Clickjacking DevCon2011
Transcript of Clickjacking DevCon2011
Developer Conference 2011
MICROSOFT USER GROUP HYDERABAD
It is this easy to steal your click!
Krishna Chaitanya T, Security & Privacy Research Lab, Infosys Labs (Secure Web Development)
Microsoft MVP - Internet Explorer
http://novogeek.com | @novogeek
Agenda!
Your genuine web page can be a victim as well! Let's secure it!!
Saw these on Facebook?
Clickjacking
• Discovered in 2008 by Robert Hansen and Jeremiah Grossman
• Forces a victim to unintentionally click on an invisible page
• Made possible by overlaying transparent layers
• Basic clickjacking:
– Positioning via CSS (JS not required!)
– Follow the mouse cursor via JS
• Advanced techniques:
– Clickjacking + XSS
– Clickjacking + CSRF
– Clickjacking + HTML5 Drag/Drop API
The mischievous <iFrame> tag
• A web page can embed another web page via an iframe
• <iframe src="http://bing.com"></iframe>
• CSS opacity property: 1 = visible, 0 = invisible
Clickjacking using CSS & JS
demo
Frame Busting!
• Techniques for preventing your site from being framed
• Common frame busting code:
if (top != self) {              // condition
  top.location = self.location; // counter action
}
Survey
Acknowledgement: All survey content from Stanford Web Security Research Lab
What’s wrong?
• Walmart.com
if (top.location != location) {
  if (document.referrer && document.referrer.indexOf("walmart.com") == -1) {
    top.location.replace(document.location.href);
  }
}
Error in referrer checking. Attacker URL can be: http://www.attacker.com/walmart.com.html
• USBank.com
if (self != top) {
  var domain = getDomain(document.referrer);
  var okDomains = /usbank|localhost|usbnet/;
  var matchDomain = domain.search(okDomains);
  if (matchDomain == -1) {
    /* frame bust */
  }
}
Error in referrer checking. Attacker URL can be: http://usbank.attacker.com
• Many sites
if (top.location != self.location) {
  parent.location = self.location;
}
'parent' refers to the window one level higher, so double framing will break this.
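Added example, not from the slides: the Walmart and USBank checks above accept any referrer that merely contains the expected string. The version below parses the referrer with the URL API and compares the hostname exactly (or as a subdomain); the allow-list and sample referrers are constructed for illustration, and even a correct referrer check is only a fallback to the X-Frame-Options header the talk recommends.

```javascript
// Referrer-based frame busting done right vs. the substring checks on the slide.
// Constructed allow-list of hosts that are permitted to frame the page.
const ALLOWED_HOSTS = ["walmart.com", "usbank.com"];

// Substring check as used on the slide: "allows" framing whenever the
// referrer contains the needle anywhere (path, query or another hostname).
function substringCheckAllows(referrer, needle) {
  return Boolean(referrer) && referrer.indexOf(needle) !== -1;
}

// Hostname-based check: the referrer's host must equal an allowed host or be
// a subdomain of one. A missing or unparsable referrer is NOT trusted, since
// a hostile framer may simply strip it.
function hostnameCheckAllows(referrer, allowedHosts = ALLOWED_HOSTS) {
  if (!referrer) return false;
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false; // unparsable referrer: treat as hostile
  }
  return allowedHosts.some(
    (allowed) => host === allowed || host.endsWith("." + allowed)
  );
}

// Run both checks over a list of referrers and report the verdicts.
function compareChecks(referrers) {
  return referrers.map((ref) => ({
    referrer: ref,
    substring:
      substringCheckAllows(ref, "walmart.com") || substringCheckAllows(ref, "usbank"),
    hostname: hostnameCheckAllows(ref),
  }));
}

// Constructed sample referrers: one legitimate, the two attacker URLs from
// the slides, and a stripped (empty) referrer.
const SAMPLE_REFERRERS = [
  "http://www.walmart.com/checkout",
  "http://www.attacker.com/walmart.com.html",
  "http://usbank.attacker.com/",
  "",
];

console.log(JSON.stringify(compareChecks(SAMPLE_REFERRERS), null, 2));
```

Only the legitimate referrer passes the hostname check, while the substring check lets both attacker URLs through.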
Busting Frame busting!
HTML5 Sandbox
<iframe sandbox src="http://www.victim.com">
• JavaScript is disabled!
• Prevents XSS
• Prevents defacement
• Facilitates clickjacking!
XSS Filters
• XSS filters in browsers block the script in this iframe!
<iframe src="http://www.example.org/?xyz=%3Cscript%20type=%22text/javascript%22%3Eif"></iframe>
Mobile sites
• Non-mobile sites do frame busting
• What about their mobile versions?
onBeforeUnload Event
<h1>www.attacker.com</h1>
<script>
  window.onbeforeunload = function() {
    return "Do you want to leave your favorite site?";
  }
</script>
<iframe src="http://www.paypal.com">
204 HTTP header
var prevent_bust = 0;
window.onbeforeunload = function() { prevent_bust++; }
setInterval(function() {
  if (prevent_bust > 0) {
    prevent_bust -= 2;
    window.top.location = 'http://no-content-204.com';
  }
}, 1);
<iframe src="http://www.victim.com">
Is there any hope?
X-Frame-Options
• The savior! Innovative idea introduced by Microsoft in IE8
• HTTP header sent on the response
• Possible values: "DENY" and "SAMEORIGIN"
• Implemented by most modern browsers
• Need not depend on JavaScript!
• Ex: Response.AddHeader("X-Frame-Options", "DENY");
• Limitations:
– Poor adoption by sites (because of developer ignorance!)
– No whitelisting: either block all, or allow all
• Nevertheless, advantages outweigh disadvantages.
• Content Security Policy (CSP) introduced by Mozilla
Best JS solution
<style>html { visibility: hidden }</style>
<script>
  if (self == top) {
    document.documentElement.style.visibility = 'visible';
  } else {
    top.location = self.location;
  }
</script>
Frame Busting (X - Frame - Options & JavaScript solutions)
demo
It's your turn now!
• Are your sites clickjacking proof?
• Think about a one-click approval button being clickjacked!
• Go back and add the X-Frame-Options header to your web projects at office (and earn the goodwill of your boss)
• If you are on old browsers, have JS protection in place
• If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for a hidden <iframe> ;)
• Check your social apps and revoke access if not used.
• We learnt to break things to build better things. Ethics plz!
References
• "Busting frame busting: a study of clickjacking vulnerabilities at popular sites" – research paper by Stanford Web Security researchers
• "Birth of a Security Feature: ClickJacking Defense" – IE Blog
• "IE8 Security Part VII – Clickjacking Defenses" – IE Blog
I’m Done!
Blog: novogeek.com
Twitter: @novogeek
Sponsors