Scenario:
1. Victim opens the attacker’s web site.
2. Attacker sets up a web site which contains interesting and attractive content like ‘Do you want to make $1000 in a day?’
3. Victim clicks on the interesting and attractive content URL.
4. Attacker creates a transparent ‘iframe’ in front of the URL which the victim attempts to click, so the victim thinks that he/she clicks on the ‘Do you want to make $1000 in a day?’ URL but actually he/she clicks on the content or URL that exists in the transparent ‘iframe’ which is set up by the attacker.
What is the name of the attack which is mentioned in the scenario?
Option 1 : Clickjacking attack
Option 2 : Session Fixation
Option 3 : HTML injection
Option 4 : HTTP parameter Pollution
1. Clickjacking attack
Clickjacking is an attack that tricks a user into clicking a web page element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they’re clicking the visible page but actually they’re clicking an invisible element within the additional page transposed on top of it.
The invisible page might be a malicious page, or a legitimate page the user did not intend to visit, for example a page on the user’s banking site that authorizes the transfer of money.
There are several variations of the clickjacking attack, such as:
- Likejacking – a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they did not actually intend to like.
- Cursorjacking – a UI redressing technique that changes the cursor from the position the user perceives to a different position. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have now been fixed.
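A defender-side check for the framing described above, added here as an example and not part of the original page: it classifies a response by whether another origin may load it in an iframe. The headers it reads (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) are the standard anti-framing controls, which the page itself does not mention; the sample header values are constructed.

```python
# Added example: classify a response's anti-framing policy from its headers.

def framing_policy(headers):
    """Return 'deny', 'same-origin', 'allow-list' or 'unprotected'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # CSP frame-ancestors is checked first; browsers that support it
    # prefer it over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in parts[1:]]
        if not sources or sources == ["'none'"]:
            return "deny"
        if sources == ["'self'"]:
            return "same-origin"
        if "*" in sources:
            return "unprotected"      # any origin may frame the page
        return "allow-list"           # only the listed origins may frame it

    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it counts
    # as no protection, the same as a missing header.
    return "unprotected"


def frameable_paths(responses):
    """Given {path: headers}, list the paths any site could overlay in an iframe."""
    return sorted(p for p, hdrs in responses.items()
                  if framing_policy(hdrs) == "unprotected")


# Constructed sample responses for a hypothetical banking application.
SAMPLE = {
    "/transfer": {"Content-Type": "text/html"},
    "/login": {"X-Frame-Options": "DENY"},
    "/widget": {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors https://partner.example"},
}

if __name__ == "__main__":
    print(frameable_paths(SAMPLE))
```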
2. Session Fixation
Session Fixation is an attack that allows an attacker to hijack a legitimate user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID. When authenticating a user, the application doesn’t assign a new session ID, making it possible to use an existing session ID. The attack consists of obtaining a legitimate session ID (e.g. by connecting to the application), inducing a user to authenticate with that session ID, then hijacking the user-validated session through knowledge of the session ID in use. The attacker has to provide a legitimate web application session ID and try to make the victim’s browser use it.
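The limitation described above, shown next to its fix, as an added example that is not from the original page: a toy in-memory session store with one login routine that keeps the pre-login session ID and one that replaces it. The class, method names and user name are hypothetical.

```python
# Added example: session ID handling at login, vulnerable vs. hardened.
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}            # session ID -> user name (None = anonymous)

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login_vulnerable(self, sid, user):
        # Keeps the pre-login ID: anyone who already knows it now holds
        # an authenticated session for `user`.
        self.sessions[sid] = user
        return sid

    def login_hardened(self, sid, user):
        # Invalidate the pre-login ID and bind the user to a fresh one.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = user
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def fixation_outcome(login_method):
    """Return (user seen under the pre-login ID, user seen under the ID
    returned by login) after 'alice' authenticates."""
    store = SessionStore()
    known_sid = store.new_session()          # ID issued before authentication
    post_login_sid = getattr(store, login_method)(known_sid, "alice")
    return store.whoami(known_sid), store.whoami(post_login_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_outcome("login_vulnerable"))
    print("hardened:  ", fixation_outcome("login_hardened"))
```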
3. HTML injection
Hypertext Markup Language (HTML) injection is a technique used to take advantage of non-validated input to modify a web page presented by a web application to its users. Attackers take advantage of the fact that the content of a web page is often related to a previous interaction with users. When applications fail to validate user data, an attacker can send HTML-formatted text to modify site content that gets presented to other users. A specifically crafted query can cause inclusion in the web page of attacker-controlled HTML elements which change the way the application content gets exposed to the web.
HTML is the language that determines how application data (like a product catalog) gets presented to users in their browser. This language contains visualization commands, like the color of the page’s background and the size of embedded pictures. It also contains links to other web pages, and additional commands intended for the user’s browser. Furthermore, automated tools that collect useful information from the web on behalf of users often do so by systematically accessing and parsing the relevant information in the application’s HTML pages.
In modern interactive web sites, the content of a web page often reflects the results of processing previous user actions. If the user’s input isn’t validated and the application is vulnerable, an attacker can craft and send input to the application that lets him inject pieces of his HTML code into the HTML content of the application’s response.
HTML injection is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page. XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input.
A simple example of potential HTML injection is an application’s “Search” form, in which the user enters a query text. When the user submits the query, the application responds by dynamically generating a web page that shows matching results. This results page often shows the original query text to let the user see the context of those results. If the embedded query text contains syntactically correct HTML, it may add attacker-controlled text, images and links to the generated response page.
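The “Search” results page described above, as an added example that is not from the original page: one renderer echoes the query text as-is, the other escapes it, and a small parser-based check reports which elements the query added to the page. The template, function names and sample query are constructed for illustration.

```python
# Added example: echoing a search query with and without output escaping.
import html
from collections import Counter
from html.parser import HTMLParser

TEMPLATE = "<h1>Results for {query}</h1><ul></ul>"


def render_unsafe(query):
    # The query text is placed into the markup unchanged.
    return TEMPLATE.format(query=query)


def render_escaped(query):
    # <, >, & and quotes become entities, so the query stays plain text.
    return TEMPLATE.format(query=html.escape(query))


class TagCollector(HTMLParser):
    """Record every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


def injected_tags(render, query):
    """Elements present in the rendered page that the template itself lacks."""
    extra = Counter(tags_in(render(query))) - Counter(tags_in(render("")))
    return sorted(extra.elements())


# Constructed sample query containing a link and an image.
QUERY = ('shoes <a href="https://other.example/">Click for results</a>'
         '<img src="https://other.example/banner.png">')

if __name__ == "__main__":
    print("unsafe: ", injected_tags(render_unsafe, QUERY))
    print("escaped:", injected_tags(render_escaped, QUERY))
```

A check like `injected_tags` can be kept as a regression test on any template that echoes user input.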
4. HTTP parameter Pollution
HTTP Parameter Pollution (HPP) is a web attack evasion technique that allows an attacker to craft an HTTP request in order to manipulate or retrieve hidden information. This evasion technique is based on splitting an attack vector between multiple instances of a parameter with the same name. Since none of the relevant HTTP RFCs define the semantics of HTTP parameter manipulation, each web application delivery platform may deal with it differently. In particular, some environments process such requests by concatenating the values taken from all instances of a parameter name within the request. This behavior is abused by the attacker in order to bypass pattern-based security mechanisms.
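Why a pattern-based filter misses a split value, and how to close the gap, as an added example that is not from the original page: one filter inspects each parameter instance separately, the other also inspects the concatenated value and reports repeated names. The rule `alpha.*omega` is a constructed stand-in for a filter signature, and joining with a comma is an assumption about the back-end platform.

```python
# Added example: inspecting repeated query parameters the way the back end reads them.
import re
from urllib.parse import parse_qsl

RULE = re.compile(r"alpha.*omega")   # constructed stand-in for a filter signature


def grouped(query_string):
    """Map each parameter name to the list of all its values, in order."""
    groups = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        groups.setdefault(name, []).append(value)
    return groups


def naive_filter(query_string):
    """Inspect every parameter instance on its own. True means blocked."""
    return any(RULE.search(value)
               for values in grouped(query_string).values()
               for value in values)


def hpp_aware_filter(query_string):
    """Inspect the comma-joined value (assumed back-end behaviour) and
    report duplicated names so the request can be rejected or logged."""
    groups = grouped(query_string)
    duplicated = sorted(n for n, values in groups.items() if len(values) > 1)
    blocked = any(RULE.search(",".join(values)) for values in groups.values())
    return blocked, duplicated


if __name__ == "__main__":
    # Constructed sample requests.
    for qs in ("q=alpha+omega", "q=alpha&q=omega", "q=books&page=2"):
        print(qs, naive_filter(qs), hpp_aware_filter(qs))
```

Where the application never expects a repeated parameter, rejecting any request with a non-empty `duplicated` list is the simpler policy.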