1. Developer Conference 2011 MICROSOFT USER GROUP HYDERABAD

2. It is this easy to steal your click! (Secure Web Development) Krishna Chaitanya T Security & Privacy Research Lab, Infosys Labs Microsoft MVP - Internet Explorer http://novogeek.com | @novogeek

3. Agenda! Saw these on Facebook? Your genuine web page can be victim as well! Lets secure!!

4. Clickjacking Discovered in 2008-Robert Hansen, Jeremiah Grossman Forces a victim to unintentionally click on invisible page Made possible by overlaying transparent layers Basic clickjacking: Positioning via CSS (JS not required!) Follow mouse cursor via JS Advanced techniques: Clickjacking + XSS Clickjacking + CSRF Clickjacking + HTML5 Drag/Drop API

5. The mischievous <iFrame> tag A web page can embed another web page via iframe <iframesrc="http://bing.com"></iframe> CSS opacity attribute: 1 = visible, 0 = invisible

6. Clickjacking using CSS & JS demo

7. Frame Busting! Techniques for preventing your site from being framed Common frame busting code: if (top != self) { //condition top.location = self.location; //counter action }

8. Survey Acknowledgement:All survey content from Stanford Web Security Research Lab

10. Error in Referrer checking. Attacker URL can be: http://usbank.attacker.com

12. Prevents XSS

13. Prevents Defacement

16. X-Frame-Options The savior! Innovative idea introduced by Microsoft in IE8 HTTP header sent on response. Possible values- “DENY” and “SAMEORIGIN” Implemented by most of the modern browsers Need not depend on JavaScript! Ex: Response.AddHeader("X-Frame-Options", "DENY"); Limitations: Poor adoption by sites (Coz of developer ignorance!) No whitelisting – Either block all, or allow all. Nevertheless, advantages outweigh disadvantages. Content Security Policy (CSP) introduced by Mozilla

17. Best JS solution <style>html { visibility: hidden }</style> <script> if (self == top) { document.documentElement.style.visibility = 'visible'; } else { top.location = self.location; } </script>

18. Frame Busting (X - Frame - Options & JavaScript solutions) demo

19. Its your turn now! Are your sites clickjacking proof? Think about a one-click approval button being clickjacked! Go back and add X-Frame-Options header to your web projects at office (and earn goodwill of your boss ) If you are on old browsers, have JS protection in place If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for hidden <iframe> ;) Check your social apps and revoke access if not used. We learnt to break things to build better things. Ethics plz!

20. References “Busting frame busting: a study of clickjacking vulnerabilities at popular sites” – Research paper by Stanford Web Security researchers. Birth of a Security Feature: ClickJackingDefense-IE Blog IE8 Security part VII – Clickjacking Defenses – IE Blog

21. I’m Done! Blog: novogeek.com Twitter: @novogeek

22. Sponsors