Developer Conference 2011 MICROSOFT USER GROUP HYDERABAD
It is this easy to steal your click! (Secure Web Development)
Krishna Chaitanya T
Security & Privacy Research Lab, Infosys Labs
Microsoft MVP - Internet Explorer
http://novogeek.com | @novogeek
Agenda!
Saw these on Facebook?
Your genuine web page can be a victim as well!
Let's secure!!
Clickjacking
Discovered in 2008 by Robert Hansen and Jeremiah Grossman
Forces a victim to unintentionally click on an invisible page
Made possible by overlaying transparent layers
Basic clickjacking:
  Positioning via CSS (JS not required!)
  Follow the mouse cursor via JS
Advanced techniques:
  Clickjacking + XSS
  Clickjacking + CSRF
  Clickjacking + HTML5 Drag/Drop API
The mischievous <iframe> tag
A web page can embed another web page via an iframe:
<iframe src="http://bing.com"></iframe>
CSS opacity property: 1 = fully visible, 0 = invisible
It's your turn now!
Are your sites clickjacking-proof? Think about a one-click approval button being clickjacked!
Go back and add the X-Frame-Options header to your web projects at office (and earn the goodwill of your boss)
If you must support old browsers, have JS frame-busting protection in place
If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for hidden <iframe> ;)
Check your social apps and revoke access if not used.
We learnt to break things to build better things. Ethics plz!
References
“Busting frame busting: a study of clickjacking vulnerabilities at popular sites” – research paper by Stanford web security researchers
Birth of a Security Feature: ClickJacking Defense – IE Blog
IE8 Security Part VII – Clickjacking Defenses – IE Blog