New CISPA demonstrator protects against clickjacking attacks
"Clickjacking is a combination of the words "click" and "hijacking". This is precisely what virtual scammers do: they lead the mouse clicks of unsuspecting website visitors to where they want them to go. This can be a "like" on someone else's social media page, as well as unwitting consent to download programs, disclose confidential information, or buy products online. This is accomplished because hackers overlay an additional invisible layer on top of the website interface displayed on users' screens, explains CISPA faculty member Dr. Ben Stock, on whose research the demonstrator is based. While users believe they are clicking on a button that directs them to a contest or survey, they are actually clicking to make a fake purchase, for example, and sending money to attackers.
The fact that such attacks can be successful is connected to the structure of the web. Modern websites usually contain code from various places. Third-party content is almost always included in the form of advertising, maps, or payment services, says Stock. Therefore, in order for users to view the website and all of its services, the browser must first gather information from various web servers.
The way in which content may be embedded on websites must be carefully controlled, according to Stock. Otherwise, clickjacking attacks loom. "These can be prevented by site operators and developers incorporating two special security mechanisms that control uncontrolled embedding of their pages. X-Frame Options (XFO) and Content Security Policy (CSP)." However, only if the security mechanisms are also properly configured and if the browser - which ultimately has control - acts accordingly, are websites secure against the attacks.
The CISPA demonstrator "Dr. Headerson" draws on the research paper "A Tale of Two Headers: A Formal Analysis of Inconsistent Clickjacking Protection on the Web" by Stefano Calzavara and Alvise Rabitti of the Università Ca' Foscari in Venice and CISPA researchers Sebastian Roth, Dr. Ben Stock and Prof. Dr. Dr. h.c. Michael Backes. With the demonstrator, CISPA's scientific engineering team has transferred their research into a security tool that can be used by website developers, browser vendors and end users alike.