Jovin Lobo presented on UI redressing and clickjacking attacks. He began with an introduction to clickjacking, demonstrating basic techniques like using iframes and adjusting opacity to trick users. More advanced demos showed how clicks and text input could be hijacked. Framebusting code is commonly used for prevention but has limitations. The most effective prevention is using the X-Frame-Options HTTP header to control whether pages can be framed or displayed in iframes.
2. self.Intro()
Works for Payatu Technologies (www.payatu.com) as an AppSec Consultant.
Author of 'game|over' – a Linux distro built for learning web app security.
Member of null – The Open Security Community, www.null.co.in
Moderating the #null #Pune Chapter ;)
Very #Annoying too ... so you might wanna shoot me in the head
<NOT_Certified>
C|EH, AFCEH .. or any other certification
</NOT_Certified>
3. Agenda
Introduction to UI Redressing/Clickjacking.
Elements of basic clickjacking.
Advanced clickjacking techniques.
Some cool demos :)
Prevention techniques that suck !!
Prevention techniques that don't ...
Running away as fast as I can before somebody shoots me in the head.
5. So what is UI Redressing/Clickjacking ??
“ … is a malicious technique of tricking a Web user into
clicking on something different from what the user
perceives they are clicking on, thus potentially revealing
confidential information or taking control of their computer
while clicking on seemingly innocuous web pages ”
6. UI Redress attack a.k.a. Clickjacking
The term "clickjacking" was coined by Jeremiah Grossman and Robert 'RSnake' Hansen in 2008.
It is seen as a type of 'Confused Deputy' attack against the browser: the browser (the deputy) faithfully delivers the user's click, with the user's cookies, to a page the user never intended to act on.
7. Now you are confused ... aren't you ??
Let's watch a video ...
8. Aaiilaa ... it's NOT what it looks like !!!
Pic taken from : http://detower.com/id12.html
9. In a nut-shell
Pic from :http://www.protecht.ca/blog/clickjacking-niagara
10. So what do we need to redress the UI ?
Iframes : used to embed one website inside another.
Syntax : <iframe src="http://null.co.in"></iframe>
Opacity : the CSS 'opacity' property changes the transparency of HTML elements; at 0 the framed page is invisible to the user but still receives mouse clicks.
Stacking Order : using the 'z-index' property we can stack HTML elements on top of one another, so the transparent frame can sit above a visible decoy.
16. Frame Busters
“Frame buster / Framekiller is a piece of JavaScript code
that prevents a Web page from being displayed within a
frame.”
17. Basic Frame Busting code.
<script>
if (top.location != location) {
  top.location = self.location;
}
</script>
19. Some common frame busters ..
Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson.
20. Q: So are we safe from a UI Redress Attack ?
A: NO !!!
And here comes the "Double Framing Attack": the attacker frames the victim inside a frame that is itself framed, which is enough to defeat busters that navigate parent.location instead of top.location.
22. [eg 1/1] Frame Busters gone wrong
23. [eg 1/2] Frame Busters gone wrong
24. [eg 2/1] Frame Busters gone wrong
25. [eg 2/2] Frame Busters gone wrong
26. [eg 3/1] Frame Busters gone wrong
27. [eg 3/2] Frame Busters gone wrong
Credits (slides 22-27) : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson.
28. So does JavaScript solve this issue ?
What if I hire this guy to write a frame buster for me ... am I safe ??
29. The best FrameBuster so far..
<style>
  /* Hide the page until the script confirms it is not framed. This line is
     part of the paper's recommended buster and was left off the slide. */
  html { visibility: hidden }
</style>
<script>
if (self == top) {
  document.documentElement.style.visibility = 'visible';
} else {
  top.location = self.location;
}
</script>
Why the style rule matters: if the attacker stops the script from running (for example by sandboxing the iframe), the page simply stays blank, so there is nothing for the victim to click on.
Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh and Collin Jackson.
30. Other ways of busting frame busters.
● IE7 var location = "clobbered" : a global variable named 'location' on the attacker's page makes the framed page's reference to top.location resolve to that string in IE7, so the assignment navigates nothing.
<script> var location = "clobbered"; </script>
<iframe src="http://www.victim.com"></iframe>
● [Demo] Google Chrome "sandbox" : an iframe with the sandbox attribute (without allow-top-navigation) may still run scripts but is not allowed to navigate top, so the buster silently fails.
● [Demo] window.onbeforeunload() : the attacker registers an onbeforeunload handler on the top page; the navigation the buster attempts then triggers a prompt that can be cancelled, and the paper shows how to cancel it automatically.
33. Prevention techniques that work (in every browser that honours the header)
" X-Frame-Options "
*Just for the record we are still talking about Clickjacking
34. What are X-Frame-Options ?
"The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>.
Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites."
-- MDN
35. Using X-Frame-Options
There are three possible values for X-Frame-Options:
DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.
-- MDN
Caveat: ALLOW-FROM was only ever honoured by Internet Explorer and (until version 70) Firefox; Chrome and Safari treat it as an unrecognised value and ignore the whole header, which leaves the page frameable there. DENY or SAMEORIGIN is the safe choice, and an allow-list of framing origins is better expressed with the Content-Security-Policy frame-ancestors directive.
38. THANKS !!!!!
Remember ... Clickjacking is LAME, LAMER than ...
39. References
● [White Paper] Busting frame busting: a study of clickjacking vulnerabilities at popular sites, by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson
● https://www.owasp.org/index.php/Clickjacking
● http://en.wikipedia.org/wiki/Clickjacking
● http://en.wikipedia.org/wiki/Framekiller
● http://andlabs.org/
● http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html