Clickjacking (UI Redressing)
Transcript of Clickjacking (UI Redressing)
![Page 1: Clickjacking (UI Redressing)pages.cpsc.ucalgary.ca/~joel.reardon/526/notes/slide-18-clickjacking… · for clickjacking, it means changing the UI after the user decides to click but](https://reader034.fdocuments.net/reader034/viewer/2022042812/5facd8a1ba824c18f712ab18/html5/thumbnails/1.jpg)
Clickjacking (UI Redressing)
Clickjacking
portmanteau of “click hijacking”
attacker overlays multiple transparent or opaque frames
trick a user into clicking a button or link on another page
circumvents same-origin policy
malicious page cannot click the link itself
Clickjacking in the Wild: Facebook worm
superimposes invisible iframe over entire page that links to victim’s Facebook page
If victim is logged in, automatically recommends link to new friends as soon as it is clicked on.
Twitter Clickjack
Users send out tweets against their will.
Users are tricked into clicking a post-to-twitter link.
Works if they are logged in
But wait: how isn’t this just XSRF?
Clickjacking attack: when a user’s mouse click is used in a way that was not intended by user.
Simple Example
<a onMouseDown="window.open('http://www.evil.com')" href="http://www.google.com/">
anchor text
</a>
anchor goes to evil.com
why the google.com?
iframes
any website can frame any other website
have a subwindow or such that shows its content
main frame does not need to handle all the logic of managing two things
subframe can be its own session, links clicking, changing page, etc.
<iframe src="http://www.google.com/..."></iframe>
HTML attributes include opacity (percentage visible)
1.0: totally visible
0.0: totally invisible
z-index: position on the stack (top gets clicks)
pointer-events: set to none to say ignore click (goes to next)
Drag-and-Drop Abuse
same origin policy stops the html page from “seeing” what the user selects in an iframe
e.g., reading an iframe text field’s .textContent throws an exception
but selected text can be dragged into an object despite same origin
motive is that user does this deliberately
i.e., mouse events cannot be spoofed
How can this be exploited?
Abusing Drag-n-Drop
only need to get the user to drag and drop for any reason
hidden iframes will load the data that the evil site wants
destination will be an HTML object within the evil site’s control
user is tricked into circumventing same origin policy
Cursorjacking
mouse cursor can be turned off in the web browser
CSS cursor property supports “none”
then create another cursor in javascript that follows the mouse movement
different looking cursors won’t necessarily be suspicious
though different cursor physics will be noticeable
Strokejacking: suppose that bank.com needed the user to enter in numbers for an amount to do a bank transfer.
That is, clicks aren’t enough: the user has to hit keys.
SOP stops this from being faked.
Strokejacking
site convinces the user to type some keystrokes on a simulated input field
actual keystrokes being sent to the iframe that needs it
e.g., numbers become the amount to send.
how could the user be tricked?
All these attacks conspire to break SOP.
They require human effort to click or type, and the user is being tricked into doing that.
Compromise Temporal Integrity
temporal integrity refers to the state remaining the same in time
security issue involving something changing after security check is done but before something being allowed by that check is done
TOCTTOU: time of check to time of use
for clickjacking, it means changing the UI after the user decides to click but before the click occurs
e.g., if logic executes on onClick, then change UI on mouseDown
e.g., bait the user to double click, and swap the UI between them
Solution: user confirmation
Good site pops up dialogue box with info about what it is about to do and confirms
awful user experience
Solution: UI Randomization
Good site embeds form elements at random locations so it is hard to overlay
e.g., paypal pay button always in different location
awful user experience
multi-click attack
Solution: Opaque Policy
no element can be transparent
each pixel belongs to a single element
any problems?
Partial Overlaps and Cropping
don’t completely cover the target
instead hide the important parts
e.g., message that you mean to post
e.g., amount that your credit card is charged
Solution: Frame Busting
I am the page owner (what gets put in iframe)
I insist that I am never loaded in an iframe
if (top != self) top.location.href = location.href;
Frame Busting
conditional check for iframing
take counter-action if iframing is detected
then no user behaviour on site is result of clickjacking
doesn’t work for embedded stuff like facebook “like” buttons but oh well
So clickjacking is solved!
Frame Busting in the Wild
survey of practices by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson
looked at Alexa top 500 websites and all top US banks
14% use framebusting
found 100% of framebusting can be circumvented one way or another
oops
some browser specific
some cross browser
Frequently it was in the code to allow their own iframes
i.e., I don’t want to be an iframe, but I want to have my own things as iframes
and they are okay with being iframes as long as I’m still the main frame.
This policy can be hard to implement.
Walmart’s Framebusting
if (top.location != location)
  if (document.referrer && document.referrer.indexOf("walmart.com") == -1)
    top.location.replace(document.location.href);
Error in Referrer Checking: website http://www.attacker.com/walmart.com.html has the iframe
The New York Times’s Framebusting
if (window.self != window.top && !document.referrer.match(/https?:\/\/[^?\/]+\.nytimes\.com\//))
  self.location = top.location;
Error in Referrer Checking: website http://eve.com/a.html?b=https://www.nytimes.com/ has the iframe
US Bank’s Framebusting
if (self != top) {
  var domain = getDomain(document.referrer);
  var okDomains = /usbank|localhost|usbnet/;
  var matchDomain = domain.search(okDomains);
  if (matchDomain == -1)
    // frame bust
}
Error in Referrer Checking: website http://usbank.attacker.com has the iframe
or the Norwegian State House Bank http://www.husbanken.no
or the Bank of Moscow http://www.rusbank.org
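The three referrer checks above, as an added example that is not from the slides or the paper they cite: each is rewritten as a pure function returning true when the check would allow the framing page, beside a strict host comparison. getDomain() is not shown on the slides, so a hostname extractor is assumed here; the framing URLs are the ones the slides name.

```javascript
// Added example: the flawed referrer checks from the slides, each returning true
// when it would ALLOW the framing page, next to a strict allow-list comparison.

// Assumed stand-in for US Bank's getDomain(): the hostname of the referrer URL.
function getDomain(referrer) {
  try { return new URL(referrer).hostname; } catch (e) { return ""; }
}

// Walmart: bust only if a referrer is present AND lacks the substring. An empty
// referrer therefore fails open, and the substring may sit anywhere in the URL.
function walmartAllows(referrer) {
  return !(referrer && referrer.indexOf("walmart.com") === -1);
}

// New York Times: the regex is not anchored to the start of the string, so a
// matching URL inside the query string satisfies it.
function nytAllows(referrer) {
  return /https?:\/\/[^?\/]+\.nytimes\.com\//.test(referrer);
}

// US Bank: unanchored alternation searched within the hostname, so any host that
// merely contains "usbank" passes.
function usbankAllows(referrer) {
  return getDomain(referrer).search(/usbank|localhost|usbnet/) !== -1;
}

// Strict version: parse the URL, take the hostname only, and require an exact
// match or a genuine subdomain of an allow-listed host. Fails closed on a
// missing or unparsable referrer.
function strictAllows(referrer, allowedHosts) {
  let host;
  try { host = new URL(referrer).hostname.toLowerCase(); } catch (e) { return false; }
  return allowedHosts.some(h => host === h || host.endsWith("." + h));
}

// Constructed inputs: the framing pages named on the slides.
const ATTACKER_PAGES = {
  walmart: "http://www.attacker.com/walmart.com.html",
  nyt: "http://eve.com/a.html?b=https://www.nytimes.com/",
  usbank: ["http://usbank.attacker.com", "http://www.husbanken.no", "http://www.rusbank.org"],
};
```

Even the strict check depends on a header the browser may omit or strip, which is why the deck ends with the browser enforcing the policy instead.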
Typical Frame Busting code:
if (parent.location != self.location)
  parent.location = self.location;
Double Framing Attack:
main frame has <iframe src="frame2.html">
frame2.html has <iframe src="victim.com">
A fix?
if (top.location != self.location)
  top.location = self.location;
Location Clobbering
IE7: var location = "clobbered";
Safari: window.__defineSetter__("location", function(){});
Asking Nicely
Frame busting from Paypal will be cancelled if the user clicks cancel.
The pop-up is actually the iframer’s onbeforeunload function.
Best for now
style html’s body as “display: none”
try to framebust if “self != top”
change style to “display: block” if “self == top”
Going Forward
X-Frame-Options HTTP header sent with page
two possible values: DENY and SAMEORIGIN
DENY: page will not render if framed
SAMEORIGIN: page will only render if top frame has same origin
well supported in browsers, not sites
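A runnable model of the defences the deck closes with, added here and not part of the slides: the typical parent-based bust against the double-framing case, the "best for now" hidden-body pattern, and X-Frame-Options as a supporting browser applies it. Real browser objects are replaced by a constructed window-like frame tree so the logic runs outside a browser, and origins are plain "scheme://host" strings; both are assumptions of this example.

```javascript
// Added example: frame-busting variants and X-Frame-Options against a constructed
// frame tree (no real browser involved).

// Constructed frame tree for the page at bank.example: depth 0 = it is the top
// frame, depth 1 = framed once by attacker.example, depth 2 = the double-framing
// case (an intermediate frame between the page and the top).
function fakeWindow(depth) {
  const page = { location: "https://bank.example/transfer",
                 document: { body: { style: { display: "none" } } } }; // hidden via CSS
  page.self = page;
  let frame = page;
  for (let i = 0; i < depth; i++) {
    frame.parent = { location: "https://attacker.example/frame" + i };
    frame = frame.parent;
  }
  frame.parent = frame;   // the outermost frame is its own parent
  page.top = frame;
  return page;
}

// The "typical" bust: redirect the parent. Returns whether the page ended up as
// the top-level document; with double framing the top frame is never touched.
function typicalBust(win) {
  if (win.parent.location !== win.self.location) win.parent.location = win.self.location;
  return win.top.location === win.self.location;
}

// The "best for now" pattern: the body starts hidden, is revealed only once we know
// we are the top frame, and otherwise a bust is attempted. Even if the bust is
// cancelled (onbeforeunload) or location is clobbered, nothing clickable is shown.
function bestForNow(win) {
  const style = win.document.body.style;
  if (win.self === win.top) { style.display = "block"; return "shown"; }
  win.top.location = win.self.location;
  return "hidden";
}

// X-Frame-Options as a supporting browser applies it. topOrigin is null when the
// page is not framed at all. An absent or unrecognised header value is assumed to
// be ignored, i.e. the page renders unprotected.
function renderDecision(xfo, pageOrigin, topOrigin) {
  if (topOrigin === null) return true;
  const value = (xfo || "").trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return pageOrigin === topOrigin;
  return true;
}
```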