UI-Redressing Attacks - The Process & Exploitation


UI-Redressing Attacks - The Process & Exploitation by Amol Naik at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

Transcript of UI-Redressing Attacks - The Process & Exploitation

Page 1: UI-Redressing Attacks - The Process & Exploitation

Mercedes-Benz Research and Development India

UI-Redressing Attacks: The Process & Exploitation
Amol Naik
4th Aug 2012

Page 2: UI-Redressing Attacks - The Process & Exploitation


UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

Agenda

• Introduction to UI-Redressing attacks
• Server-Side Mitigations
• Bug Bounties
• Target
• Tools
• CSS Basics
• Exploitation Techniques

Page 3: UI-Redressing Attacks - The Process & Exploitation


I am

• Web Application Pentester
• Bug Hunter – Google, Facebook, Twitter
• Web Challenges Coder for nullcon HackIM since 2011
• Winner of ClubHACK preCON 2011 CTF
• Active member of Garage4Hackers
• Blog at: http://amolnaik4.blogspot.com
• Twitter: @amolnaik4


Page 4: UI-Redressing Attacks - The Process & Exploitation


UI-Redressing Attacks

• Change the user interface in the browser
  - Invisible iframes
  - CSS tricks
  - HTML5 Drag-Drop
• The victim clicks a button/link on the attacker’s site
• He/she is actually clicking on the vulnerable site


Page 5: UI-Redressing Attacks - The Process & Exploitation


UI-Redressing Attacks


Page 6: UI-Redressing Attacks - The Process & Exploitation


Impact

• One-click attack
• CSRF protection bypass
• Cross-domain content extraction
• Exploit “Self XSS”

Page 7: UI-Redressing Attacks - The Process & Exploitation


Server-Side Mitigations

• X-Frame-Options
  - HTTP response header
  - Supported by all current browsers
• X-Frame-Options: DENY
  - The page cannot be rendered in a frame, regardless of the site attempting to do so
• X-Frame-Options: SAMEORIGIN
  - The page can only be rendered in a frame on the same origin as the page itself

Page 8: UI-Redressing Attacks - The Process & Exploitation


Server-Side Mitigations

• Frame Busting Code
  - JavaScript
  - Ensures the current frame is the top-level window
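As an added example that is not from the deck, this is the frame-busting pattern in the form OWASP's legacy guidance recommends, split into a pure decision function and the browser-side action so the logic can be exercised with stub window objects. It assumes the served page hides `<body>` with a `<style id="fb-hide">` element first, so a framed copy shows nothing even if the script never runs; the element id is an assumption of this example.

```javascript
// Added example, not from the slides: "hide first, reveal only when top-level" frame busting.

// True when the page is the top-level browsing context (not inside any frame).
// Comparing win.top with win.self by identity needs no cross-origin property access.
function isTopLevel(win) {
  return win.top === win.self;
}

// Runs in the page. Returns a verdict string so the behaviour is observable in tests.
function bustFrame(win) {
  if (isTopLevel(win)) {
    // Not framed: remove the hiding stylesheet and let the page render.
    const hide = win.document.getElementById('fb-hide');
    if (hide && hide.parentNode) hide.parentNode.removeChild(hide);
    return 'shown';
  }
  try {
    // Framed: navigate the outermost window to this page, leaving the framing site.
    win.top.location = win.self.location.href;
  } catch (e) {
    // Some browsers throw on cross-origin location writes; the body stays hidden anyway.
  }
  return 'busted';
}

// Markup a server would emit at the top of a sensitive page: hide first, decide in script.
function frameBusterMarkup() {
  return [
    '<style id="fb-hide">body { display: none !important; }</style>',
    '<script>',
    isTopLevel.toString(),
    bustFrame.toString(),
    'bustFrame(window);',
    '</script>',
  ].join('\n');
}
```

The hide-first ordering matters: a buster that only redirects can be defeated by keeping its script from running, which is exactly what the "Bursting Frame Buster" slide later in this deck describes, so treat this as defence in depth below the X-Frame-Options header rather than a substitute for it.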

Page 9: UI-Redressing Attacks - The Process & Exploitation


Bug Bounties

• Google
  - Bounty up to $3133.7
  - XSS, CSRF main focus
  - Researcher will be listed in the Google Security Hall of Fame
• Facebook
  - Bounty up to $5000
  - XSS, CSRF, Open Redirect, Database Injection
  - Researcher will be listed in the Facebook WhiteHat List

Page 10: UI-Redressing Attacks - The Process & Exploitation


Target

• CSRF Protected actions

• Pages with sensitive information in page-source

• Self XSS

Page 11: UI-Redressing Attacks - The Process & Exploitation


Tools

Page 12: UI-Redressing Attacks - The Process & Exploitation


CSS Basics

• Opacity
  - Sets the transparency of an element
• Top, Left
  - Negative values shift elements out of the browser window
• Position
  - Static (default)
  - Relative
  - Absolute
  - Fixed

Page 13: UI-Redressing Attacks - The Process & Exploitation


Exploitation Techniques

Page 14: UI-Redressing Attacks - The Process & Exploitation


Simple Clickjacking

• Google
  - Remove Google Books service
  - FIXED
• Facebook
  - Add any Facebook app
  - FIXED

Page 15: UI-Redressing Attacks - The Process & Exploitation


Hijack 2 Clicks

• Google
  - Remove Google Web History, Health & Orkut
  - FIXED

Page 16: UI-Redressing Attacks - The Process & Exploitation


Cross-Domain Content Extraction

• Facebook
  - Get token from page source
  - Use of HTML5 Drag-Drop
  - Only possible in Firefox 13
  - FIXED

Page 17: UI-Redressing Attacks - The Process & Exploitation


Fake Captcha

• Facebook
  - Get token
  - FIXED

Page 18: UI-Redressing Attacks - The Process & Exploitation


Self-XSS

• Scenario
  - Input field is vulnerable to XSS
  - The vulnerable page sends the user input to another page, and the output is reflected back into the vulnerable page
  - An Ajax call is used to send the user data
  - GET/POST XSS exploitation methods don’t work
  - How to exploit?

Page 19: UI-Redressing Attacks - The Process & Exploitation


Self-XSS

• Solution
  - HTML5 Drag-Drop
• Google
  - Google Maps examples
  - Google Base examples
  - FIXED

Page 20: UI-Redressing Attacks - The Process & Exploitation


Bursting Frame Buster

• Adobe
  - Adobe Flash Manager settings page
  - Discovered & reported by “Nafeez Ahmed AKA skeptic_fx”
  - “204 No Content” is the trick
  - FIXED

Page 21: UI-Redressing Attacks - The Process & Exploitation


Thanks

• Lavakumar K: http://www.andlabs.org
• Kotowicz: http://blog.kotowicz.net
• Nafeez Ahmed: http://blog.skepticfx.com
• Marcus Niemietz: “UI Redressing: Attacks & Countermeasures Revisited”
• OWASP: http://www.owasp.org
• Imperva: http://www.imperva.com
• W3School: http://www.w3school.com

Page 22: UI-Redressing Attacks - The Process & Exploitation


Questions

• Amol Naik
  - http://amolnaik4.blogspot.com
  - @amolnaik4