UI Redress and automated clicking - javascript

There is one thing I don't understand about the UI Redressing attack. Basically what I understand is:
1- The user clicks on a external URL
2- The attackers webpage opens. Inside this webpage, the original webpage is loaded as an iframe in a transparent manner.
3- As the user interacts with the attackers webpage he will actually be interacting with the transparent iframe.
Here is where I am confused. Why does the user even need to interact with the loaded webpage? Once the inner iframe is loaded you can have a javascript code to automate clicks on the page. Since this is all happening on the victims browser the target site will receive the victims session cookie and assume everythings fine.
Am I missing something here? Thanks in advance
Note: Please note this is a UI Redressing attack also known as click-jacking. This is different than phishing attacks.

The user wants to interact with the loaded webpage, because the user is not aware they are visiting a fake (inauthentic) page. I'm not 100% certain about the javascript, but I'm pretty sure the attacker wants to log the user's activity (e.g, keystrokes for a password).

Related

How to use reCAPTCHA as pop up window instead of part of the web?

I made a webpage which can provide some direct downloads. Therefore I only want real human, not crawler, to download my files. I tried to use Google reCAPTCHA but it is part of the webpage - visitors can still use the download links and doesn't have to worry about the reCAPTCHA at all. Is there a way to mandate visitors to pass the verification first? For example, is it possible to pop up reCAPTCHA before the whole page is loaded? If that's doable, how can I do it? Thanks!
What I can recommend here is the captcha form be on the current page that you have and create a new page with the download links that's not indexable.
Upon authorizing the captcha code, use header('Location: download.php'); or something similar to redirect the user.
A captcha before loading a webpage is possible, but it always uses client side code such as javascript which bots can easily bypass.

iframe calls by user or server

I am quite new to web programming and trying to get my head around iframes.
So, let us say I have an iframe on my webpage (which is on a server) to the popular bbc site as follows:
<iframe src="http://www.bbc.co.uk"></iframe>
Now, when the user goes to my page, the iframe loads - but, who is making the calls within the iFrame? (i.e the BBC content?) Is it my server or the user?
I guess another way to ask the question is who's IP will bbc's log see in this case? the web servers or the users IP?
Stupid question I suppose, but I just am confused!
The user's web browser would still be making the request.
You can use your browser's developer tools to see this happen and confirm (they usually pop up by pressing F12). Please become comfortable with them as they will be one of your trusty tools for web development in the future. :)
So to answer your question. Regardless of where the page holding the iframe lives, ultimately the user is still making the request therefore their IP should show up.
Your visitor's browser will simply get a whole HTML page from your server and after that it's up to the browser to make do. As a result, all calls like external scripts or images but also iframes will be made by the client.

How to run JavaScript and click button

I have the next task - I have a page where we have some interaction logic:
After a user clicks a button, my script redirects the user to another site where it must be populate 2 textfields then click button, after redirect to new page it must click on another button.
My project is based on ASP.NET MVC4.
My questions are:
May I do all of this?
If yes, how can I redirect to another page and run my script
P.S.: Second web site isn't my site and everything I know is id of buttons where I need to click.
Elaborating on my comment
You cannot do this in a normal browser. You could write a bookmarklet or two that would navigate and click but there is no script you can write in a web page that will do what you want for security reasons. A long time ago, it was possible in IE to load a banking site into an iFrame and script and monitor user interaction to steal credentials. This has been blocked.
If you save an HTML page with the extension HTA, it can be loaded from harddisk in windows and will have relaxed security so you could load the other site into an iFrame and script the interaction. This is likely not what you want.
The last method is to use for example CURL to get the foreign page, insert stuff and submit the form to the foreign site and return the result. This is not recommended either.
So the question to you is: Why do you need this and are there other ways to do what you want
1) location.href = "http://another.page.com"
2) impossible for security purposes

Stop Javascript Redirect in Pop-Up Window

I'm using the Telerik RadWindow control in one of my applications. When a user wants to authorize Twitter for the application the window displays the OAuth dialog for Twitter.
However, each time I display the pop-up for Twitter OAuth, or even just the plain Twitter page, the entire browser is redirected.
The control works just fine when the URL is pointed at a site other than Twitter. I'd like to see if I can block that redirect, or if perhaps there's an easier way to accomplish the OAuth confirmation. Any advice on how to implement this functionality would be greatly appreciated.
Thanks in advance.
This behavior is probably caused by Twitter. In fact, it should happen on many other sites as well (Facebook and similar). To prevent malicious sites from stealing user passwords, the login page detects if it is displayed in an inline frame (IFRAME element, such as the one used in RadWindow) and if it is, the whole browser window is redirected. This way they can ensure that no rogue JavaScript will be running while the user enters their username and password.
Twitter has properly created their authorization page to prevent cross-site scripting attacks, which means you can't embed it in a frame, or javascript pop-up.
Unfortunately, the only other way to "authorize" is a full redirect, or with a pop-up window, assuming your users allow pop-up windows.
The problem with the pop-up is that you then need a way to "close" it when twitter redirects back to your application. It can be done, but it's a bit tricky to do and who knows if it'd work in multiple browsers. Best to just let your site do a full redirect for now.

Loading js for Facebook Connect on demand

Our site uses Facebook Connect to allow users to post updates to their Facebook. The javascript that allows this has to be loaded directly through Facebook's Feature loader, and we had been loading it on every page where a user might want to connect to Facebook. Unfortunately, because some users have Facebook blocked at their workplace, this is causing our site to hang for those users.
Ideally, what we'd like to do is to load the js through the feature loader only just before it is actually needed. However, we do not know whether the feature will be needed until after the page on which it will be used is already loaded. Specifically, a user will open up a dialog box and check "publish to facebook" before submitting a form by AJAX (but NOT leaving the page). It is at this point that we'd like both to load the Facebook js, and immediately execute the code to bring up their dialog box. Is there a reasonable way to do this?
Essentially what you want to do is load the js on demand after the page has already been loaded. This is certainly doable; there is a decent article that summarizes how you might accomplish it here:
http://ajaxpatterns.org/On-Demand_Javascript
I also like the following little functions from phpjs.org:
http://phpjs.org/functions/require_once:503
http://phpjs.org/functions/include_once:434
http://phpjs.org/functions/include:433

Categories