Make profit with UI-Redressing attacks.

By Amol Naik - October 2011 Meet


  1. Make Profit with UI-Redressing. Amol Naik, http://amolnaik4.blogspot.com
  2. Agenda
     - UI-Redressing
     - Server-Side Mitigations
     - How to make Profit?
     - What to Target?
     - Tools to Hack
     - CSS Basics
     - Exploitation Techniques
     - Conclusion
  3. UI-Redressing
     - Change the user interface in the browser
     - The victim clicks a button on the attacker's site
     - He/she is actually clicking a button on the vulnerable site
     - Source: http://www.imperva.com/resources/glossary/clickjacking_ui-redressing.html
  4. UI-Redressing
     - Mostly neglected by vendors. Why?
       - Needs user interaction
       - Browser dependency
     - Impact:
       - Same as CSRF
       - One click – GONE!!
       - Bypass CSRF protections
       - Exploit "Self-XSS"
       - Cross-domain content extraction
  5. Server-Side Mitigations: X-Frame-Options
     - Response header
     - Supported by most of the latest browsers
     - Two possible values:
       - DENY: the page cannot be displayed in a frame, regardless of the site attempting to do so
       - SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself
  6. Server-Side Mitigations: Frame-Busting Code
     - JavaScript
     - Ensures the current frame is the top-level window
     - Source: https://www.owasp.org/index.php/Clickjacking
  7. How to make Profit? Bug Bounties
     - Google
       - Pays from $500 to $3133.7
       - XSS and CSRF are the prime focus
       - Name will be listed in the Google Security Hall of Fame: http://www.google.com/about/corporate/company/halloffame.html
     - Facebook
       - Starting from $500
       - XSS, CSRF, Open Redirect, Database Injection
       - Name will be listed in Facebook WhiteHat: http://www.facebook.com/whitehat
  8. What to Target?
     - CSRF-protected actions
     - Pages with tokens
     - Self-XSS
  9. Tools to Hack
     - Browser
     - Add-ons I use:
       - Clickjacking Defense - Declarative Security, created by Aditya K Sood; checks for "X-Frame-Options"
       - Firebug: many uses, including CSS editing on the fly
  10. CSS Basics
     - Opacity: sets transparency for the element
     - Top, Left: negative values shift elements out of the browser window
     - Position: specifies the type of positioning method used for an element
       - Static (default): the box is a normal box; the top, right, bottom, and left properties do not apply
       - Relative: the box's position is calculated according to the normal flow
       - Absolute: the box's position is specified with the top, right, bottom, and left properties
       - Fixed: the box's position is calculated according to the absolute model, but in addition the box is fixed
  11. Exploitation Techniques
  12. Exploitation Techniques: Action with a Single Click
     - Technique: Simple Clickjacking
     - Ex: Remove Google Books
  13. Exploitation Techniques: Action with 2 User Clicks
     - Technique: Fake Arithmetic Captcha
     - Ex: Remove Google Orkut Service
  14. Exploitation Techniques: Single CSRF Token
     - Technique: Fake Captcha with SVG Masking
     - Cross-domain content extraction
     - Ex: Facebook XHR
  15. Exploitation Techniques: Multiple CSRF Tokens in Source
     - Technique: Drag-n-Drop with "view-source"
     - Cross-domain content extraction
     - Ex: Facebook PoC
  16. Exploitation Techniques: Self-XSS Exploitation
     - Technique: Drag-n-Drop
     - Ex: Google Code XSS
  17. Conclusion
     - Profit & Fame
     - Most sites didn't implement protections
     - Firefox still supports the "view-source" scheme
     - Attack technique depends on the target
     - Imagination is the only limitation
  18. References
     - https://www.owasp.org/index.php/Clickjacking
     - http://ui-redressing.mniemietz.de/uiRedressing.pdf
     - http://html5sec.org/
     - http://blog.kotowicz.net/2011/07/cross-domain-content-extraction-with.html
     - http://www.blog.fortitsecurity.com/2011/09/facebook-graph-api-access-token.html
     - http://www.w3.org/TR/CSS2/visuren.html#positioning-scheme
  19. Questions: http://twitter.com/amolnaik4
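Slides 5 and 9 describe the X-Frame-Options header and checking for it as the way to tell whether a page can be framed. The following checker is an added example, not code from the deck or its author: it classifies a response's framing protection from a plain dict of headers, covering the edge cases a scanner meets (case-insensitive names, a conflicting doubled header, the ALLOW-FROM value, and the later CSP frame-ancestors directive, which supersedes X-Frame-Options when present). All sample responses are constructed inline.

```python
"""Classify a response's framing protection (X-Frame-Options: DENY / SAMEORIGIN
as described on slide 5). Added example; headers are a constructed dict, so
nothing is fetched over the network."""
from typing import Dict, Tuple


def framing_status(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) with verdict in {"protected", "unprotected", "review"}."""
    # HTTP header names are case-insensitive; normalise before looking them up.
    lower = {name.lower(): value for name, value in headers.items()}

    # CSP's frame-ancestors directive (a later standard than the deck) also
    # controls framing, and browsers ignore X-Frame-Options when it is present.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        if directive.strip().lower().startswith("frame-ancestors"):
            return "protected", f"CSP {directive.strip()}"

    raw = lower.get("x-frame-options")
    if raw is None:
        return "unprotected", "X-Frame-Options header missing"

    # A header emitted twice arrives joined as "DENY, SAMEORIGIN"; browsers do
    # not agree on how to treat conflicting values, so flag it for a human.
    values = {v.strip().upper() for v in raw.split(",")}
    if len(values) == 1:
        value = values.pop()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected", f"X-Frame-Options: {value}"
        if value.startswith("ALLOW-FROM"):
            # ALLOW-FROM was never supported by Chrome or Safari.
            return "unprotected", f"ALLOW-FROM is not honoured everywhere ({raw!r})"
        return "unprotected", f"unrecognised X-Frame-Options value ({raw!r})"
    return "review", f"conflicting X-Frame-Options values ({raw!r})"


# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "hardened": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "same-origin": {"x-frame-options": "sameorigin"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "conflicting": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "none": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        verdict, reason = framing_status(hdrs)
        print(f"{label:12} {verdict:12} {reason}")
```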
