The Net of Worms – ClickJacking Delivered Worm

When talking about ClickJacking, people will first think how to use it to Hijack Web Cam or microphone. Let’s forget about webcam jacking thingies this time. Been thinking of how to use iFrame redressing (ClickJacking) techniques to exploit web application security. Finally my mind lands to a word, which is known as ‘Worm’.

Just like the Click-Jacking style Joomla CMS hijackingCSRF and Automation are needed to infect blogs, CMS, forums, and etc. Possible? Yes indeed!

Scenario :

  • Victim log in to his/her blog, and does not sign out from it.
  • Victim visits a malicious site with Click-Jacking, any clicks there will trigger a CSRF attack which will attempt to insert a script into victims blog theme. (Just like Wordpress Theme Editor)
  • The script will generate an iFrame containing Click-Jacking
  • Now the victim’s blog become a zombie that will attempt to infect all his/her blog’s visitors blog.

Isn’t it lovely? Just a thought . . .

Posted in CSRF, Logical, click-jacking | 2 Comments »
Open a Page, Go To Jail

Inspired by RSnake article titled : “Click a Link, Go To Jail”, I wonder if we will go to jail by simply opening a page? I am not sure whether that will gonna happened or not. But my conclusion says maybe Yes! CSRF will be the answer. Read the rest of this entry »

Posted in CSRF, Concept, Logical | 2 Comments »