Clickjacking DevCon2011
Presentation Transcript

  • Developer Conference 2011
    MICROSOFT USER GROUP HYDERABAD
  • It is this easy to steal your click!
    (Secure Web Development)
    Krishna Chaitanya T
    Security & Privacy Research Lab, Infosys Labs
    Microsoft MVP - Internet Explorer
    http://novogeek.com | @novogeek
  • Agenda!
    Saw these on Facebook?
    Your genuine web page can be victim as well! Lets secure!!
  • Clickjacking
    Discovered in 2008 by Robert Hansen and Jeremiah Grossman
    Tricks a victim into clicking on an invisible page element without realising it
    Made possible by overlaying transparent layers (a framed target page on top of a decoy)
    Basic clickjacking:
    Positioning via CSS (JS not required!)
    Following the mouse cursor via JS
    Advanced techniques:
    Clickjacking + XSS
    Clickjacking + CSRF
    Clickjacking + HTML5 Drag/Drop API
  • The mischievous <iframe> tag
    A web page can embed another web page via an iframe
    <iframe src="http://bing.com"></iframe>
    CSS opacity property: 1 = fully visible, 0 = fully transparent (but still clickable)
  • Clickjacking using CSS & JS
    demo
  • Frame Busting!
    Techniques for preventing your site from being framed
    Common frame busting code:
    if (top != self) {                // condition: are we running inside a frame?
      top.location = self.location;   // counter action: navigate the top window to ourselves
    }
  • Survey
    Acknowledgement: all survey content is from the Stanford Web Security Research Lab
  • What’s wrong?
    Walmart.com
    if (top.location != location) {
      if (document.referrer &&
          document.referrer.indexOf("walmart.com") == -1) {
        top.location.replace(document.location.href);
      }
    }
    USBank.com
    if (self != top) {
      var domain = getDomain(document.referrer);
      var okDomains = /usbank|localhost|usbnet/;
      var matchDomain = domain.search(okDomains);
      if (matchDomain == -1) {
        /* frame bust */
      }
    }
    Many
    if (top.location != self.location) {
      parent.location = self.location;
    }
    • Error in referrer checking: the check only looks for the substring "walmart.com" anywhere in the referrer, so the attacker page can be http://www.attacker.com/walmart.com.html
    • Error in referrer checking: the regex matches "usbank" anywhere in the hostname, so the attacker page can be http://usbank.attacker.com
    • ‘parent’ refers to the window one level higher, not the top window. Double framing (the attacker frames a page that in turn frames the victim) breaks this.
  • Busting Frame busting!
    HTML5 Sandbox
    <iframe sandbox src="http://www.victim.com">
    • JavaScript is disabled inside the frame!
    • Prevents XSS
    • Prevents defacement
    • Facilitates clickjacking, because the victim’s frame-busting script never runs!
    onbeforeunload event
    <h1>www.attacker.com</h1>
    <script>
    window.onbeforeunload = function() {
      return "Do you want to leave your favorite site?";
    }
    </script>
    <iframe src="http://www.paypal.com">
    • When the framed page tries to navigate top, the browser shows the attacker’s "leave this page?" prompt; if the user cancels, the frame bust fails
    XSS Filters
    • Browser XSS filters can be turned against the victim: the attacker echoes the victim’s frame-busting script in the URL, and the filter "neutralises" that script in the framed page
    <iframe src="http://www.example.org/?xyz=%3Cscript%20type=%22text/javascript%22%3Eif"></iframe>
    204 HTTP header
    var kill_bust = 0;
    window.onbeforeunload = function() { kill_bust++; };
    setInterval(function() {
      if (kill_bust > 0) {
        kill_bust -= 2;
        window.top.location = 'http://no-content-204.com';
      }
    }, 1);
    <iframe src="http://www.victim.com">
    • Each time the victim’s frame buster tries to navigate top, the attacker immediately redirects top to a URL that answers 204 No Content; a 204 cancels the pending navigation, so the page stays put and the victim stays framed
    Mobile sites
    • Non-mobile sites do frame busting
    • What about their mobile versions?
  • Is there any hope?
  • X-Frame-Options
    The savior! Introduced by Microsoft in IE8
    HTTP header sent on the response
    Possible values: "DENY" and "SAMEORIGIN"
    Implemented by most modern browsers
    Does not depend on JavaScript, so none of the frame-busting bypasses above apply
    Ex: Response.AddHeader("X-Frame-Options", "DENY");
    Limitations:
    Poor adoption by sites (because developers don’t know it exists!)
    No whitelisting: DENY blocks every framer and SAMEORIGIN allows only your own origin; there is no way to permit one specific third-party site
    Nevertheless, the advantages outweigh the disadvantages.
    Content Security Policy (CSP), introduced by Mozilla, later added a frame-ancestors directive that takes a list of allowed origins and supersedes X-Frame-Options in browsers that support it
  • Best JS solution
    <style>html { visibility: hidden }</style>
    <script>
    if (self == top) {
      document.documentElement.style.visibility = 'visible';
    } else {
      top.location = self.location;
    }
    </script>
    • The page starts hidden and reveals itself only when it is the top window. If an attacker frames it with sandbox (JS disabled) or blocks the top.location navigation, the page simply stays blank, so there is nothing for the victim to click
  • Frame Busting (X - Frame - Options & JavaScript solutions)
    demo
  • It’s your turn now!
    Are your sites clickjacking proof?
    Think about a one-click approval button being clickjacked!
    Go back and add the X-Frame-Options header to your web projects at the office (and earn the goodwill of your boss)
    For users on old browsers that ignore the header, keep the JS protection in place as well
    If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for a hidden <iframe> ;)
    Check your social apps and revoke access to the ones you no longer use.
    We learnt to break things to build better things. Ethics, please!
  • References
    “Busting frame busting: a study of clickjacking vulnerabilities at popular sites” – research paper by the Stanford Web Security researchers
    “Birth of a Security Feature: Clickjacking Defense” – IE Blog
    “IE8 Security Part VII: Clickjacking Defenses” – IE Blog
  • I’m Done!
    Blog: novogeek.com
    Twitter: @novogeek
  • Sponsors