
> Jackson 

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list