Security News New Attack "XSSJacking" Combines Clickjacking, Pastejacking, and Self-XSS

Solarquest

Jul 22, 2014

Security researcher Dylan Ayrey detailed last week a new web-based attack named XSSJacking that combines three other techniques — Clickjacking, Pastejacking, and Self-XSS — to steal data from careless users.

Ayrey says XSSJacking can help attackers reach sensitive information for which they would normally need a more complex security flaw, such as a stored XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery), issues which most websites tend to fix when reported.

The attack is not fully-automated, as it still relies on social engineering, a reason why many of today's security bug bounty programs won't even consider it as a security flaw, Ayrey told Bleeping Computer in an email.

Some conditions must be met for XSSJacking attacks
For an XSSJacking attack to take place, some conditions must be met, but then again, every attack, even CSRF and SQL injection, needs one or more special conditions.
For example, in the case of XSSJacking, the target website must be vulnerable to clickjacking.

Clickjacking is a technique that fools users into taking actions they didn't intend. For example, an attacker can place various buttons on a malicious website. On top of these buttons, he loads a portion of a legitimate website inside an iframe, and sets its opacity to 0.

When the user goes to click the button, he's actually clicking inside the hidden iframe. Speaking to Bleeping Computer, Ayrey says that if a user is logged into that website, he can take unwanted actions.

"Imagine the good-guy website had a 'Delete account' button, and imagine the evil website put a 'Click here for a prize' button directly under the iframed [and] now invisible 'Delete account' button," Ayrey said.
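The precondition described above, that the target site can be loaded inside a third-party iframe, is something a site owner can check from the response headers alone. The following is an added example written for this post, not code from Ayrey, Bleeping Computer or MalwareTips; the origins and header sets are constructed. It evaluates X-Frame-Options and the CSP frame-ancestors directive (which takes precedence over X-Frame-Options when both are present) and reports whether a given embedder origin would be allowed to frame the page.

```python
"""Decide from response headers whether a page can be framed by another origin.

Constructed example: all origins and header sets below are made up for
illustration. A page that can be framed by an untrusted origin is exposed to
clickjacking, which is the first link in the XSSJacking chain.
"""
from typing import Dict, List, Optional
from urllib.parse import urlparse


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _csp_allows(sources: List[str], page_origin: str, embedder_origin: str) -> bool:
    """Match an embedder origin against a frame-ancestors source list.

    Handles 'none', 'self', '*', scheme sources (https:), host sources with an
    optional scheme, and a leading wildcard label (*.example.com). Port
    matching is simplified to comparing the netloc string.
    """
    if not sources or sources == ["'none'"]:
        return False
    emb = urlparse(embedder_origin)
    for src in sources:
        if src == "'self'":
            if embedder_origin == page_origin:
                return True
        elif src == "*":
            return True
        elif src.endswith(":"):
            if emb.scheme + ":" == src:
                return True
        else:
            scheme, _, host = src.rpartition("://")
            if scheme and scheme != emb.scheme:
                continue
            if host.startswith("*."):
                # host[1:] is ".example.com", so only subdomains match
                if emb.hostname and emb.hostname.endswith(host[1:]):
                    return True
            elif host == emb.netloc:
                return True
    return False


def framing_allowed(headers: Dict[str, str], page_origin: str, embedder_origin: str) -> bool:
    """True if a page served with these headers could be framed by embedder_origin.

    CSP frame-ancestors wins over X-Frame-Options when both are present.
    With neither header the page is framable by anyone. The obsolete
    ALLOW-FROM value is ignored by modern browsers, so it is treated as no
    protection here, which is the conservative choice for a defender.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        return _csp_allows(sources, page_origin, embedder_origin)
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return embedder_origin == page_origin
    return True


# Constructed sample responses a site might serve (hypothetical, not real sites).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-headers": {},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-overrides-xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors https://partner.example",
    },
}


def clickjacking_report(page_origin: str = "https://goodguy.example",
                        embedder_origin: str = "https://evil.example") -> Dict[str, bool]:
    """Map each sample response to whether embedder_origin could frame it."""
    return {name: framing_allowed(h, page_origin, embedder_origin)
            for name, h in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, framable in clickjacking_report().items():
        print(f"{name:20s} framable by third party: {framable}")
```

In the report only the response with no headers at all comes back as framable by the third-party origin; the "csp-overrides-xfo" case shows why both headers have to be read together, since the CSP directive, not the DENY, decides who may embed the page.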

XSSJacking chains together three attack techniques
......