Trick users and bypass warnings – Modern SVG Clickjacking attacks
6 days ago
- #SVG
- #Clickjacking
- #Security
- Introduction to SVG clickjacking, a new technique enabling complex interactive attacks and data exfiltration.
- Explanation of Liquid SVGs and their role in creating realistic refraction effects without canvas or shaders.
- Demonstration of SVG filters working on cross-origin iframes, leading to potential security vulnerabilities.
- Overview of useful SVG filter elements like feImage, feFlood, feOffset, and feDisplacementMap for building attack primitives.
- Example of a fake CAPTCHA attack using feDisplacementMap to trick users into retyping sensitive information.
- Technique for hiding grey placeholder text in inputs using feComposite and feMorphology to mask unwanted text.
- Pixel reading method to detect and respond to user interactions within an iframe, enabling dynamic attacks.
- Implementation of logic gates (AND, OR, NOT, etc.) within SVG filters to create complex conditional attacks.
- Case study of a multi-step clickjacking attack on Google Docs, demonstrating real-world application and impact.
- QR code generation within SVG filters for data exfiltration, leveraging pre-calculated error correction tables.
- Discussion of the novelty of the SVG clickjacking technique and its potential for future security research.