
Clickjacking DevCon2011


  1. Developer Conference 2011
     MICROSOFT USER GROUP HYDERABAD
  2. It is this easy to steal your click!
     (Secure Web Development)
     Krishna Chaitanya T
     Security & Privacy Research Lab, Infosys Labs
     Microsoft MVP - Internet Explorer
     http://novogeek.com | @novogeek
  3. Agenda!
     Saw these on Facebook?
     Your genuine web page can be a victim as well! Let's secure it!
  4. Clickjacking
     Named and described in 2008 by Robert Hansen and Jeremiah Grossman
     Tricks a victim into clicking, without realising it, on a framed page that has been made invisible
     Made possible by overlaying transparent layers
     Basic clickjacking:
       Positioning via CSS (JS not required!)
       Following the mouse cursor via JS
     Advanced techniques:
       Clickjacking + XSS
       Clickjacking + CSRF
       Clickjacking + HTML5 Drag/Drop API
  5. The mischievous <iframe> tag
     A web page can embed another web page via an iframe:
     <iframe src="http://bing.com"></iframe>
     CSS opacity property: 1 = fully visible, 0 = invisible (the invisible frame still receives clicks)
  6. Clickjacking using CSS & JS
     demo
  7. Frame Busting!
     Techniques for preventing your site from being framed
     Common frame busting code:
     if (top != self) {               // condition: are we inside a frame?
       top.location = self.location;  // counter action: replace the framing page with ourselves
     }
  8. Survey
     Acknowledgement: all survey content is from the Stanford Web Security Research Lab
  9. What's wrong?
     Walmart.com
     if (top.location != location) {
       if (document.referrer &&
           document.referrer.indexOf("walmart.com") == -1) {
         top.location.replace(document.location.href);
       }
     }
     USBank.com
     if (self != top) {
       var domain = getDomain(document.referrer);
       var okDomains = /usbank|localhost|usbnet/;
       var matchDomain = domain.search(okDomains);
       if (matchDomain == -1) { /* frame bust */ }
     }
     Many
     if (top.location != self.location) {
       parent.location = self.location;
     }
     - Error in referrer checking: indexOf matches the string anywhere in the URL, so the attacker's URL can be http://www.attacker.com/walmart.com.html (and when the referrer is empty no bust happens at all)
     - Error in referrer checking: the regex is unanchored and matches any hostname containing "usbank", so the attacker's URL can be http://usbank.attacker.com
     - 'parent' refers to the window one level higher, so double framing breaks this: with attacker page > attacker frame > victim, parent is the attacker's middle frame, and browsers only let a frame navigate itself, its descendants or top, so the assignment is refused and no bust happens
  10. Busting frame busting!
     HTML5 sandbox
     <iframe sandbox src="http://www.victim.com">
     - JavaScript is disabled in the framed document!
     - Prevents XSS
     - Prevents defacement
     - Facilitates clickjacking! (a JavaScript frame buster never runs)
     onbeforeunload event
     <h1>www.attacker.com</h1>
     <script>
     window.onbeforeunload = function() {
       return "Do you want to leave your favorite site?";
     }
     </script>
     <iframe src="http://www.paypal.com">
     - The victim's bust navigation triggers the attacker's leave-page prompt; if the user cancels, the bust is cancelled with it
     XSS filters
     - The browser's reflected-XSS filter (IE8 here) disables the frame buster in this iframe:
     <iframe src="http://www.example.org/?xyz=%3Cscript%20type=%22text/javascript%22%3Eif"></iframe>
     - The query string echoes the opening of the framed page's own script, so the filter treats that script as injected and neutralises it
     204 HTTP header
     var kill_bust = 0;
     window.onbeforeunload = function() { kill_bust++ };
     setInterval(function() {
       if (kill_bust > 0) {
         kill_bust -= 2;
         window.top.location = 'http://no-content-204.com';
       }
     }, 1);
     <iframe src="http://www.victim.com">
     - Every bust attempt fires the attacker's onbeforeunload; the timer then points top at a URL answering 204 No Content, which cancels the pending navigation without leaving the attacker page
     Mobile sites
     - Non-mobile sites do frame busting
     - What about their mobile versions?
  11. Is there any hope?
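The three broken busters from the survey, as an added example in Node that is not code from the slides or the Stanford paper: the Walmart and USBank referrer checks reproduced as functions so the bypass URLs can be tried, a correct referrer check beside them, and a toy model of the browser's frame-navigation rule that explains why `parent.location` fails under double framing. All hostnames are constructed.

```javascript
// Added example (not from the slides): broken referrer checks, a fixed one,
// and a toy model of why double framing defeats parent.location.
'use strict';

// Walmart-style check: substring match anywhere in the referrer string.
function walmartAllowsReferrer(referrer) {
  return Boolean(referrer) && referrer.indexOf('walmart.com') !== -1;
}

// USBank-style check: unanchored regex over the referrer's hostname.
function getDomain(url) {
  return new URL(url).hostname;
}
function usbankAllowsReferrer(referrer) {
  const okDomains = /usbank|localhost|usbnet/;
  return getDomain(referrer).search(okDomains) !== -1;
}

// Correct version: parse the referrer, compare the hostname exactly or as a
// dot-separated suffix of a trusted host, and fail closed when the referrer
// is missing or unparseable (browsers and proxies strip it routinely).
function allowsReferrer(referrer, trustedHosts) {
  if (!referrer) return false;
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false;
  }
  return trustedHosts.some((t) => host === t || host.endsWith('.' + t));
}

// Toy model of the frame-navigation rule browsers enforce: a frame may
// navigate itself, any of its descendants, or top. Navigating any other
// frame (such as a parent that is not top) is refused.
function makeFrame(name, parent) {
  const frame = { name, parent: parent || null, location: name, children: [] };
  if (parent) parent.children.push(frame);
  return frame;
}
function topOf(frame) {
  while (frame.parent) frame = frame.parent;
  return frame;
}
function isDescendant(ancestor, frame) {
  for (let f = frame.parent; f; f = f.parent) if (f === ancestor) return true;
  return false;
}
function navigate(from, target, url) {
  if (target !== from && target !== topOf(from) && !isDescendant(from, target)) {
    throw new Error('SecurityError: ' + from.name + ' may not navigate ' + target.name);
  }
  target.location = url;
}

// Runs both busters inside attacker-top -> attacker-middle -> victim.
function simulateDoubleFraming() {
  const result = {};
  let top = makeFrame('attacker-top');
  let victim = makeFrame('victim', makeFrame('attacker-middle', top));
  try {
    navigate(victim, victim.parent, victim.location); // parent.location = self.location
    result.parentBust = 'navigated';
  } catch (e) {
    result.parentBust = 'blocked';
  }
  top = makeFrame('attacker-top');
  victim = makeFrame('victim', makeFrame('attacker-middle', top));
  navigate(victim, topOf(victim), victim.location);   // top.location = self.location
  result.topBust = top.location === 'victim' ? 'busted' : 'not busted';
  return result;
}
```

Even the fixed referrer check only guards against framing by strangers; an attacker who can get a trusted host to frame the page (or who can suppress the referrer) still gets through, which is why the deck ends up recommending a header rather than a script.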
  16. X-Frame-Options
     The savior! An innovative idea introduced by Microsoft in IE8
     HTTP header sent on the response
     Possible values: "DENY" and "SAMEORIGIN"
     Implemented by most modern browsers
     Does not depend on JavaScript, so the script-level bypasses above do not apply
     Ex (ASP.NET): Response.AddHeader("X-Frame-Options", "DENY");
     Limitations:
       Poor adoption by sites (because of developer ignorance!)
       No whitelisting: you can deny all framing or allow only same-origin framing, but not allow one specific partner site
     Nevertheless, the advantages outweigh the disadvantages.
     Content Security Policy (CSP), introduced by Mozilla
  17. Best JS solution
     <style>html { visibility: hidden }</style>
     <script>
     if (self == top) {
       document.documentElement.style.visibility = 'visible';  // not framed: reveal the page
     } else {
       top.location = self.location;                            // framed: bust out
     }
     </script>
     The page starts hidden and is only revealed when it is not framed, so even if the bust navigation is blocked (onbeforeunload, 204 trick), nothing clickable is ever shown inside the frame.
  18. Frame Busting (X-Frame-Options & JavaScript solutions)
     demo
  19. It's your turn now!
     Are your sites clickjacking proof?
     Think about a one-click approval button being clickjacked!
     Go back and add the X-Frame-Options header to your web projects at the office (and earn the goodwill of your boss)
     If you must support old browsers, have the JS protection in place as well
     If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for a hidden <iframe> ;)
     Check your social apps and revoke access if not used.
     We learnt to break things to build better things. Ethics, please!
  20. References
     "Busting frame busting: a study of clickjacking vulnerabilities at popular sites" – research paper by the Stanford Web Security Research Lab (G. Rydstedt, E. Bursztein, D. Boneh, C. Jackson, 2010)
     "Birth of a Security Feature: ClickJacking Defense" – IE Blog
     "IE8 Security Part VII: ClickJacking Defenses" – IE Blog
  21. I'm Done!
     Blog: novogeek.com
     Twitter: @novogeek
  22. Sponsors
