Server-side approaches to clickjacking detection

Brad Hill, PayPal

• Also doesn’t stop pop-under-and-close attacks

Drawbacks of client-enforced screenshot approach
• Incomplete coverage of attack scenarios
– Fake mouse cursor, attention stealing attacks

Adaptive UI Randomization

• Clickjacking attacks are still subject to the read restrictions of the same-origin policy

• Attacker can profit even at a small success rate

• Few interfaces allow randomization among a large number of locations without creating a very poor user experience


• Associate possible clickjacking targets with a beneficiary or beneficiaries

Look at first-click miss rates,


• Can’t distinguish individual clickjacking attempts

• But a campaign of clickjacking will quickly show up – the missed click rate for that bucket will rise above the natural missed click rate
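
The per-beneficiary missed-click check described above, as an added Python example that is not taken from the slides. The event format, the beneficiary names, the `min_clicks` floor and the blind-guess model in `expected_miss_rate` are assumptions; M=3% and σ=1% are the values from the slide's chart legend.

```python
from collections import defaultdict

# Natural first-click miss rate and its standard deviation (values from the
# chart legend on the slide: M=3%, sigma=1%).
NATURAL_MEAN = 0.03
NATURAL_SIGMA = 0.01


def miss_rates(events):
    """events: iterable of (beneficiary, first_click_hit) pairs (assumed format).
    Returns {beneficiary: (clicks, miss_rate)}."""
    clicks, misses = defaultdict(int), defaultdict(int)
    for beneficiary, hit in events:
        clicks[beneficiary] += 1
        if not hit:
            misses[beneficiary] += 1
    return {b: (n, misses[b] / n) for b, n in clicks.items()}


def flag_campaigns(events, mean=NATURAL_MEAN, sigma=NATURAL_SIGMA, k=2.0, min_clicks=100):
    """Return beneficiaries whose miss rate exceeds mean + k*sigma.
    min_clicks (an assumption) keeps tiny buckets from alerting on noise."""
    threshold = mean + k * sigma
    return {b: rate for b, (n, rate) in miss_rates(events).items()
            if n >= min_clicks and rate > threshold}


def expected_miss_rate(attempt_fraction, n_locations, mean=NATURAL_MEAN):
    """Assumed model: a framed click cannot read the randomized position, so it
    lands on the target 1 time in N; genuine users miss at the natural rate."""
    blind_miss = (n_locations - 1) / n_locations
    return (1 - attempt_fraction) * mean + attempt_fraction * blind_miss


# Constructed sample data: 1000 first clicks per beneficiary bucket.
SAMPLE = (
    [("merchant-A", True)] * 970 + [("merchant-A", False)] * 30 +   # 3.0% misses
    [("merchant-B", True)] * 934 + [("merchant-B", False)] * 66     # 6.6% misses
)

if __name__ == "__main__":
    print(flag_campaigns(SAMPLE))        # only merchant-B is above the 5% threshold
    print(expected_miss_rate(0.05, 4))   # 5 attempts per 100 clicks, N=4
```
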


Sensitivity of Clickjacking Detection at two standard deviations from natural missed click rate

[Chart: clickjacking attempts per 100 clicks; series M=3%, σ=1% and M=25%, σ=2%]

Pretty good…

Conversion Rate Improvement with clickjacking before detection at 2σ

[Chart: percentage increase in conversion against N (number of randomized locations); series M=3%, σ=1% and M=25%, σ=2%]

• Instead of turning off service, can trigger a switch to a functional, if less optimal, interface that is more clickjacking resistant
– Popup in dedicated context with X-Frame-Options
– Add a CAPTCHA or re-verify credentials
– These responses can be completely automated, and combined with manual investigation according to standard anti-fraud practices


