UI Redressing
![Page 1: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/1.jpg)
<iframe> UI Redressing </iframe>
<script> function PresentedBy(){ document.write("Jovin Lobo"); }</script>
![Page 2: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/2.jpg)
self.Intro()
Works for Payatu Technologies (www.payatu.com) as an
AppSec Consultant.
Author of 'game|over' – A Linux distro built for learning web app
security.
Member of null – The Open Security Community www.null.co.in
Moderating the #null #Pune Chapter ;)
Very #Annoying too … so u might wanna shoot me in the head
<NOT_Certified> C|EH , AFCEH .. or any other certification </NOT_Certified>
![Page 3: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/3.jpg)
Agenda
Introduction to UI Redressing/Clickjacking.
Elements of basic clickjacking.
Advanced Clickjacking techniques.
Some cool demos :)
Prevention techniques that Suck !!
Prevention techniques that don't ...
Running away as fast as I can before somebody shoots me in the
head.
![Page 4: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/4.jpg)
Already Bored ???
![Page 5: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/5.jpg)
So what is UI Redressing/Clickjacking ??
“ … is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages ”
![Page 6: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/6.jpg)
UI Redress attack a.k.a Clickjacking
The term "clickjacking" was coined by Jeremiah Grossman and Robert 'RSnake' Hansen in 2008.
It is seen as a type of 'Confused Deputy' attack against the browser ...
![Page 7: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/7.jpg)
Now you are confused ... aren't you ??
Let's watch a video ...
![Page 8: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/8.jpg)
Aaiilaa ... its NOT what it looks like !!!
Pic taken from : http://detower.com/id12.html
![Page 9: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/9.jpg)
In a nut-shell
Pic from :http://www.protecht.ca/blog/clickjacking-niagara
![Page 10: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/10.jpg)
So what do we need to redress the UI
Iframes : Used to embed one website inside another. Syntax : <iframe src="null.co.in"></iframe>
Opacity : Used to change the transparency of html elements.
Stacking Order : Using the 'z-index' property we can stack the HTML elements on top of one another.
![Page 11: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/11.jpg)
Basic Clickjacking
[ Demo ]: Basic Clickjacking.
![Page 12: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/12.jpg)
So what about text fields ?
Q: Is it possible to make a user enter text ??
A: YES !!!
Q: But how ??
Muhahahahahahaha...!!!
![Page 13: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/13.jpg)
Advanced Clickjacking Techniques
[ Demo ]: Advanced Clickjacking attack.
[Demo]: Content Extraction using Drag and drop
![Page 14: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/14.jpg)
So we can hijack clicks as well as text ...
That's practically everything a user does ...
So how do we prevent UI Redress Attacks ??
![Page 15: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/15.jpg)
Prevention techniques that don't always work
*Yes I am still talking about Clickjacking
![Page 16: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/16.jpg)
Frame Busters
“Frame buster / Framekiller is a piece of JavaScript code that prevents a Web page from being displayed within a frame.”
![Page 17: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/17.jpg)
Basic Frame Busting code.
<script>
  // If this page is not the top-level document, navigate the top window to it.
  if (top.location != location) { top.location = self.location; }
</script>
![Page 18: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/18.jpg)
Basic frame busters
[Demo:] Basic Frame Busters
![Page 19: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/19.jpg)
Some common frame busters ..
Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson.
![Page 20: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/20.jpg)
Q: So are we safe from a UI Redress Attack ?
A: NO !!!
And here comes “Double Framing Attack”.
![Page 21: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/21.jpg)
Busting Frame Busters
[Demo] : Double Framing Attack
![Page 22: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/22.jpg)
[eg 1/1] Frame Busters gone wrong
Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson.
![Page 23: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/23.jpg)
[eg 1/2] Frame Busters gone wrong
![Page 24: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/24.jpg)
[eg 2/1] Frame Busters gone wrong
![Page 25: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/25.jpg)
[eg 2/2] Frame Busters gone wrong
![Page 26: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/26.jpg)
[eg 3/1] Frame Busters gone wrong
![Page 27: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/27.jpg)
[eg 3/2] Frame Busters gone wrong
![Page 28: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/28.jpg)
So does JavaScript solve this issue ?
What if I hire this guy to write a frame buster for me ?
Am I safe ??
![Page 29: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/29.jpg)
The best FrameBuster so far..
<script>
  // Reveal the page only when it is the top-level document; otherwise
  // break out of the enclosing frame.
  if (self == top) {
    document.documentElement.style.visibility = 'visible';
  } else {
    top.location = self.location;
  }
</script>
This only helps when the page is hidden by default (a CSS rule on the html element), so that content stays invisible if a framing page blocks the redirect; the script reveals it only when it is not framed.
Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson.
![Page 30: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/30.jpg)
Other ways of busting frame busters.
● IE7: var location = "clobbered"
<script> var location = "clobbered"; </script>
<iframe src="http://www.victim.com"></iframe>
● [Demo] Google Chrome “sandbox”
● [Demo] window.onbeforeunload()
![Page 31: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/31.jpg)
Prevention techniques that work
● Ask for the user's password.
![Page 32: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/32.jpg)
Prevention techniques that work
● CAPTCHA
![Page 33: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/33.jpg)
Prevention techniques that will always work
“ X-Frame-Options ”
*Just for the record we are still talking about Clickjacking
![Page 34: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/34.jpg)
What are X-Frame-Options ?
“The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.”
-- MDN
![Page 35: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/35.jpg)
Using X-Frame-Options
There are three possible values for X-Frame-Options:
DENY : The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN : The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri : The page can only be displayed in a frame on the specified origin.
-- MDN
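To show how those three values, and the fail-open cases around them, play out for a given embedding, here is an added Python audit helper (not part of the talk). It assumes a response's headers and the chain of ancestor frame URLs have already been collected; the sample headers and hostnames below are constructed, and the handling of conflicting comma-separated values follows the HTML Standard's X-Frame-Options algorithm.

```python
# Added example: decide whether a page served with X-Frame-Options may be
# rendered inside a frame, given every ancestor frame up to the top window.
# Sample URLs and headers are constructed for illustration.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port], lowercased, for origin comparison (no default-port normalisation)."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def framing_allowed(headers: dict, page_url: str, ancestors: list) -> tuple:
    """Return (allowed, reason).

    headers:   response headers of the framed page (names matched case-insensitively)
    page_url:  URL of that page
    ancestors: URLs of every frame above it, immediate parent first, top window last
    """
    raw = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if raw is None:
        return True, "no X-Frame-Options header: any site may frame this page"
    values = [v.strip().lower() for v in raw.split(",") if v.strip()]
    unique = set(values)
    if len(unique) > 1:
        # Conflicting values: the header is ignored unless one of them is DENY.
        if "deny" in unique:
            return False, f"conflicting values {raw!r}, but DENY is present"
        return True, f"conflicting values {raw!r}: header ignored"
    if not values:
        return True, "empty X-Frame-Options: header ignored"
    directive = values[0]
    if directive == "deny":
        return False, "DENY: no origin may frame this page"
    if directive == "sameorigin":
        # Every ancestor must match, or an outer cross-origin frame can re-wrap the page.
        bad = [a for a in ancestors if origin_of(a) != origin_of(page_url)]
        if bad:
            return False, f"SAMEORIGIN: blocked by cross-origin ancestor {bad[0]}"
        return True, "SAMEORIGIN: every ancestor is same-origin"
    if directive.startswith("allow-from"):
        # ALLOW-FROM was never honoured by Chrome or Safari and is obsolete;
        # on those browsers the page is frameable regardless of this result.
        parts = directive.split(None, 1)
        if len(parts) < 2:
            return True, "ALLOW-FROM without a URI: header ignored"
        allowed = origin_of(parts[1])
        if all(origin_of(a) == allowed for a in ancestors):
            return True, f"ALLOW-FROM: ancestors match {allowed} (not honoured by every browser)"
        return False, f"ALLOW-FROM: an ancestor is outside {allowed}"
    return True, f"unrecognised value {raw!r}: header ignored, page can be framed"
```

Run it over the responses of an audit target with the ancestor chain set to a cross-origin page: anything that returns `True` without a DENY or SAMEORIGIN reason is a page that still needs protecting.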
![Page 36: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/36.jpg)
[Demo] : Setting X-Frame-Options in PHP
![Page 37: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/37.jpg)
Any Questions ??
![Page 38: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/38.jpg)
Remember …... Clickjacking is LAME
LAMER than
THANKS !!!!!
![Page 39: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/39.jpg)
References
● [White Paper] Busting frame busting: a study of clickjacking vulnerabilities at popular sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson
● https://www.owasp.org/index.php/Clickjacking
● http://en.wikipedia.org/wiki/Clickjacking
● http://en.wikipedia.org/wiki/Framekiller
● http://andlabs.org/
● http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html
![Page 40: UI Redressing](https://reader034.fdocuments.in/reader034/viewer/2022052321/556eb2afd8b42aa32b8b4793/html5/thumbnails/40.jpg)