UI Redressing
February 2013 - null Pune Chapter Meet
UI Redressing - Presentation Transcript

  • <iframe> UI Redressing </iframe> <script> function PresentedBy() { document.write("Jovin Lobo") } </script>
  • self.Intro() Works for Payatu Technologies (www.payatu.com) as an AppSec Consultant. Author of game|over – a Linux distro built for learning web app security. Member of null – The Open Security Community (www.null.co.in). Moderating the #null #Pune Chapter ;) Very #Annoying too … so u might wanna shoot me in the head <NOT_Certified>C|EH, AFCEH .. or any other certification</NOT_Certified>
  • Agenda: Introduction to UI Redressing/Clickjacking. Elements of basic clickjacking. Advanced Clickjacking techniques. Some cool demos :) Prevention techniques that Suck !! Prevention techniques that don't …. Running away as fast as I can before somebody shoots me in the head.
  • Already Bored ???
  • So what is UI Redressing/Clickjacking ?? "… is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages."
  • UI Redress attack a.k.a. Clickjacking. The term "clickjacking" was coined by Jeremiah Grossman and Robert "RSnake" Hansen in 2008. It is seen as a type of Confused Deputy attack against the browser.
  • Now you are confused … aren't you ?? Let's watch a video …
  • Aaiilaa ... it's NOT what it looks like !!! Pic taken from: http://detower.com/id12.html
  • In a nut-shell. Pic from: http://www.protecht.ca/blog/clickjacking-niagara
  • So what do we need to redress the UI? Iframes: used to embed one website inside another. Syntax: <iframe src="null.co.in"></iframe> Opacity: used to change the transparency of HTML elements. Stacking Order: using the z-index property we can stack the HTML elements on top of one another.
  • Basic Clickjacking [Demo]: Basic Clickjacking.
  • So what about text fields? Q: Is it possible to make a user enter text ?? A: YES !!! Q: But how ?? Muhahahahahahaha...!!!
  • Advanced Clickjacking Techniques [Demo]: Advanced Clickjacking attack. [Demo]: Content Extraction using Drag and drop
  • So we can hijack clicks as well as text ….. That's practically everything a user does …. So how do we prevent UI Redress Attacks ??
  • Prevention techniques that don't always work *Yes I am still talking about Clickjacking
  • Frame Busters "Frame buster / Framekiller is a piece of JavaScript code that prevents a Web page from being displayed within a frame."
  • Basic Frame Busting code.
    <script>
      // If this page has been framed, navigate the top-level window to this page.
      if (top.location != location) { top.location = self.location; }
    </script>
  • Basic frame busters [Demo]: Basic Frame Busters
  • Some common frame busters .. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  • Q: So are we safe from a UI Redress Attack? A: NO !!! And here comes the "Double Framing Attack".
  • Busting Frame Busters [Demo]: Double Framing Attack
  • [eg 1/1] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  • [eg 1/2] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  • [eg 2/1] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  • [eg 2/2] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  • [eg 3/1] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  • [eg 3/2] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  • So does JavaScript solve this issue? What if I hire this guy to write a frame buster for me, am I safe ??
  • The best FrameBuster so far..
    <script>
      // Assumes the page's CSS hides the document by default (visibility: hidden),
      // so the content is only revealed once we know we are the top-level window.
      if (self == top) {
        document.documentElement.style.visibility = 'visible';
      } else {
        top.location = self.location;
      }
    </script>
    Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  • Other ways of busting frame busters.
    ● IE7: var location = "clobbered"
      <script> var location = "clobbered"; </script>
      <iframe src="http://www.victim.com"></iframe>
    ● [Demo] Google Chrome "sandbox"
    ● [Demo] window.onbeforeunload()
  • Prevention techniques that work ● Ask for a user's password.
  • Prevention techniques that work ● CAPTCHA
  • Prevention techniques that will always work: "X-Frame-Options" *Just for the record, we are still talking about Clickjacking
  • What are X-Frame-Options? "The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites." -- MDN
  • Using X-Frame-Options. There are three possible values for X-Frame-Options:
    ● DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
    ● SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
    ● ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin. -- MDN
  • [Demo] : Setting X-Frame-Options in PHP
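The header only protects a page when it reaches the browser well-formed and unambiguous. The following audit helper is an added example (not part of the slides or the PHP demo) that classifies a raw HTTP response's framing policy into the three values listed above plus the misconfigurations an assessor usually finds: header missing, value misspelled, or several contradictory values; the sample responses are constructed.

```python
from typing import List, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response into (lower-cased name, value) pairs.

    Duplicates are kept on purpose: a page that sends X-Frame-Options twice
    (once from the app, once from a reverse proxy) is a finding in itself.
    """
    lines = raw.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response header block")
    pairs = []
    for line in lines[1:]:
        if line == "":                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def framing_policy(raw: str) -> str:
    """Classify a response as deny / sameorigin / allow-from / missing / invalid / conflict."""
    xfo = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    if not xfo:
        return "missing"                    # any site can frame this page
    # Proxies sometimes fold duplicate headers into one comma-separated value.
    values = {v.strip().upper() for h in xfo for v in h.split(",")}
    if len(values) > 1:
        return "conflict"                   # misconfiguration: do not guess which value wins
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return value.lower()
    if value.startswith("ALLOW-FROM ") and len(value.split()) == 2:
        return "allow-from"                 # browsers without ALLOW-FROM support ignore the header
    return "invalid"                        # e.g. "ALLOWALL" or a typo: no protection at all


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "good": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "typo": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n",
    "dup": "HTTP/1.1 200 OK\r\nx-frame-options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "none": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:5} -> {framing_policy(raw)}")
```

Anything other than "deny" or "sameorigin" deserves a closer look: "allow-from" is honoured by only some browsers, and "invalid" or "conflict" usually means the header is silently discarded.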
  • Any Questions ??
  • THANKS !!!!! Remember …... Clickjacking is LAME LAMER than
  • References
    ● [White Paper] Busting frame busting: a study of clickjacking vulnerabilities at popular sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson
    ● https://www.owasp.org/index.php/Clickjacking
    ● http://en.wikipedia.org/wiki/Clickjacking
    ● http://en.wikipedia.org/wiki/Framekiller
    ● http://andlabs.org/
    ● http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html