Clickjacking DevCon2011
Transcript

  • 1. Developer Conference 2011
    MICROSOFT USER GROUP HYDERABAD
  • 2. It is this easy to steal your click!
    (Secure Web Development)
    Krishna Chaitanya T
    Security & Privacy Research Lab, Infosys Labs
    Microsoft MVP - Internet Explorer
    http://novogeek.com | @novogeek
  • 3. Agenda!
    Saw these on Facebook?
    Your genuine web page can be a victim as well! Let's secure it!
  • 4. Clickjacking
    Discovered in 2008 by Robert Hansen and Jeremiah Grossman
    Forces a victim to unintentionally click on an invisible page
    Made possible by overlaying transparent layers
    Basic clickjacking:
    Positioning via CSS (JS not required!)
    Follow the mouse cursor via JS
    Advanced techniques:
    Clickjacking + XSS
    Clickjacking + CSRF
    Clickjacking + HTML5 Drag/Drop API
  • 5. The mischievous <iframe> tag
    A web page can embed another web page via iframe
    <iframe src="http://bing.com"></iframe>
    CSS opacity property: 1 = fully visible, 0 = invisible
  • 6. Clickjacking using CSS & JS
    demo
  • 7. Frame Busting!
    Techniques for preventing your site from being framed
    Common frame busting code:
    if (top != self) { // condition
      top.location = self.location; // counter action
    }
  • 8. Survey
    Acknowledgement: All survey content from Stanford Web Security Research Lab
  • 9. What’s wrong?
    Walmart.com
    if (top.location != location) {
      if (document.referrer &&
          document.referrer.indexOf("walmart.com") == -1) {
        top.location.replace(document.location.href);
      }
    }
    USBank.com
    if (self != top) {
      var domain = getDomain(document.referrer);
      var okDomains = /usbank|localhost|usbnet/;
      var matchDomain = domain.search(okDomains);
      if (matchDomain == -1) {
        /* frame bust */
      }
    }
    Many
    if (top.location != self.location) {
      parent.location = self.location;
    }
    • Error in referrer checking. Attacker URL can be: http://www.attacker.com/walmart.com.html
    • 10. Error in referrer checking. Attacker URL can be: http://usbank.attacker.com
    • 11. ‘parent’ refers to the window one level higher, so double framing (framing the framing page inside yet another frame) breaks this.
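The two referrer-check mistakes on this slide can be reproduced outside a browser. The following is an added example, not code from the slides or from the sites named above: naiveReferrerOk imitates the substring/regex style of the Walmart and USBank snippets, while strictReferrerOk parses the referrer as a URL and compares the host name exactly or as a real subdomain. The trusted-domain list and the sample referrers are constructed for illustration; the two attacker URLs are the ones the slide gives.

```javascript
// Added example (not from the slides): substring matching on document.referrer
// versus an exact host comparison. Domains and referrers are constructed samples.

// Naive check in the spirit of the Walmart (indexOf) and USBank (/usbank|.../)
// snippets: the referrer only has to *contain* the trusted name somewhere.
const NAIVE_PATTERN = /walmart\.com|usbank/;
function naiveReferrerOk(referrer) {
  return NAIVE_PATTERN.test(referrer);
}

// Stricter check: parse the referrer, take only its hostname, and require an
// exact match or a proper subdomain (dot boundary) of a trusted host.
const TRUSTED_HOSTS = ["walmart.com", "usbank.com"]; // assumed allow-list
function strictReferrerOk(referrer) {
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false; // empty or unparseable referrer: treat as untrusted
  }
  return TRUSTED_HOSTS.some((d) => host === d || host.endsWith("." + d));
}

// Constructed referrers: two legitimate ones, the two bypasses named on the
// slide, a look-alike registrable domain, and an empty (suppressed) referrer.
const SAMPLE_REFERRERS = [
  "http://www.walmart.com/cart",
  "https://online.usbank.com/login",
  "http://www.attacker.com/walmart.com.html",
  "http://usbank.attacker.com/",
  "http://evilwalmart.com/",
  "",
];

// Side-by-side verdicts for each sample referrer.
function compareChecks(referrers = SAMPLE_REFERRERS) {
  return referrers.map((r) => ({
    referrer: r,
    naive: naiveReferrerOk(r),
    strict: strictReferrerOk(r),
  }));
}

console.table(compareChecks());
```

Run it with node. Even the strict version still depends on document.referrer, which may be empty or suppressed, so it remains weaker than the self == top test in the "Best JS solution" slide or the X-Frame-Options header; the point here is only that substring matching on a whole URL is not a host check.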
  • Busting Frame busting!
    HTML5 Sandbox
    <iframe sandbox src="http://www.victim.com"></iframe>
    • JavaScript is disabled!
    • 12. Prevents XSS
    • 13. Prevents Defacement
    • 14. Facilitates clickjacking! (the framed page's JavaScript frame-busting code never runs)
    onbeforeunload event
    <h1>www.attacker.com</h1>
    <script>
    window.onbeforeunload = function() {
      return "Do you want to leave your favorite site?";
    }
    </script>
    <iframe src="http://www.paypal.com"></iframe>
    XSS Filters
    • XSS filters in browsers block this iframe!
    <iframe src="http://www.example.org/?xyz=%3Cscript%20type=%22text/javascript%22%3Eif"></iframe>
    204 HTTP header
    var kill_bust = 0;
    window.onbeforeunload = function() { kill_bust++; }
    setInterval(function() {
      if (kill_bust > 0) {
        kill_bust -= 2;
        window.top.location = 'http://no-content-204.com';
      }
    }, 1);
    <iframe src="http://www.victim.com"></iframe>
    Mobile sites
    • Non-mobile sites do frame busting
    • 15. What about their mobile versions?
  • Is there any hope?
  • 16. X-Frame-Options
    The savior! Innovative idea introduced by Microsoft in IE8
    HTTP header sent on the response.
    Possible values: "DENY" and "SAMEORIGIN"
    Implemented by most modern browsers
    Does not depend on JavaScript!
    Ex: Response.AddHeader("X-Frame-Options", "DENY");
    Limitations:
    Poor adoption by sites (because of developer ignorance!)
    No whitelisting – either block all, or allow all.
    Nevertheless, advantages outweigh disadvantages.
    Content Security Policy (CSP) introduced by Mozilla
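Setting the header is a one-liner on any server; the harder part is finding the pages (mobile versions included, as the previous slide asks) that still lack it. The following is an added example in Node.js, not code from the slides or the speaker's projects: frameProtectionHeaders and applyFrameProtection emit the header for a response, and auditFrameOptions classifies captured response headers as protected, missing, or carrying an unrecognised value. Only the two values the slide names (DENY, SAMEORIGIN) count as protective; all URLs and headers below are constructed sample data.

```javascript
// Added example (not from the slides): emitting X-Frame-Options from a Node.js
// response and auditing captured responses for it. Sample data is constructed.

// The two values the slide names. Anything else is reported, not guessed at.
const FRAME_POLICIES = new Set(["DENY", "SAMEORIGIN"]);

// Header(s) a response should carry. DENY is the default; use SAMEORIGIN only
// when your own pages genuinely need to frame each other.
function frameProtectionHeaders(policy = "DENY") {
  const value = String(policy).toUpperCase();
  if (!FRAME_POLICIES.has(value)) {
    throw new Error("unsupported X-Frame-Options value: " + policy);
  }
  return { "X-Frame-Options": value };
}

// Apply the header to any response object exposing setHeader(name, value),
// which is what Node's http.ServerResponse provides. Call it before writeHead.
function applyFrameProtection(res, policy = "DENY") {
  for (const [name, value] of Object.entries(frameProtectionHeaders(policy))) {
    res.setHeader(name, value);
  }
  return res;
}

// Classify one captured response by its headers. HTTP header names are
// case-insensitive and values may carry stray whitespace, so normalise first.
function auditFrameOptions(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value).trim();
  }
  const xfo = lower["x-frame-options"];
  if (xfo === undefined) return "missing";
  return FRAME_POLICIES.has(xfo.toUpperCase()) ? "protected" : "unrecognized";
}

// Constructed sample: a desktop login page done right, a widget that frames
// itself, a mobile login page that forgot the header, and a legacy host
// sending a value that is not one of the two defined ones.
const SAMPLE_RESPONSES = [
  { url: "https://www.example.test/login",  headers: { "Content-Type": "text/html", "X-Frame-Options": "DENY" } },
  { url: "https://www.example.test/widget", headers: { "content-type": "text/html", "x-frame-options": " sameorigin " } },
  { url: "https://m.example.test/login",    headers: { "Content-Type": "text/html" } },
  { url: "https://legacy.example.test/",    headers: { "X-Frame-Options": "ALLOWALL" } },
];

// One verdict per captured response.
function auditAll(responses = SAMPLE_RESPONSES) {
  return responses.map((r) => ({ url: r.url, status: auditFrameOptions(r.headers) }));
}

console.table(auditAll());
```

To use applyFrameProtection in a real server, call it on the ServerResponse inside your request handler; to audit real sites, replace SAMPLE_RESPONSES with the headers object from each fetched response. Treat every "missing" and "unrecognized" row as a page that still relies on JavaScript frame busting alone.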
  • 17. Best JS solution
    <style>html { visibility: hidden }</style>
    <script>
    if (self == top) {
    document.documentElement.style.visibility = 'visible';
    } else {
    top.location = self.location;
    }
    </script>
  • 18. Frame Busting (X - Frame - Options & JavaScript solutions)
    demo
  • 19. It's your turn now!
    Are your sites clickjacking proof?
    Think about a one-click approval button being clickjacked!
    Go back and add the X-Frame-Options header to your web projects at the office (and earn the goodwill of your boss)
    If you are on old browsers, have JS protection in place
    If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for a hidden <iframe> ;)
    Check your social apps and revoke access if not used.
    We learnt to break things to build better things. Ethics please!
  • 20. References
    “Busting frame busting: a study of clickjacking vulnerabilities at popular sites” – Research paper by Stanford Web Security researchers.
    Birth of a Security Feature: ClickJackingDefense-IE Blog
    IE8 Security part VII – Clickjacking Defenses – IE Blog
  • 21. I’m Done!
    Blog: novogeek.com
    Twitter: @novogeek
  • 22. Sponsors
