Clickjacking DevCon2011




  1. Developer Conference 2011
     MICROSOFT USER GROUP HYDERABAD

  2. It is this easy to steal your click!
     (Secure Web Development)
     Krishna Chaitanya T
     Security & Privacy Research Lab, Infosys Labs
     Microsoft MVP - Internet Explorer
     | @novogeek

  3. Agenda!
     Saw these on Facebook?
     Your genuine web page can be a victim as well! Let's secure it!

  4. Clickjacking
     Discovered in 2008 by Robert Hansen and Jeremiah Grossman
     Forces a victim to unintentionally click on an invisible page
     Made possible by overlaying transparent layers
     Basic clickjacking:
       Positioning via CSS (JS not required!)
       Follow the mouse cursor via JS
     Advanced techniques:
       Clickjacking + XSS
       Clickjacking + CSRF
       Clickjacking + HTML5 Drag/Drop API

  5. The mischievous <iframe> tag
     A web page can embed another web page via an iframe:
       <iframe src=""></iframe>
     CSS opacity property: 1 = visible, 0 = invisible

  6. Clickjacking using CSS & JS
     demo

  7. Frame Busting!
     Techniques for preventing your site from being framed
     Common frame busting code:
       if (top != self) {            // condition
         top.location = self.location; // counter action
       }

  8. Survey
     Acknowledgement: all survey content is from the Stanford Web Security Research Lab

  9. What's wrong?

       if (top.location != location) {
         if (document.referrer && document.referrer.indexOf("") == -1) {
           top.location.replace(document.location.href);
         }
       }

     Error in referrer checking. Attacker URL can be:

       if (self != top) {
         var domain = getDomain(document.referrer);
         var okDomains = /usbank|localhost|usbnet/;
         var matchDomain = domain.search(okDomains); // restored from the Stanford survey; the extraction dropped this line
         if (matchDomain == -1) { /* frame bust */ }
       }

     Error in referrer checking. Attacker URL can be:

     Many
       if (top.location != self.location) {
         parent.location = self.location;
       }

     'parent' refers to the window one level higher, so double framing will break this.

  10. Busting Frame busting!
      HTML5 Sandbox
        <iframe sandbox src="">
      JavaScript is disabled!
      Prevents XSS
      Prevents defacement
      Facilitates clickjacking!

  11. onBeforeUnload event
        <h1></h1>
        <script>
        window.onbeforeunload = function() {
          return "Do you want to leave your favorite site?";
        }
        </script>
        <iframe src="">

  12. XSS Filters
      XSS filters in browsers block this iframe!
        <iframe src="Eif"></iframe>

  13. 204 HTTP header
        var prevent_bust = 0
        window.onbeforeunload = function() { kill_bust++ }
        setInterval(function() {
          if (kill_bust > 0) {
            kill_bust -= 2;
            = ''
          }
        }, 1);
        <iframe src="">

  14. Mobile sites
      Non-mobile sites do frame busting
      What about their mobile versions?

  15. Is there any hope?

  16. X-Frame-Options
      The savior! Innovative idea introduced by Microsoft in IE8
      HTTP header sent on the response.
      Possible values: "DENY" and "SAMEORIGIN"
      Implemented by most modern browsers
      Need not depend on JavaScript!
      Ex: Response.AddHeader("X-Frame-Options", "DENY");
      Limitations:
        Poor adoption by sites (because of developer ignorance!)
        No whitelisting – either block all, or allow all.
      Nevertheless, the advantages outweigh the disadvantages.
      Content Security Policy (CSP) introduced by Mozilla

  17. Best JS solution
        <style>html { visibility: hidden }</style>
        <script>
        if (self == top) {
          = 'visible';
        } else {
          top.location = self.location;
        }
        </script>

  18. Frame Busting (X-Frame-Options & JavaScript solutions)
      demo

  19. It's your turn now!
      Are your sites clickjacking proof?
      Think about a one-click approval button being clickjacked!
      Go back and add the X-Frame-Options header to your web projects at the office (and earn the goodwill of your boss)
      If you are on old browsers, have JS protection in place
      If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for a hidden <iframe> ;)
      Check your social apps and revoke access if not used.
      We learnt to break things to build better things. Ethics please!

  20. References
      "Busting frame busting: a study of clickjacking vulnerabilities at popular sites" – research paper by Stanford Web Security researchers.
      Birth of a Security Feature: Clickjacking Defense – IE Blog
      IE8 Security Part VII – Clickjacking Defenses – IE Blog

  21. I'm Done!
      Blog:
      Twitter: @novogeek

  22. Sponsors
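The DENY / SAMEORIGIN semantics from slide 16, as an added example that is not part of the deck: a model of the decision a browser that honours X-Frame-Options makes, plus an audit helper for answering "are your sites clickjacking proof?" over captured response headers. The `{ name: value }` header shape and the origin strings are this example's own assumptions.

```javascript
// Added example (not from the slides). Models how a browser that honours
// X-Frame-Options decides whether a response may be rendered inside a frame,
// and provides an audit verdict for a crawl of your own site's responses.
// Header objects are plain { name: value } maps (assumption); origins are
// "scheme://host[:port]" strings (assumption).

// Collect every distinct X-Frame-Options value. Header names are
// case-insensitive, and a server may emit the header twice or comma-join values.
function xfoValues(headers) {
  const found = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== 'x-frame-options') continue;
    for (const part of String(value).split(',')) found.push(part.trim().toUpperCase());
  }
  return [...new Set(found)];
}

// Would a browser render pageOrigin inside frames whose ancestor documents have
// the origins in ancestorOrigins (top-level first)? Only DENY and SAMEORIGIN
// are recognised, exactly as the slide says; anything else gives no protection.
function browserAllowsFraming(headers, pageOrigin, ancestorOrigins) {
  const values = xfoValues(headers);
  if (values.length === 0) return true;        // no header: anyone may frame it
  if (values.length > 1) return false;         // conflicting values: browsers refuse to render
  if (values[0] === 'DENY') return false;
  if (values[0] === 'SAMEORIGIN') {
    // Every ancestor must share the origin, so a same-origin frame nested inside
    // a foreign page (the double-framing case) is still rejected.
    return ancestorOrigins.every((origin) => origin === pageOrigin);
  }
  return true;                                 // unrecognised value: ignored by browsers
}

// Defender's audit verdict for one captured response.
function auditFrameOptions(headers) {
  const values = xfoValues(headers);
  if (values.length === 0) return 'MISSING: add X-Frame-Options: DENY or SAMEORIGIN';
  if (values.length === 1 && (values[0] === 'DENY' || values[0] === 'SAMEORIGIN')) {
    return 'OK: ' + values[0];
  }
  return 'INVALID: ' + values.join(',') + ' (not DENY/SAMEORIGIN, do not rely on it)';
}

// Constructed sample: a response with no header at all, as a quick self-check.
auditFrameOptions({ 'Content-Type': 'text/html' });
```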