Tuesday, November 7, 2017

HTML5 Drag and Drop abuse with ClickJacking

We came across an interesting observation/article here:

https://medium.com/@arbazhussain/weaponizing-clickjacking-attack-with-click-content-jacking-ab50cb6a37ed

It is possible to hijack content via clickjacking by loading two frames that come from the same domain. Because the two frames are same-origin, the HTML5 drag-and-drop API works between them. Hence, it is possible to force the victim into a “drag-and-drop” followed by a click, which leads to the “Click Content Jacking” concept outlined in the article.
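Since the technique depends on the attacker being able to frame the target page, the primary mitigation is to refuse framing, with a client-side guard on drop events as defence in depth. The following is an added example (not code from the linked article); the helper names `antiFramingHeaders` and `shouldAcceptDrop` and the mocked `win`/`dropEvent` objects are assumptions made for illustration.

```javascript
// Added example: server-side anti-framing headers plus a client-side drop guard.
// Function names are hypothetical; they are not from the linked article.

// Build the response headers that stop this page from being framed.
// allowedAncestors is a list of CSP frame-ancestors sources, e.g. ["'self'"].
// An empty list means nobody may frame the page.
function antiFramingHeaders(allowedAncestors = []) {
  const csp = allowedAncestors.length
    ? `frame-ancestors ${allowedAncestors.join(' ')}`
    : "frame-ancestors 'none'";
  const headers = { 'Content-Security-Policy': csp };
  // X-Frame-Options is a legacy fallback for browsers without CSP level 2.
  // It only expresses DENY or SAMEORIGIN, so it is omitted for other lists.
  if (allowedAncestors.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Decide whether a drop should be honoured. `win` is the window object
// (mocked in the test), `dropEvent` carries a dataTransfer with `types`.
// Refuses when the document is framed, since a same-origin sibling frame
// inside an attacker's page could be the source of the drag, and refuses
// any payload type the page does not expect.
function shouldAcceptDrop(win, dropEvent, allowedTypes) {
  if (win.top !== win.self) {
    return { accept: false, reason: 'framed' };
  }
  const types = Array.from((dropEvent.dataTransfer && dropEvent.dataTransfer.types) || []);
  const typesOk = types.length > 0 && types.every((t) => allowedTypes.includes(t));
  return typesOk
    ? { accept: true, reason: 'ok' }
    : { accept: false, reason: 'unexpected-type' };
}

// Constructed demo: a top-level window and a framed window with a text drop.
function demo() {
  const topWin = {}; topWin.top = topWin; topWin.self = topWin;
  const framedWin = { top: topWin }; framedWin.self = framedWin;
  const ev = { dataTransfer: { types: ['text/plain'] } };
  return {
    headers: antiFramingHeaders(),
    topLevel: shouldAcceptDrop(topWin, ev, ['text/plain']),
    framed: shouldAcceptDrop(framedWin, ev, ['text/plain']),
  };
}
```

In a real page the drop guard runs inside the element's `drop` listener and calls `preventDefault()` when `accept` is false.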