Make profit with UI-Redressing attacks.

Make Profit with UI-Redressing AMol NAik http://amolnaik4.blogspot.com

Agenda UI-Redressing Server-Side Mitigations How to make Profit? What to Target? Tools to Hack CSS Basics Exploitation Techniques Conclusion

UI-Redressing  Change User Interface in browser  Victim clicks button on attacker site  He/she actually clicking button on Vulnerable siteSource: http://www.imperva.com/resources/glossary/clickjacking_ui-redressing.html

UI-Redressing Mostly neglected by vendors  Why? – Need user interaction  Browser dependancy Impact:  Same as CSRF  One click – GONE!!  Bypass CSRF protections  Exploit “Self-XSS”  Cross-domain Content Extraction

Server-Side Mitigations X-Frame-Options  Response Header  Supported by most of the latest browsers  Two possible values to use:  DENY  The page cannot be displayed in a frame, regardless of the site attempting to do so  SAMEORIGIN  The page can only be displayed in a frame on the same origin as the page itself.

Server-Side Mitigations  Frame Bursting Code  JavaScript  Ensures the current frame is the most top level windowSource: https://www.owasp.org/index.php/Clickjacking

How to make Profit? Bug Bounties  Google  Pays from $500 to $3133.7  XSS, CSRF are prime focus  Name will be listed in Google Security Hall of Fame http://www.google.com/about/corporate/company/halloffame.html  Facebook  Starting from $500  XSS, CSRF, Open Redirect, Database Injection  Name will be listed in Facebook WhiteHat http://www.facebook.com/whitehat

What to Target? CSRF protected actions Pages with tokens Self-XSS

Tools to Hack Browser  I use Add-ons  Clickjacking Defense – Declarative Security  Created by Aditya k Sood  Check for “X-Frame-Options”  Firebug  Many uses  CSS editing On-the-Fly

CSS Basics Opacity  Set Transparency for the element Top, Left  Negative values shift elements out of the browser window Position  Specifies the type of positioning method used for an element  Static (default) - The box is a normal box. The top, right, bottom, and left properties do not apply.  Relative - The boxs position is calculated according to the normal flow  Absolute - The boxs position is specified with the top, right, bottom, and left properties  Fixed - The boxs position is calculated according to the absolute model, but in addition, the box is fixed.

Exploitation Techniques

Exploitation Techniques Action with Single Click  Technique: Simple Clickjacking  Ex: Remove Google Books

Exploitation Techniques Action with 2 user clicks  Technique: Fake Arithmetic Captcha  Ex: Remove Google Orkut Service

Exploitation Techniques Single CSRF token  Technique: Fake Captcha with SVG Masking  Cross-Domain Content Extraction  Ex: Facebook XHR

Exploitation Techniques Multiple CSRF tokens in source  Technique: Drag-n-Drop with “view-source”  Cross-Domain Content Extraction  Ex: Facebook PoC

Exploitation Techniques Self-XSS Exploitation  Technique: Drag-n-Drop  Ex: Google Code XSS

Conclusion Profit & Fame Most of the sites didn’t implement protections Firefox still supports for “view-source” scheme Attack technique depends on target Imagination is only the limitation

References https://www.owasp.org/index.php/Clickjacking http://ui-redressing.mniemietz.de/uiRedressing.pdf http://html5sec.org/ http://blog.kotowicz.net/2011/07/cross-domain- content-extraction-with.html http://www.blog.fortitsecurity.com/2011/09/facebook- graph-api-access-token.html http://www.w3.org/TR/CSS2/visuren.html#positioning -scheme

Questions http://twitter.com/amolnaik4

http://amolnaik4.blogspot.com	735
http://amolnaik4.blogspot.in	300
http://null.co.in	218
http://amolnaik4.blogspot.com.es	12
http://amolnaik4.blogspot.co.uk	9
http://amolnaik4.blogspot.fr	8
http://amolnaik4.blogspot.com.au	7
http://amolnaik4.blogspot.it	6
http://amolnaik4.blogspot.com.br	5
http://amolnaik4.blogspot.co.nz	4
http://amolnaik4.blogspot.se	4
http://amolnaik4.blogspot.de	3
http://amolnaik4.blogspot.com.ar	2
http://www.blogger.com	1
http://amolnaik4.blogspot.mx	1

Make profit with UI-Redressing attacks.

by n|u - The Open Security Community on Dec 13, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

15 Embeds 1,315

Statistics

Make profit with UI-Redressing attacks. — Presentation Transcript