Clickjacking DevCon2011


Transcript of Clickjacking DevCon2011

Page 1: Clickjacking DevCon2011

Developer Conference 2011

MICROSOFT USER GROUP HYDERABAD

Page 2: Clickjacking DevCon2011

It is this easy to steal your click!

Krishna Chaitanya T, Security & Privacy Research Lab, Infosys Labs

(Secure Web Development)

Microsoft MVP - Internet Explorer

http://novogeek.com | @novogeek

Page 3: Clickjacking DevCon2011

Agenda!

Your genuine web page can be a victim as well! Let's secure it!

Saw these on Facebook?

Page 4: Clickjacking DevCon2011

Clickjacking

• Discovered in 2008 by Robert Hansen and Jeremiah Grossman

• Forces a victim to unintentionally click on an invisible page

• Made possible by overlaying transparent layers

• Basic clickjacking:

– Positioning via CSS (JS not required!)

– Follow the mouse cursor via JS

• Advanced techniques:

– Clickjacking + XSS

– Clickjacking + CSRF

– Clickjacking + HTML5 Drag/Drop API

Page 5: Clickjacking DevCon2011

The mischievous <iframe> tag

• A web page can embed another web page via an iframe

• <iframe src="http://bing.com"></iframe>

• CSS opacity property: 1 = visible, 0 = invisible

Page 6: Clickjacking DevCon2011

Clickjacking using CSS & JS

demo

Page 7: Clickjacking DevCon2011

Frame Busting!

• Techniques for preventing your site from being framed

• Common frame busting code:

if (top != self) {              // condition
  top.location = self.location; // counter action
}

Page 8: Clickjacking DevCon2011

Survey

Acknowledgement:All survey content from Stanford Web Security Research Lab

Page 9: Clickjacking DevCon2011

What’s wrong?

• Walmart.com

if (top.location != location) {
  if (document.referrer && document.referrer.indexOf("walmart.com") == -1) {
    top.location.replace(document.location.href);
  }
}

Error in referrer checking. The attacker URL can be: http://www.attacker.com/walmart.com.html

• USBank.com

if (self != top) {
  var domain = getDomain(document.referrer);
  var okDomains = /usbank|localhost|usbnet/;
  var matchDomain = domain.search(okDomains);
  if (matchDomain == -1) {
    /* frame bust */
  }
}

Error in referrer checking. The attacker URL can be: http://usbank.attacker.com

• Many sites

if (top.location != self.location) {
  parent.location = self.location;
}

'parent' refers to the window one level higher, so double framing will break this.
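Both referrer mistakes on this slide come from searching for a domain name as a substring of the whole referrer string, where the attacker controls the path and the subdomains. The following is an added example, not code from the deck or from either site: it reproduces the Walmart predicate for comparison and then parses the referrer as a URL, compares only its hostname against an exact allow-list (exact host or a subdomain of it, so the leading dot matters), and treats a missing or unparseable referrer as untrusted. It assumes a global URL constructor (browsers, Node.js 10+); the hosts in ALLOWED_HOSTS are placeholders for a site's own domains.

```javascript
// Added example, not part of the deck: why the referrer checks on this slide fail,
// beside a version that parses the referrer as a URL and compares the hostname
// against an exact allow-list. Assumes a global URL constructor (browsers, Node.js
// 10+); the hosts in ALLOWED_HOSTS are placeholders standing in for a site's own domains.

const ALLOWED_HOSTS = ['walmart.com', 'usbank.com'];

// True when `host` is exactly an allowed host or a subdomain of one.
// The leading dot is what stops "usbank.attacker.com" from matching "usbank.com".
function hostAllowed(host, allowed) {
  const h = host.toLowerCase();
  return allowed.some(a => h === a || h.endsWith('.' + a));
}

// The Walmart check from the slide, reproduced as a predicate: returns true when
// the page would treat the referrer as trusted and NOT bust the frame.
function naiveWalmartTrusts(referrer) {
  return !(referrer && referrer.indexOf('walmart.com') == -1);
}

// Corrected decision: returns { bust, reason }. Only the scheme and hostname of the
// referrer matter; its path and query (text an attacker controls) are ignored.
function shouldFrameBust(referrer, allowed = ALLOWED_HOSTS) {
  // No referrer (privacy settings, HTTPS->HTTP, some proxies) is treated as untrusted
  // rather than silently allowed, which is what the `document.referrer &&` guard did.
  if (!referrer) return { bust: true, reason: 'no referrer' };
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return { bust: true, reason: 'unparseable referrer' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { bust: true, reason: 'unexpected scheme ' + url.protocol };
  }
  if (!hostAllowed(url.hostname, allowed)) {
    return { bust: true, reason: 'referrer host not allowed: ' + url.hostname };
  }
  return { bust: false, reason: 'referrer host allowed: ' + url.hostname };
}

// In a page this would be wired as:
//   if (self != top && shouldFrameBust(document.referrer).bust) { top.location = self.location; }
// using top, never parent, so that double framing does not defeat it.
```

This only repairs the string-matching mistake; the check still depends on the referrer being sent at all, which the X-Frame-Options header and the visibility-based script later in the deck do not.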

Page 10: Clickjacking DevCon2011

Busting Frame busting!

HTML5 Sandbox

<iframe sandbox src="http://www.victim.com">

• JavaScript is disabled!

• Prevents XSS

• Prevents defacement

• Facilitates clickjacking!

XSS Filters

• XSS filters in browsers block this iframe!

<iframe src="http://www.example.org/?xyz=%3Cscript%20type=%22text/javascript%22%3Eif"></iframe>

Mobile sites

• Non-mobile sites do frame busting

• What about their mobile versions?

onBeforeUnload Event

<h1>www.attacker.com</h1>
<script>
window.onbeforeunload = function() {
  return "Do you want to leave your favorite site?";
}
</script>
<iframe src="http://www.paypal.com">

204 HTTP header

var prevent_bust = 0
window.onbeforeunload = function() { kill_bust++ }
setInterval(function() {
  if (kill_bust > 0) {
    kill_bust -= 2;
    window.top.location = 'http://no-content-204.com'
  }
}, 1);
<iframe src="http://www.victim.com">

Page 11: Clickjacking DevCon2011

Is there any hope?

Page 12: Clickjacking DevCon2011

X-Frame-Options

• The savior! An innovative idea introduced by Microsoft in IE8

• HTTP header sent on the response

• Possible values: "DENY" and "SAMEORIGIN"

• Implemented by most modern browsers

• Does not depend on JavaScript!

• Ex: Response.AddHeader("X-Frame-Options", "DENY");

• Limitations:

– Poor adoption by sites (because of developer ignorance!)

– No whitelisting: either block all, or allow all

• Nevertheless, the advantages outweigh the disadvantages.

• Content Security Policy (CSP) introduced by Mozilla
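The slide shows the header being set from ASP.NET; the following is an added example in Node.js, not code from the deck or from any browser vendor. It sets both headers on a response (X-Frame-Options for the IE8-era browsers, and the CSP frame-ancestors directive, which supplies the whitelist the slide says X-Frame-Options lacks), and it includes a checker that reads a response's headers and reports whether a given top-level origin may frame the page, so an audit of your own sites can be run over captured headers. It assumes Node.js (res.setHeader as on http.ServerResponse, global URL); every origin in the sample run is made up, and ports in frame-ancestors source expressions are not handled.

```javascript
// Added example, not part of the deck: a server-side helper that sets the
// anti-framing headers, and a checker that reads a response's headers and says
// whether a given top-level origin may frame the page. Assumes Node.js
// (res.setHeader as on http.ServerResponse, global URL); every origin below is
// made up. Ports in frame-ancestors source expressions are not handled.

// Send both headers. X-Frame-Options covers browsers of the IE8 era; the CSP
// frame-ancestors directive is what supplies the allow-list X-Frame-Options lacks.
// `ancestors` lists allowed framer origins in CSP syntax; empty means "nobody".
function setAntiFramingHeaders(res, ancestors = []) {
  const list = ancestors.length ? ancestors.join(' ') : "'none'";
  res.setHeader('Content-Security-Policy', 'frame-ancestors ' + list);
  // X-Frame-Options can only say "nobody" or "only me", so anything beyond 'self'
  // degrades to DENY for browsers that understand nothing else.
  const onlySelf = ancestors.length === 1 && ancestors[0] === "'self'";
  res.setHeader('X-Frame-Options', onlySelf ? 'SAMEORIGIN' : 'DENY');
}

// Does one frame-ancestors source expression match the framing origin?
function sourceMatches(src, framerOrigin, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const f = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return f.protocol === s;   // scheme-only source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/.exec(s);
  if (!m) return false;                                          // unsupported or malformed source
  const [, scheme, wildcard, host] = m;
  if (scheme && f.protocol !== scheme + ':') return false;
  return wildcard ? f.hostname.endsWith('.' + host) : f.hostname === host;
}

// Returns { allowed, by } where `by` names which header decided. When a
// frame-ancestors directive is present it wins over X-Frame-Options, as in browsers.
function framingAllowed(headers, framerOrigin, pageOrigin) {
  const h = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = String(headers[k]);
  const directives = (h['content-security-policy'] || '').split(';').map(d => d.trim().split(/\s+/));
  const fa = directives.find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // An empty source list means 'none'; some() over [] is false, so that falls out naturally.
    const allowed = fa.slice(1).some(src => sourceMatches(src, framerOrigin, pageOrigin));
    return { allowed, by: 'csp' };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, by: 'xfo' };
  if (xfo === 'SAMEORIGIN') return { allowed: framerOrigin === pageOrigin, by: 'xfo' };
  // No header, or a value browsers do not recognise and therefore ignore: frameable by anyone.
  return { allowed: true, by: 'none' };
}

// Constructed sample run: a stand-in for http.ServerResponse that records headers.
function demo() {
  const res = { headers: {}, setHeader(name, value) { this.headers[name] = value; } };
  const page = 'https://www.victim.example';
  setAntiFramingHeaders(res, ["'self'", 'https://*.partner.example']);
  return {
    headers: res.headers,
    partner: framingAllowed(res.headers, 'https://app.partner.example', page),
    attacker: framingAllowed(res.headers, 'http://www.attacker.example', page),
    unprotected: framingAllowed({}, 'http://www.attacker.example', page),
  };
}
```

Run demo() to see the two headers a partner-whitelisting site would send, the partner origin being allowed via CSP, the attacker origin being refused, and a response with no headers at all reported as frameable by anyone, which is the state most sites were in at the time of the talk.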

Page 13: Clickjacking DevCon2011

Best JS solution

<style>html { visibility: hidden }</style>
<script>
if (self == top) {
  document.documentElement.style.visibility = 'visible';
} else {
  top.location = self.location;
}
</script>

Page 14: Clickjacking DevCon2011

Frame Busting (X - Frame - Options & JavaScript solutions)

demo

Page 15: Clickjacking DevCon2011

It's your turn now!

• Are your sites clickjacking proof?

• Think about a one-click approval button being clickjacked!

• Go back and add the X-Frame-Options header to your web projects at office (and earn the goodwill of your boss)

• If you are on old browsers, have JS protection in place

• If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for a hidden <iframe> ;)

• Check your social apps and revoke access if not used.

• We learnt to break things to build better things. Ethics, please!

Page 16: Clickjacking DevCon2011

References

• "Busting frame busting: a study of clickjacking vulnerabilities at popular sites" – research paper by Stanford Web Security researchers.

• "Birth of a Security Feature: ClickJacking Defense" – IE Blog

• "IE8 Security Part VII – Clickjacking Defenses" – IE Blog

Page 17: Clickjacking DevCon2011

I’m Done!

Blog: novogeek.com

Twitter: @novogeek

Page 18: Clickjacking DevCon2011

Sponsors