UI-Redressing Attacks - The Process & Exploitation

UI-Redressing Attacks - The Process & Exploitation by Amol Naik at c0c0n - International Cyber Security and Policing Conference
http://is-ra.org/c0c0n/speakers.html

    1. Mercedes-Benz Research and Development India
       UI-Redressing Attacks: The Process & Exploitation
       Amol Naik, 4th Aug 2012
    2. Agenda
       • Introduction to UI-Redressing attacks
       • Server-Side Mitigations
       • Bug Bounties
       • Target
       • Tools
       • CSS Basics
       • Exploitation Techniques
       UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012
    3. I am
       • Web Application Pentester
       • Bug Hunter – Google, Facebook, Twitter
       • Web Challenges Coder for nullcon HackIM since 2011
       • Winner of ClubHACK preCON 2011 CTF
       • Active member of Garage4Hackers
       • Blog at: http://amolnaik4.blogspot.com
       • Twitter: @amolnaik4
    4. UI-Redressing Attacks
       • Change the user interface in the browser
         - Invisible iframes
         - CSS tricks
         - HTML5 Drag-Drop
       • Victim clicks a button/link on the attacker's site
       • He/she is actually clicking on the vulnerable site
    5. UI-Redressing Attacks
    6. Impact
       • One Click Attack
       • CSRF Protection Bypass
       • Cross-Domain Content Extraction
       • Exploit "Self XSS"
    7. Server-Side Mitigations
       • X-Frame-Options
         - HTTP response header
         - Supported by all latest browsers
       • X-Frame-Options: DENY
         - The page cannot be rendered in a frame, regardless of the site attempting to do so
       • X-Frame-Options: SAMEORIGIN
         - The page can only be rendered in a frame on the same origin as the page itself
    8. Server-Side Mitigations
       • Frame Bursting Code
         - JavaScript
         - Ensures the current frame is the most top-level window
    9. Bug Bounties
       • Google
         - Bounty price up to $3133.7
         - XSS, CSRF main focus
         - Researcher will be listed in Google Security Hall of Fame
       • Facebook
         - Bounty price up to $5000
         - XSS, CSRF, Open Redirect, Database Injection
         - Researcher will be listed in Facebook WhiteHat List
    10. Target
       • CSRF-protected actions
       • Pages with sensitive information in page source
       • Self XSS
    11. Tools
    12. CSS Basics
       • Opacity
         - Sets the transparency of an element
       • Top, Left
         - Negative values shift elements out of the browser window
       • Position
         - Static (default)
         - Relative
         - Absolute
         - Fixed
    13. Exploitation Techniques
    14. Simple Clickjacking
       • Google
         - Remove Google Books Service
         - FIXED
       • Facebook
         - Add Any Facebook App
         - FIXED
    15. Hijack 2 Clicks
       • Google
         - Remove Google Web History, Health & Orkut
         - FIXED
    16. Cross-Domain Content Extraction
       • Facebook
         - Get token from page source
         - Use of HTML5 Drag-Drop
         - Only possible in Firefox 13
         - FIXED
    17. Fake Captcha
       • Facebook
         - Get Token
         - FIXED
    18. Self-XSS
       • Scenario
         - Input field is vulnerable to XSS
         - Vulnerable page sends user input to another page
         - And output is reflected to the vulnerable page
         - Ajax call used to send the user data
         - GET/POST XSS exploitation method doesn't work
         - How to exploit?
    19. Self-XSS
       • Solution
         - HTML5 Drag-Drop
       • Google
         - Google Map examples
         - Google Base examples
         - FIXED
    20. Bursting Frame Buster
       • Adobe
         - Adobe Flash Manager Setting page
         - Discovered & reported by "Nafeez Ahmed AKA skeptic_fx"
         - "204 No Content" is the trick
         - FIXED
    21. Thanks
       • Lavakumar K: http://www.andlabs.org
       • Kotowicz: http://blog.kotowicz.net
       • Nafeez Ahmed: http://blog.skepticfx.com
       • Marcus Niemietz: "UI Redressing: Attacks & Countermeasures Revisited"
       • OWASP: http://www.owasp.org
       • Imperva: http://www.imperva.com
       • W3School: http://www.w3school.com
    22. Questions
       • Amol Naik
         - http://amolnaik4.blogspot.com
         - @amolnaik4
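The X-Frame-Options mitigation from slide 7, as an added example that is not from the talk: a small Node.js helper that emits the header for a chosen policy and audits captured response headers, flagging pages that a clickjacking retest should cover. The sample responses, paths and the partner origin are constructed for the example.

```javascript
// Build the response header for a framing policy.
// 'deny': never render in a frame; 'sameorigin': only in frames on the same origin.
function framingHeaders(policy) {
  const value = { deny: 'DENY', sameorigin: 'SAMEORIGIN' }[String(policy).toLowerCase()];
  if (!value) throw new Error(`unknown framing policy: ${policy}`);
  return { 'X-Frame-Options': value };
}

// Audit captured response headers (plain object, names in any case; Node's
// http.IncomingMessage.headers lowercases them). Returns { protected, reason }.
function assessFramingProtection(headers) {
  const values = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    .flatMap(([, v]) => String(v).split(','))   // Node joins repeated headers with commas
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v.length > 0);

  if (values.length === 0) {
    return { protected: false, reason: 'X-Frame-Options absent: any origin may frame this page' };
  }
  if (new Set(values).size > 1) {
    return { protected: false, reason: `conflicting directives (${values.join(', ')}); send exactly one` };
  }
  const [directive] = values;
  if (directive === 'DENY' || directive === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${directive}` };
  }
  if (directive.startsWith('ALLOW-FROM')) {
    return { protected: false, reason: 'ALLOW-FROM is not honoured by all browsers; use DENY or SAMEORIGIN' };
  }
  return { protected: false, reason: `unrecognised value "${directive}" is ignored by browsers` };
}

// Constructed sample: headers captured from three pages during a review.
const SAMPLE_RESPONSES = {
  '/settings': { 'content-type': 'text/html' },
  '/account': { 'content-type': 'text/html', 'x-frame-options': 'SAMEORIGIN' },
  '/apps/add': { 'content-type': 'text/html', 'x-frame-options': 'ALLOW-FROM https://partner.example' },
};

// Paths whose framing protection is missing or unreliable and need a retest.
function unprotectedPaths(responses) {
  return Object.entries(responses)
    .filter(([, h]) => !assessFramingProtection(h).protected)
    .map(([path]) => path);
}
```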

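Slides 8 and 20 together, as an added example that is not from the talk: the classic frame buster beside a fail-safe variant that hides the page until it confirms it is the top-level window, so a navigation that never completes (the effect the "204 No Content" trick produces on the framed page) leaves a blank frame rather than a clickable one. The window and document objects are constructed stand-ins so the logic runs outside a browser, and the origins are placeholders.

```javascript
// Pure decision logic, kept apart from the DOM so it can be unit-tested:
// true when this window is the top-level browsing context.
function isTopLevel(win) {
  return win.self === win.top;
}

// The classic buster (slide 8): redirect the top window to ourselves.
// Nothing is hidden, so if the navigation never happens the page stays
// framed and every button stays clickable.
function naiveBuster(win) {
  if (!isTopLevel(win)) win.top.location = win.self.location;
}

// Fail-safe buster: hide first, reveal only once we know we are top-level.
// win: window-like object { self, top, location }; doc: object with body.style.
function failSafeBuster(win, doc) {
  doc.body.style.display = 'none'; // real markup: <style>html{display:none}</style> in <head>
  if (isTopLevel(win)) {
    doc.body.style.display = 'block'; // not framed: show the page
    return 'shown';
  }
  try {
    win.top.location = win.self.location; // framed: attempt to break out
  } catch (e) { /* assignment refused by the browser: content is already hidden */ }
  return 'hidden';
}

// Constructed simulation of a swallowed navigation: the framing page accepts
// writes to top.location but never navigates, which is what the framed page
// observes under the 204 trick. Reports which variant leaves content visible.
function demoSwallowedNavigation() {
  const attackerTop = {};
  Object.defineProperty(attackerTop, 'location', {
    get: () => 'https://framing-page.example/',  // placeholder origin
    set: () => {},                               // navigation swallowed
  });
  const framed = { top: attackerTop, location: 'https://victim.example/settings' }; // placeholder
  framed.self = framed;
  const docNaive = { body: { style: { display: 'block' } } };
  naiveBuster(framed);
  const docSafe = { body: { style: { display: 'block' } } };
  failSafeBuster(framed, docSafe);
  return {
    naiveVisible: docNaive.body.style.display !== 'none',  // true: still framed and clickable
    failSafeVisible: docSafe.body.style.display !== 'none', // false: blank frame, nothing to click
  };
}
```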