Detection of Visual Clickjacking Vulnerabilities in Incomplete Defenses
https://ipsj.ixsq.nii.ac.jp/records/142335
File | License | Access
---|---|---
| Copyright (c) 2015 by the Information Processing Society of Japan | Open access
Field | Value
---|---
Item type | Trans(1)
Publication date | 2015-06-16
Title | Detection of Visual Clickjacking Vulnerabilities in Incomplete Defenses
Language | eng
Subject scheme | Other
Keywords | [Security] clickjacking, cursorjacking, web security, web application
Resource type identifier | http://purl.org/coar/resource_type/c_6501
Resource type | journal article
Author affiliation | Keio University (both authors)
Authors | Yusuke Takamatsu, Kenji Kono
Abstract type | Other
Abstract | Clickjacking is a new attack that exploits a vulnerability in web applications. It tricks victims into clicking on something different from what they perceive they are clicking on. The victims may reveal confidential information or start unintended online transactions. Clickjacking attacks compromise visual integrity (called visual clickjacking) or condition integrity (called switchover clickjacking) to deceive victims. We address visual clickjacking in this paper. Visual clickjacking can be prevented if appropriate countermeasures such as frame busting are implemented in web applications. However, a correct implementation is not easy: a trivial mistake in the implementation leads to evasion of the countermeasures. For a correct implementation, web developers must have intimate knowledge of the techniques used to evade the countermeasures. In this paper, we propose Clickjuggler, an automated tool for checking defenses against visual clickjacking during development. Clickjuggler generates several types of visual clickjacking attack, performs those attacks on web applications, and checks whether the attacks succeed. By automating the process of checking for the vulnerabilities, web developers are released from the burden of checking the correctness of their implementation. Unskilled developers can benefit from Clickjuggler since no special knowledge of the variety of visual clickjacking and evasion techniques is needed to use it. Our experimental results demonstrate that Clickjuggler can detect visual clickjacking vulnerabilities in 4 real-world web applications and can detect the vulnerabilities in a shorter time than existing tools.
Note | This is a preprint of an article intended for publication in the Journal of Information Processing (JIP). This preprint should not be cited. The article should be cited as: Journal of Information Processing Vol.23 (2015) No.4 (online).
Bibliographic record ID (NCID) | AA11833852
Bibliographic information | IPSJ Transactions on Advanced Computing Systems (ACS), Vol. 8, No. 2, published 2015-06-16
ISSN | 1882-7829
Publisher (ja) | 情報処理学会 (Information Processing Society of Japan)