SlideShare a Scribd company logo

UI Redressing

n|u - The Open Security Community
n|u - The Open Security Community

Jovin Lobo presented on UI redressing and clickjacking attacks. He began with an introduction to clickjacking, demonstrating basic techniques like using iframes and adjusting opacity to trick users. More advanced demos showed how clicks and text input could be hijacked. Framebusting code is commonly used for prevention but has limitations. The most effective prevention is using the X-Frame-Options HTTP header to control whether pages can be framed or displayed in iframes.

Related slideshows

Preventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code ExecutionPreventing In-Browser Malicious Code Execution
Preventing In-Browser Malicious Code Execution
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 
1 of 40
Download to read offline
<iframe> UI Redressing </iframe> <script> function PresentedBy() { document.write(“Jovin Lobo”) } </script>
self.Intro() Works for Payatu Technologies (www.payatu.com) as an AppSec Consultant. Author of 'game|over' – A Linux distro built for learning web app security. Member of null – The Open Security Community www.null.co.in Moderating the #null #Pune Chapter ;) Very #Annoying too … so u might wanna shoot me in the head <NOT_Certified> C|EH , AFCEH .. or any other certification </NOT_Certified>
Agenda Introduction to UI Redressing/Clickjacking. Elements of basic clickjacking. Advanced Clickjacking techniques. Some cool demos :) Prevention techniques that Suck !! Prevention techniques that dont …. Running away as fast as I can before somebody shoots me in the head.
Already Bored ???
So what is UI Redressing/Clickjacking ?? “ … is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages ”
UI Redress attack a.k.a Clickjacking The term "clickjacking" was coined by Jeremiah Grossman and Robert 'RSnake' Hansen in 2008. It is seen as a type of 'Confused Deputy' attack against the browser ….....
Now you are confused …....... arent you ?? Lets watch a video …....
Aaiilaa ... its NOT what it looks like !!! Pic taken from : http://detower.com/id12.html
In a nut-shell Pic from :http://www.protecht.ca/blog/clickjacking-niagara
So what do we need to redress the UI Iframes : Used to embed one website inside another. Syntax : <iframe src=”null.co.in” ></iframe> Opacity : Used to change the transparency of html elements. Stacking Order : Using the 'z-index' property we can stack the HTML elements on top of one another.
Basic Clickjacking [ Demo ]: Basic Clickjacking.
So what about text fields ? Q: Is it possible to make a user enter text ?? A: YES !!! Q: But how ?? Muhahahahahahaha...!!!
Advanced Clickjacking Techniques [ Demo ]: Advanced Clickjacking attack. [Demo]: Content Extraction using Drag and drop
So we can hijack clicks as well as text ….. Thats practically everything a user does …. So how do we prevent UI Redress Attacks ??
Prevention techniques that don't always work *Yes I am still talking about Clickjacking
Frame Busters “Frame buster / Framekiller is a piece of JavaScript code that prevents a Web page from being displayed within a frame.”
Basic Frame Busting code. <script > if { ( top . l o c a t i o n != l o c a t i o n ) top . l o c a t i o n = s e l f . l o c a t i o n ; } </script>
Basic frame busters [Demo:] Basic Frame Busters
Some common frame busters .. Credits : Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
Q: So are we safe from a UI Redress Attack ? A: NO !!! And here comes “Double Framing Attack”.
Busting Frame Busters [Demo] : Double Framing Attack
[eg 1/1] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
[eg 1/2] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
[eg 2/1] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
[eg 2/2] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
[eg 3/1] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
[eg 3/2] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
So do Javascripts solve this issue ? What if I hire this guy to write a frame buster for me Am I safe ??
The best FrameBuster so far.. <script> if (self == top) { document.documentElement.style.visibility='visible'; } else { top.location = self.location; } </script> Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
Other ways of busting frame busters. ● IE7 var location = “clobbered” <script> var location = "clobbered"; </script> <iframe src="http://www.victim.com"> </iframe> ● [Demo] Google Chrome “sandbox” ● [Demo] window.onbeforeunload()
Prevention techniques that work ● Ask for a users password.
Prevention techniques that work ● CAPTCHA
Prevention techniques that will always work “ X-Frame-Options ” *Just for the record we are still talking about Clickjacking
What are X-Frame-Options ? “The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.” –- MDN
Using X-Frame-Options There are three possible values for X-Frame-Options: DENY The page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself. ALLOW-FROM uri The page can only be displayed in a frame on the specified origin. --MDN
[Demo] : Setting X-Frame-Options in PHP
Any Questions ??
THANKS !!!!! Remember …... Clickjacking is LAME LAMER than
References ●[White Paper] Busting frame busting: a study of clickjacking vulnerabilities at popular sites [BIBTEX] by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson ● https://www.owasp.org/index.php/Clickjacking ● http://en.wikipedia.org/wiki/Clickjacking ● http://en.wikipedia.org/wiki/Framekiller ● http://andlabs.org/ ● http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html
UI Redressing

More Related Content

UI Redressing

  • 1. <iframe> UI Redressing </iframe> <script> function PresentedBy() { document.write(“Jovin Lobo”) } </script>
  • 2. self.Intro() Works for Payatu Technologies (www.payatu.com) as an AppSec Consultant. Author of 'game|over' – A Linux distro built for learning web app security. Member of null – The Open Security Community www.null.co.in Moderating the #null #Pune Chapter ;) Very #Annoying too … so u might wanna shoot me in the head <NOT_Certified> C|EH , AFCEH .. or any other certification </NOT_Certified>
  • 3. Agenda Introduction to UI Redressing/Clickjacking. Elements of basic clickjacking. Advanced Clickjacking techniques. Some cool demos :) Prevention techniques that Suck !! Prevention techniques that dont …. Running away as fast as I can before somebody shoots me in the head.
  • 5. So what is UI Redressing/Clickjacking ?? “ … is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages ”
  • 6. UI Redress attack a.k.a Clickjacking The term "clickjacking" was coined by Jeremiah Grossman and Robert 'RSnake' Hansen in 2008. It is seen as a type of 'Confused Deputy' attack against the browser ….....
  • 7. Now you are confused …....... arent you ?? Lets watch a video …....
  • 8. Aaiilaa ... its NOT what it looks like !!! Pic taken from : http://detower.com/id12.html
  • 9. In a nut-shell Pic from :http://www.protecht.ca/blog/clickjacking-niagara
  • 10. So what do we need to redress the UI Iframes : Used to embed one website inside another. Syntax : <iframe src=”null.co.in” ></iframe> Opacity : Used to change the transparency of html elements. Stacking Order : Using the 'z-index' property we can stack the HTML elements on top of one another.
  • 11. Basic Clickjacking [ Demo ]: Basic Clickjacking.
  • 12. So what about text fields ? Q: Is it possible to make a user enter text ?? A: YES !!! Q: But how ?? Muhahahahahahaha...!!!
  • 13. Advanced Clickjacking Techniques [ Demo ]: Advanced Clickjacking attack. [Demo]: Content Extraction using Drag and drop
  • 14. So we can hijack clicks as well as text ….. Thats practically everything a user does …. So how do we prevent UI Redress Attacks ??
  • 15. Prevention techniques that don't always work *Yes I am still talking about Clickjacking
  • 16. Frame Busters “Frame buster / Framekiller is a piece of JavaScript code that prevents a Web page from being displayed within a frame.”
  • 17. Basic Frame Busting code. <script > if { ( top . l o c a t i o n != l o c a t i o n ) top . l o c a t i o n = s e l f . l o c a t i o n ; } </script>
  • 18. Basic frame busters [Demo:] Basic Frame Busters
  • 19. Some common frame busters .. Credits : Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
  • 20. Q: So are we safe from a UI Redress Attack ? A: NO !!! And here comes “Double Framing Attack”.
  • 21. Busting Frame Busters [Demo] : Double Framing Attack
  • 22. [eg 1/1] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
  • 23. [eg 1/2] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
  • 24. [eg 2/1] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
  • 25. [eg 2/2] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
  • 26. [eg 3/1] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
  • 27. [eg 3/2] Frame Busters gone wrong Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
  • 28. So do Javascripts solve this issue ? What if I hire this guy to write a frame buster for me Am I safe ??
  • 29. The best FrameBuster so far.. <script> if (self == top) { document.documentElement.style.visibility='visible'; } else { top.location = self.location; } </script> Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson
  • 30. Other ways of busting frame busters. ● IE7 var location = “clobbered” <script> var location = "clobbered"; </script> <iframe src="http://www.victim.com"> </iframe> ● [Demo] Google Chrome “sandbox” ● [Demo] window.onbeforeunload()
  • 31. Prevention techniques that work ● Ask for a users password.
  • 32. Prevention techniques that work ● CAPTCHA
  • 33. Prevention techniques that will always work “ X-Frame-Options ” *Just for the record we are still talking about Clickjacking
  • 34. What are X-Frame-Options ? “The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.” –- MDN
  • 35. Using X-Frame-Options There are three possible values for X-Frame-Options: DENY The page cannot be displayed in a frame, regardless of the site attempting to do so. SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself. ALLOW-FROM uri The page can only be displayed in a frame on the specified origin. --MDN
  • 36. [Demo] : Setting X-Frame-Options in PHP
  • 38. THANKS !!!!! Remember …... Clickjacking is LAME LAMER than
  • 39. References ●[White Paper] Busting frame busting: a study of clickjacking vulnerabilities at popular sites [BIBTEX] by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson ● https://www.owasp.org/index.php/Clickjacking ● http://en.wikipedia.org/wiki/Clickjacking ● http://en.wikipedia.org/wiki/Framekiller ● http://andlabs.org/ ● http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html