Clicking to the Past
Chris Wysopal, 2008-10-21

When the first details trickled out about a new attack, dubbed “clickjacking” by the researchers who found it, the descriptions made me think of the tricks I used to pull during penetration tests ten years ago to get administrator privileges: Tricking the user into issuing a command on an attacker’s behalf is one of the oldest attack vectors in the book.
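Clickjacking, as the column alludes to, is an overlay trick: the user sees one button and clicks another. The block below is an added example for this page, not code from the column or from SecurityFocus. It shows both halves in plain JavaScript: the attacker's page structure (a visible decoy over an invisible iframe of the victim site) and the defender's check, which reads a response's headers and reports whether a browser that honours them will refuse to render the page inside a third-party frame. The function names, the constructed sample headers and the hostnames are this example's own assumptions, not anything the column describes.

```javascript
// Added example (not from the original column). Names below (buildOverlayPage,
// framingPolicy, SAMPLE_RESPONSES) and the sample data are this example's own.

// Attacker side: the "mysterious button" is a visible decoy; the real control
// is the victim site loaded in an iframe with opacity 0, positioned so the
// victim's button sits exactly under the decoy. Offsets describe where the
// target button lies inside the victim page relative to its top-left corner.
function buildOverlayPage(victimUrl, targetX, targetY) {
  const decoyX = 100, decoyY = 100; // where the decoy sits on the attacker page
  return [
    `<button style="position:absolute;left:${decoyX}px;top:${decoyY}px">Claim prize</button>`,
    `<iframe src="${victimUrl}" style="position:absolute;` +
      `left:${decoyX - targetX}px;top:${decoyY - targetY}px;` +
      'opacity:0;border:0;width:800px;height:600px;z-index:10"></iframe>',
  ].join('\n');
}

// Defender side: classify a response's framing policy from its headers.
// Returns 'deny', 'sameorigin', 'allowlist' or 'framable'.
// CSP frame-ancestors takes precedence over X-Frame-Options when both are
// present; an X-Frame-Options value a browser does not recognise is ignored,
// which is why it falls through to 'framable' here.
function framingPolicy(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : null;
  };
  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim().toLowerCase())
      .find((d) => d.startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.length === 1 && sources[0] === "'none'") return 'deny';
      if (sources.length === 1 && sources[0] === "'self'") return 'sameorigin';
      if (sources.length > 0) return 'allowlist';
    }
  }
  const xfo = get('x-frame-options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return 'deny';
    if (v === 'SAMEORIGIN') return 'sameorigin';
  }
  return 'framable';
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  bank:    { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  legacy:  { 'X-Frame-Options': 'SAMEORIGIN' },
  partner: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  naive:   { 'Content-Type': 'text/html' },
};

// Run the check over every sample and return name -> policy.
function auditSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    out[name] = framingPolicy(headers);
  }
  return out;
}

console.log(auditSamples());
```

Only the `naive` response can be loaded into the overlay built by `buildOverlayPage`; the other three tell the browser to refuse, which is the "what they see is what they will get" guarantee the column asks for, delivered by the site rather than by the browser vendor alone.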

Clicking to the Past 2008-10-29
Anonymous
As you said,
"In the end, browser makers and plug-in developers need to find a way -- even if it inhibits design flexibility -- to let the user trust that what they see is what they will get."

So for the old technique to trick an admin with a command line interface, is there any good way to "let...

Clicking to the Past 2008-11-19
Anonymous (1 reply)
I don't know about you but I don't make a habit of opening mysterious archive files from unknown sources and then extracting them, as root(/bin:/sbin/...), to directories in my path. As for the mysterious and omnipotent button on my banks website, does this subversive little button also magically ex...

Re: Clicking to the Past 2008-11-19
Anonymous
Heheh, no, of course not, and you're entirely right. The ways mentioned here only work on those in need of a serious IT clue bag. ...

Copyright 2009, SecurityFocus