UI Redressing

Published February 2013 - null Pune Chapter Meet

  1. <iframe> UI Redressing </iframe> <script> function PresentedBy() { document.write("Jovin Lobo") } </script>
  2. self.Intro(): Works for Payatu Technologies (www.payatu.com) as an AppSec Consultant. Author of game|over, a Linux distro built for learning web app security. Member of null, The Open Security Community (www.null.co.in). Moderating the #null #Pune Chapter ;) Very #Annoying too ... so u might wanna shoot me in the head. <NOT_Certified>C|EH, AFCEH .. or any other certification</NOT_Certified>
  3. Agenda: Introduction to UI Redressing/Clickjacking. Elements of basic clickjacking. Advanced Clickjacking techniques. Some cool demos :) Prevention techniques that Suck !! Prevention techniques that don't .... Running away as fast as I can before somebody shoots me in the head.
  4. Already Bored ???
  5. So what is UI Redressing/Clickjacking ?? "... is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages."
  6. UI Redress attack a.k.a. Clickjacking: The term "clickjacking" was coined by Jeremiah Grossman and Robert "RSnake" Hansen in 2008. It is seen as a type of Confused Deputy attack against the browser ...
  7. Now you are confused ... aren't you ?? Let's watch a video ...
  8. Aaiilaa ... its NOT what it looks like !!! Pic taken from: http://detower.com/id12.html
  9. In a nutshell. Pic from: http://www.protecht.ca/blog/clickjacking-niagara
  10. So what do we need to redress the UI? Iframes: used to embed one website inside another. Syntax: <iframe src="null.co.in"></iframe>. Opacity: used to change the transparency of HTML elements. Stacking Order: using the z-index property we can stack HTML elements on top of one another.
  11. Basic Clickjacking. [Demo]: Basic Clickjacking.
  12. So what about text fields? Q: Is it possible to make a user enter text ?? A: YES !!! Q: But how ?? Muhahahahahahaha...!!!
  13. Advanced Clickjacking Techniques. [Demo]: Advanced Clickjacking attack. [Demo]: Content Extraction using Drag and Drop.
  14. So we can hijack clicks as well as text ..... That's practically everything a user does .... So how do we prevent UI Redress Attacks ??
  15. Prevention techniques that don't always work. *Yes I am still talking about Clickjacking
  16. Frame Busters: "Frame buster / Framekiller is a piece of JavaScript code that prevents a Web page from being displayed within a frame."
  17. Basic Frame Busting code: <script> if (top.location != location) { top.location = self.location; } </script>
  18. Basic frame busters. [Demo]: Basic Frame Busters
  19. Some common frame busters .. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  20. Q: So are we safe from a UI Redress Attack? A: NO !!! And here comes the "Double Framing Attack".
  21. Busting Frame Busters. [Demo]: Double Framing Attack
  22. [eg 1/1] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  23. [eg 1/2] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  24. [eg 2/1] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  25. [eg 2/2] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  26. [eg 3/1] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  27. [eg 3/2] Frame Busters gone wrong. Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  28. So do JavaScripts solve this issue? What if I hire this guy to write a frame buster for me. Am I safe ??
  29. The best FrameBuster so far.. <script> if (self == top) { document.documentElement.style.visibility = "visible"; } else { top.location = self.location; } </script> Credits: Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
  30. Other ways of busting frame busters. ● IE7: var location = "clobbered" <script> var location = "clobbered"; </script> <iframe src="http://www.victim.com"> </iframe> ● [Demo] Google Chrome "sandbox" ● [Demo] window.onbeforeunload()
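The point of slides 17, 29 and 30 is that a frame buster which is visible by default and merely tries to escape can be neutralised by stopping its script, whereas one whose stylesheet hides the document until the script confirms it is top-level fails closed. The following is an added example written for this page, not code from the slides or from the cited paper: it runs both busters against a constructed fake window in Node so the behaviours can be compared side by side. The window model, the origins victim.example and attacker.example, and the function names makeWindow, naiveBuster, recommendedBuster and compare are all assumptions of this example.

```javascript
// Added example (not from the slides): the naive frame buster from slide 17 and
// the hidden-by-default buster from slide 29, run against a constructed fake
// browser window so the two can be compared without a real page.

// Constructed window model. `framed` puts the page inside an attacker's iframe;
// `scriptsRun` is false when the embedding page has stopped the frame's script
// from running (the effect the slides demonstrate with Chrome's iframe sandbox).
// Locations are plain strings here; real browsers compare Location objects.
function makeWindow({ framed, scriptsRun }) {
  const win = {
    location: 'https://victim.example/account',
    document: { documentElement: { style: { visibility: 'visible' } } },
    scriptsRun,
  };
  win.self = win;
  win.top = framed ? { location: 'https://attacker.example/' } : win;
  return win;
}

// What the embedding page ends up with: the page is clickjackable only if it is
// framed, is rendered visibly, and the top window was not navigated to the victim.
function outcome(win) {
  const visible = win.document.documentElement.style.visibility === 'visible';
  const framed = win.top !== win;
  const escaped = framed && win.top.location === win.self.location;
  return { visible, clickjackable: framed && visible && !escaped };
}

// Naive buster (slide 17): the page is visible by default, and only the script
// can change that, so it is only as strong as the script's ability to run.
function naiveBuster(win) {
  if (win.scriptsRun && win.top.location !== win.self.location) {
    win.top.location = win.self.location;
  }
  return outcome(win);
}

// Hidden-by-default buster (slide 29): a stylesheet hides the document first;
// the script reveals it only when the page is the top-level document, else it
// navigates top to itself. If the script never runs, the page stays blank.
function recommendedBuster(win) {
  win.document.documentElement.style.visibility = 'hidden'; // the CSS rule
  if (win.scriptsRun) {
    if (win.self === win.top) {
      win.document.documentElement.style.visibility = 'visible';
    } else {
      win.top.location = win.self.location;
    }
  }
  return outcome(win);
}

// Run both busters through the three situations that matter.
function compare() {
  const cases = {
    topLevel: { framed: false, scriptsRun: true },
    framedScriptRuns: { framed: true, scriptsRun: true },
    framedScriptBlocked: { framed: true, scriptsRun: false },
  };
  const result = {};
  for (const [name, cfg] of Object.entries(cases)) {
    result[name] = {
      naive: naiveBuster(makeWindow(cfg)),
      recommended: recommendedBuster(makeWindow(cfg)),
    };
  }
  return result;
}

console.log(JSON.stringify(compare(), null, 2));
```

Running it shows the naive buster reported as clickjackable in the framedScriptBlocked case and the hidden-by-default buster never, at the cost of a blank page when its script is suppressed. Even the better buster remains best-effort script: the right control is the server-side framing policy the later slides cover.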
  31. Prevention techniques that work ● Ask for a user's password.
  32. Prevention techniques that work ● CAPTCHA
  33. Prevention techniques that will always work: "X-Frame-Options" *Just for the record we are still talking about Clickjacking
  34. What are X-Frame-Options? "The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites." -- MDN
  35. Using X-Frame-Options. There are three possible values for X-Frame-Options: DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself. ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin. -- MDN
  36. [Demo]: Setting X-Frame-Options in PHP
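Slides 33 to 36 describe the header-based policy that the PHP demo sets. The following is an added example for this page, not code from the slides, and it goes a little beyond them: it models how a current browser decides whether a response may be rendered in a frame, applying the three X-Frame-Options values from slide 35 together with the CSP frame-ancestors directive that has since superseded the header. Three behaviours of current browsers are built in: SAMEORIGIN is checked against every ancestor in the embedding chain, not just the direct parent; ALLOW-FROM is obsolete (never implemented by Chrome or Safari, later dropped by Firefox) and an unsupported value is ignored, leaving the page framable; and when both headers are present, frame-ancestors takes precedence. The header map, the origins victim.example, attacker.example and partner.example, and the function names framingAllowed and sourceMatches are constructed for this example.

```javascript
// Added example (not from the slides): how a current browser decides whether a
// page may be rendered inside a frame, given the page's response headers and
// the origins of the documents that embed it. Models X-Frame-Options DENY /
// SAMEORIGIN / ALLOW-FROM and CSP frame-ancestors. All URLs and headers below
// are constructed sample data.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Match one frame-ancestors source expression against an ancestor origin.
// Supported subset: 'self', a scheme such as https:, an exact host, and a
// *.host wildcard, each optionally prefixed with a scheme. Ports are ignored.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  if (source === "'self'") return ancestorOrigin === pageOrigin;
  const a = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return a.protocol === source.toLowerCase();
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*):\/\/(.+)$/i);
  if (m) {
    if (a.protocol !== m[1].toLowerCase() + ':') return false;
    host = m[2];
  }
  host = host.toLowerCase();
  if (host.startsWith('*.')) return a.hostname.endsWith(host.slice(1));
  return a.hostname === host;
}

// Pull the frame-ancestors source list out of a CSP header value, if present.
function frameAncestorsOf(csp) {
  if (!csp) return null;
  const d = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors(\s|$)/i.test(s));
  return d ? d.split(/\s+/).slice(1) : null;
}

// headers: lower-cased header names -> values. ancestorUrls: the embedding
// chain, top-level document first; empty when the page is loaded top-level.
function framingAllowed(headers, pageUrl, ancestorUrls) {
  const pageOrigin = originOf(pageUrl);
  const ancestors = ancestorUrls.map(originOf);
  if (ancestors.length === 0) return { allowed: true, reason: 'top-level document' };

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const sources = frameAncestorsOf(headers['content-security-policy']);
  if (sources) {
    if (sources.length === 0 || sources.includes("'none'")) {
      return { allowed: false, reason: "frame-ancestors 'none'" };
    }
    const ok = ancestors.every(anc => sources.some(src => sourceMatches(src, anc, pageOrigin)));
    return { allowed: ok, reason: ok ? 'every ancestor matches frame-ancestors' : 'an ancestor is not in frame-ancestors' };
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    // Current browsers check every ancestor, so a double-framed page whose
    // top-level document is foreign is refused even if its direct parent is not.
    const ok = ancestors.every(anc => anc === pageOrigin);
    return { allowed: ok, reason: ok ? 'all ancestors are same-origin' : 'a foreign ancestor is present' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete: never implemented by Chrome or Safari and dropped by Firefox;
    // an unsupported value is treated as if no header were sent.
    return { allowed: true, reason: 'ALLOW-FROM is not supported; header ignored' };
  }
  return { allowed: true, reason: xfo ? 'unrecognised X-Frame-Options value ignored' : 'no framing policy sent' };
}

// Constructed sample: the victim page embedded by a foreign page.
const PAGE = 'https://victim.example/account';
const FOREIGN = ['https://attacker.example/'];
console.log(framingAllowed({ 'x-frame-options': 'SAMEORIGIN' }, PAGE, FOREIGN));
console.log(framingAllowed({ 'content-security-policy': "frame-ancestors 'self'" }, PAGE, FOREIGN));
```

The practical reading for the PHP demo on slide 36: sending SAMEORIGIN or DENY is still honoured everywhere, but a site that needs to allow one partner origin should express that with frame-ancestors rather than ALLOW-FROM, and ideally send both headers so older clients that predate CSP level 2 still get the X-Frame-Options fallback.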
  37. Any Questions ??
  38. THANKS !!!!! Remember ...... Clickjacking is LAME LAMER than
  39. References ● [White Paper] Busting frame busting: a study of clickjacking vulnerabilities at popular sites [BIBTEX] by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson ● https://www.owasp.org/index.php/Clickjacking ● http://en.wikipedia.org/wiki/Clickjacking ● http://en.wikipedia.org/wiki/Framekiller ● http://andlabs.org/ ● http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html