The document summarizes techniques for preventing clickjacking attacks, including frame busting code, the X-Frame-Options HTTP header, and Content Security Policy. It provides examples of how to implement these techniques and their limitations. It encourages attendees to check their own websites and applications for clickjacking vulnerabilities and ways to secure them against these risks.

1. Developer Conference 2011 MICROSOFT USER GROUP HYDERABAD

2. It is this easy to steal your click! (Secure Web Development) Krishna Chaitanya T Security & Privacy Research Lab, Infosys Labs Microsoft MVP - Internet Explorer http://novogeek.com | @novogeek

3. Agenda! Saw these on Facebook? Your genuine web page can be victim as well! Lets secure!!

4. Clickjacking Discovered in 2008-Robert Hansen, Jeremiah Grossman Forces a victim to unintentionally click on invisible page Made possible by overlaying transparent layers Basic clickjacking: Positioning via CSS (JS not required!) Follow mouse cursor via JS Advanced techniques: Clickjacking + XSS Clickjacking + CSRF Clickjacking + HTML5 Drag/Drop API

5. The mischievous <iFrame> tag A web page can embed another web page via iframe <iframesrc="http://bing.com"></iframe> CSS opacity attribute: 1 = visible, 0 = invisible

6. Clickjacking using CSS & JS demo

7. Frame Busting! Techniques for preventing your site from being framed Common frame busting code: if (top != self) { //condition top.location = self.location; //counter action }

8. Survey Acknowledgement:All survey content from Stanford Web Security Research Lab

10. Error in Referrer checking. Attacker URL can be: http://usbank.attacker.com

12. Prevents XSS

13. Prevents Defacement

16. X-Frame-Options The savior! Innovative idea introduced by Microsoft in IE8 HTTP header sent on response. Possible values- “DENY” and “SAMEORIGIN” Implemented by most of the modern browsers Need not depend on JavaScript! Ex: Response.AddHeader("X-Frame-Options", "DENY"); Limitations: Poor adoption by sites (Coz of developer ignorance!) No whitelisting – Either block all, or allow all. Nevertheless, advantages outweigh disadvantages. Content Security Policy (CSP) introduced by Mozilla

17. Best JS solution <style>html { visibility: hidden }</style> <script> if (self == top) { document.documentElement.style.visibility = 'visible'; } else { top.location = self.location; } </script>

18. Frame Busting (X - Frame - Options & JavaScript solutions) demo

19. Its your turn now! Are your sites clickjacking proof? Think about a one-click approval button being clickjacked! Go back and add X-Frame-Options header to your web projects at office (and earn goodwill of your boss ) If you are on old browsers, have JS protection in place If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for hidden <iframe> ;) Check your social apps and revoke access if not used. We learnt to break things to build better things. Ethics plz!

20. References “Busting frame busting: a study of clickjacking vulnerabilities at popular sites” – Research paper by Stanford Web Security researchers. Birth of a Security Feature: ClickJackingDefense-IE Blog IE8 Security part VII – Clickjacking Defenses – IE Blog

21. I’m Done! Blog: novogeek.com Twitter: @novogeek

22. Sponsors