The Difference Between CSRF and Clickjacking

By Daniel Miessler on October 9th, 2008: Tagged as CSRF | Information Security

This might be obvious to those most familiar with CSRF and Clickjacking, but for those just getting a handle on it, here’s a short explanation of a fundamental difference between the two issues.

CSRF is your browser doing things on your behalf, without you clicking on something directly. A good example of this is your browser loading every image on a hostile website, and having one of those images be an “action” rather than an image. The point is that with CSRF you didn’t really do anything except load the page, and the browser then takes over from there to manifest the vulnerability.

With Clickjacking the user actually does actively interact with something, but the action itself can be “hijacked” by placing a layer between the user and the legitimate action. So imagine that you in a room with an apple on a pedestal, and as you reach for the apple you break an infrared laser beam and open a trap door.

You really did go for the apple with your own hand (unlike CSRF), but in the process you transparently triggered another action that you may not like. The trick for the attacker (using that analogy) is rigging up different types of triggers (infrared lasers) and actions (trapdoor).

Links

http://ha.ckers.org/blog/20081007/clickjacking-details/

  • Digg
  • Reddit
  • StumbleUpon
  • description
  • Google
  • del.icio.us
  • TwitThis
  • Facebook
  • MySpace
  • E-mail this story to a friend!
  • Print this article!

Viewing 1 Comment

    • ^
    • v

    "For the moment, the best defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. Users running that combination will be safe, said Hansen, against "a very good chunk of the issues, 99.99% at this point.""


    http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Spam%2C+Malware+and+Vulnerabilities&articleId=9115700&taxonomyId=85&pageNumber=2


    -=T=-

 

Trackbacks

(Trackback URL)

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus

My Twitter Microblog

    Discovered Content


    About dmiessler.com

    This site is an avatar for my own self-assigned life purpose--an attempt to model the world in the most accurate way possible, and to do so without bias or fear of unpleasant truth. I desire to develop, articulate, and perpetually improve models of how things work, and then to use that understanding to increase happiness and reduce suffering. I seek those on similar paths and thrive on sharing an appreciation of the interesting and beautiful with others.



    Blog
    Study
    Writing
    Infosec
    Technology
    Politics

            

    Top Original Content


    Security & Technology

    Philosophy & Science

    Culture & Society

    Blog Archives