First described in 2008, clickjacking is not the newest web application vulnerability, but it is one that persists on some of the top websites in the world. Clickjacking (also called UI redress) tricks a web user into clicking a button, link or image they did not intend to click, typically by loading the target page in an invisible iframe on an attacker-controlled page and positioning it so that the victim's click lands on a hidden control. The technique can expose confidential information or, less commonly, change settings on the user's machine, as in the original 2008 demonstration that switched on a victim's webcam through the Flash settings dialog. On Facebook, for example, a clickjacked user can be made to share the attacker's content, spamming their entire network of friends from their own account.
What is particularly frustrating is that framebusting offers an easy fix, involving just three lines of JavaScript, and yet year after year the same websites are dogged by this stale vulnerability. Script-based framebusting on its own can be defeated by a hostile framing page, so it should be deployed alongside the X-Frame-Options response header (and, in current browsers, the Content-Security-Policy frame-ancestors directive), which tells the browser not to render the page inside a frame at all. During this session, a member of Qualys' security research team will share information on the scope of this vulnerability across some of the top websites, as well as recommendations on how to put the right countermeasures in place to avoid being the next clickjacking victim.
- Learn more about the risks associated with clickjacking
- Determine whether and how your own web servers and apps are exposed
- Understand how to implement framebusting techniques
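As an added example, not code from the webinar or from Qualys, the following JavaScript shows both halves of the countermeasure described above: the classic script-based framebuster that runs inside the page, and a check of HTTP response headers that tells you whether a page is exposed to framing. Window objects and response headers are constructed locally so the script runs in Node without network access; the hostnames (bank.example, attacker.example, partner.example) are placeholders.

```javascript
// Added example, not code from the webinar or from Qualys. Hostnames such as
// bank.example and attacker.example are placeholders.

// ---- 1. Script-based framebusting (runs inside the page to protect) ----
// The page ships with <style>html{display:none}</style>, so its content is
// invisible until this code confirms it is the top-level window. If it has
// been framed, it navigates the top window to itself. Should a hostile
// framing page manage to block that navigation (onbeforeunload tricks, a
// sandboxed iframe with scripts disabled), the content simply stays hidden
// and there is nothing for the victim to click.
// `win` is passed in so the logic can be exercised outside a browser; a real
// page calls frameBust(window).
function frameBust(win) {
  if (win.self === win.top) {
    win.document.documentElement.style.display = 'block';
    return 'visible';
  }
  win.top.location = win.self.location;
  return 'busted';
}

// Minimal stand-in for a browser window, constructed for testing. framedBy is
// the URL of an attacker page that loaded us in an iframe, or null when we
// are the top-level document.
function makeWindow(url, framedBy) {
  const win = {
    location: url,
    document: { documentElement: { style: { display: 'none' } } },
  };
  win.self = win;
  win.top = framedBy ? { location: framedBy } : win;
  return win;
}

// ---- 2. Server-side exposure check ------------------------------------
// Decide from the headers alone whether a response can be framed. Input is a
// plain object of header name -> value, e.g. res.headers from Node's http
// module or the lines printed by `curl -I`. Browsers that support CSP's
// frame-ancestors ignore X-Frame-Options when that directive is present, so
// X-Frame-Options is consulted only as a fallback.
function framingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  // Multiple CSP headers arrive comma-joined and every policy must allow a
  // framer, so the page is exposed only if each frame-ancestors list is
  // wildcard-like ('*' or a bare scheme such as https:).
  const directives = (h['content-security-policy'] || '')
    .split(/[;,]/)
    .map((d) => d.trim().split(/\s+/))
    .filter((parts) => parts[0].toLowerCase() === 'frame-ancestors');
  if (directives.length > 0) {
    const wildcard = (src) => src === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(src);
    const exposed = directives.every((parts) => parts.slice(1).some(wildcard));
    const lists = directives.map((p) => p.slice(1).join(' ')).join(' / ');
    return { exposed, reason: exposed ? 'frame-ancestors permits any origin' : `frame-ancestors ${lists}` };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { exposed: false, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo === '') {
    return { exposed: true, reason: 'no X-Frame-Options or frame-ancestors' };
  }
  // ALLOW-FROM was never supported by every browser and is ignored today; any
  // other value (ALLOWALL, typos) is ignored too, leaving the page frameable.
  return { exposed: true, reason: `unrecognised X-Frame-Options "${xfo}" is ignored by browsers` };
}

// ---- 3. Headers a server should emit ----------------------------------
// allowedOrigins: CSP source expressions permitted to frame the page
// ("'self'", "https://partner.example", ...). Empty means nobody.
// X-Frame-Options can only say "nobody" or "same origin", so it is added as a
// fallback for older browsers in exactly those two cases.
function antiFramingHeaders(allowedOrigins = []) {
  const sources = allowedOrigins.length ? allowedOrigins.join(' ') : "'none'";
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources}` };
  if (allowedOrigins.length === 0) headers['X-Frame-Options'] = 'DENY';
  else if (allowedOrigins.length === 1 && allowedOrigins[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Constructed sample responses standing in for `curl -I` output.
const SAMPLE_RESPONSES = {
  unprotected: { Server: 'nginx', 'Content-Type': 'text/html' },
  legacy: { 'X-Frame-Options': 'SAMEORIGIN' },
  csp: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  wildcard: { 'Content-Security-Policy': 'frame-ancestors *' },
  typo: { 'X-Frame-Options': 'ALLOWALL' },
  hardened: antiFramingHeaders(),
};

// Map each named response to true (exposed) or false (protected).
function audit(responses) {
  const report = {};
  for (const [name, headers] of Object.entries(responses)) {
    report[name] = framingPolicy(headers).exposed;
  }
  return report;
}

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const { exposed, reason } = framingPolicy(headers);
  console.log(`${name.padEnd(12)} ${exposed ? 'EXPOSED  ' : 'protected'}  ${reason}`);
}
```

To check a live server, feed the header lines from `curl -sI https://your.site/` into `framingPolicy`; a response that lands on "no X-Frame-Options or frame-ancestors" or on an unrecognised X-Frame-Options value is the case the webinar is about.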
About Frank Catucci
Frank Catucci is the Director of Web Application Security and an SME (subject-matter expert) for Qualys. Aside from his daily Web Application Scanning and Application Security duties, Frank also conducts security research and freelance penetration testing, and often speaks at information security conferences and events such as BSides, OWASP and ISSA.
About Daniel Yang
As a Web Application Security Engineer at Qualys, Daniel Yang spends most of his time researching and evaluating the latest vulnerabilities while collecting real-time web performance data to better secure our customers' web applications and environments. As an avid pen tester and security bug hunter, Daniel has discovered multiple vulnerabilities in some of the most popular web applications, such as Joomla, phpBB and Moodle. You can read more about Daniel's research on the Qualys Community blog.