The document summarizes techniques for preventing clickjacking attacks, including frame busting code, the X-Frame-Options HTTP header, and Content Security Policy. It provides examples of how to implement these techniques and their limitations. It encourages attendees to check their own websites and applications for clickjacking vulnerabilities and ways to secure them against these risks.

1. Developer Conference 2011MICROSOFT USER GROUP HYDERABAD

2. It is this easy to steal your click!(Secure Web Development)Krishna Chaitanya TSecurity & Privacy Research Lab, Infosys LabsMicrosoft MVP - Internet Explorerhttp://novogeek.com | @novogeek

3. Agenda!Saw these on Facebook?Your genuine web page can be victim as well! Lets secure!!

4. ClickjackingDiscovered in 2008-Robert Hansen, Jeremiah GrossmanForces a victim to unintentionally click on invisible pageMade possible by overlaying transparent layersBasic clickjacking: Positioning via CSS (JS not required!) Follow mouse cursor via JSAdvanced techniques:Clickjacking + XSSClickjacking + CSRFClickjacking + HTML5 Drag/Drop API

5. The mischievous <iFrame> tagA web page can embed another web page via iframe<iframesrc="http://bing.com"></iframe>CSS opacity attribute: 1 = visible, 0 = invisible

6. Clickjacking using CSS & JSdemo

7. Frame Busting!Techniques for preventing your site from being framedCommon frame busting code:if (top != self) { //conditiontop.location = self.location; //counter action}

8. SurveyAcknowledgement:All survey content from Stanford Web Security Research Lab

9. What’s wrong?Walmart.com if (top.location != location) { if(document.referrer &&document.referrer.indexOf("walmart.com") == -1) { top.location.replace(document.location.href); } }USBank.comif (self != top) {var domain = getDomain(document.referrer);varokDomains = /usbank|localhost|usbnet/;domain.search(okDomains);if (matchDomain == -1) { /* frame bust */ } }Manyif(top.location != self.location) {parent.location= self.location; }Error in Referrer checking. Attacker URL can be: http://www.attacker.com/walmart.com.html

10. Error in Referrer checking. Attacker URL can be: http://usbank.attacker.com

11. ‘parent’ refers to the window available one level higher. So Double framing will break this.Busting Frame busting!HTML5 Sandbox<iframe sandbox src=“http://www.victim.com”>JavaScript is disabled!

12. Prevents XSS

13. Prevents Defacement

14. Facilitates clickjacking!onBeforeUnloadEvent<h1>www.attacker.com</h1><script>window.onbeforeunload = function() { return "Do you want to leave your favorite site?";}</script><iframesrc="http://www.paypal.com">XSS FiltersXSS filters in browsers block this iframe!<iframesrc="http://www.example.org/?xyz=%3Cscript%20type=%22text/javascript%22%3Eif"></iframe>204-HTTP headervarprevent_bust = 0window.onbeforeunload = function() {kill_bust++ }setInterval(function() { if (kill_bust > 0) {kill_bust -= 2;window.top.location = 'http://no-content-204.com' }}, 1);<iframesrc="http://www.victim.com">Mobile sitesNon mobile sites do frame busting

15. What about their mobile versions?Is there any hope?

16. X-Frame-OptionsThe savior! Innovative idea introduced by Microsoft in IE8HTTP header sent on response.Possible values- “DENY” and “SAMEORIGIN”Implemented by most of the modern browsersNeed not depend on JavaScript!Ex: Response.AddHeader("X-Frame-Options", "DENY");Limitations:Poor adoption by sites (Coz of developer ignorance!)No whitelisting – Either block all, or allow all.Nevertheless, advantages outweigh disadvantages.Content Security Policy (CSP) introduced by Mozilla

17. Best JS solution<style>html { visibility: hidden }</style><script>if (self == top) {document.documentElement.style.visibility = 'visible';} else {top.location = self.location; }</script>

18. Frame Busting (X - Frame - Options & JavaScript solutions)demo