UI Redressing

self.Intro()

Works for Payatu Technologies (www.payatu.com) as an

AppSec Consultant.

Author of 'game|over' – A Linux distro built for learning web app

security.

Member of null – The Open Security Community www.null.co.in

Moderating the #null #Pune Chapter ;)

Very #Annoying too … so u might wanna shoot me in the head

<NOT_Certified> C|EH , AFCEH .. or any other certification </NOT_Certified>

Agenda

Introduction to UI Redressing/Clickjacking.

Elements of basic clickjacking.

Advanced Clickjacking techniques.

Some cool demos :)

Prevention techniques that Suck !!

Prevention techniques that dont ….

Running away as fast as I can before somebody shoots me in the

Already Bored ???

So what is UI Redressing/Clickjacking ??

“ … is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages ”

UI Redress attack a.k.a Clickjacking

The term "clickjacking" was coined by Jeremiah Grossman and Robert 'RSnake' Hansen in 2008.

It is seen as a type of 'Confused Deputy' attack against the browser ….....

Now you are confused …....... arent you ??

Lets watch a video …....

Aaiilaa ... its NOT what it looks like !!!

Pic taken from : http://detower.com/id12.html

In a nut-shell

Pic from :http://www.protecht.ca/blog/clickjacking-niagara

So what do we need to redress the UI

Iframes : Used to embed one website inside another.Syntax : <iframe src=”null.co.in” ></iframe>

Opacity : Used to change the transparency of html elements.

Stacking Order : Using the 'z-index' property we can stack the HTML elements on top of one another.

Basic Clickjacking

[ Demo ]: Basic Clickjacking.

So what about text fields ?

Q: Is it possible to make a user enter text ??

A: YES !!!

Q: But how ??

Muhahahahahahaha...!!!

Advanced Clickjacking Techniques

[ Demo ]: Advanced Clickjacking attack.

[Demo]: Content Extraction using Drag and drop

So we can hijack clicks as well as text …..

Thats practically everything a user does ….

So how do we prevent UI Redress Attacks ??

Prevention techniques that don't always work

*Yes I am still talking about Clickjacking

Frame Busters

“Frame buster / Framekiller is a piece of JavaScript code that prevents a Web page from being displayed within a frame.”

Basic Frame Busting code.

Basic frame busters

[Demo:] Basic Frame Busters

Some common frame busters ..

Credits : Busting Frame Busting:a Study of Clickjacking Vulnerabilities on Popular Sites.

By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson

Q: So are we safe from a UI Redress Attack ?A: NO !!!

And here comes “Double Framing Attack”.

Busting Frame Busters

[Demo] : Double Framing Attack

[eg 1/1] Frame Busters gone wrong

Credits : Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites. By -Gustav Rydstedt, Elie Bursztein, Dan Boneh Collin Jackson

So do Javascripts solve this issue ?

What if I hire this guy to write a frame buster for me

Am I safe ??

The best FrameBuster so far..

if (self == top){ document.documentElement.style.visibility='visible';}else{ top.location = self.location;}</script>

Other ways of busting frame busters.

● IE7 var location = “clobbered” <script> var location = "clobbered";

</script> <iframe src="http://www.victim.com">

</iframe>

● [Demo] Google Chrome “sandbox”

● [Demo] window.onbeforeunload()

Prevention techniques that work

● Ask for a users password.

Prevention techniques that work

● CAPTCHA

Prevention techniques that will always work

“ X-Frame-Options ”

*Just for the record we are still talking about Clickjacking

What are X-Frame-Options ?

“The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.”

–- MDN

Using X-Frame-Options

There are three possible values for X-Frame-Options:

DENY The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri The page can only be displayed in a frame on the specified origin.

[Demo] : Setting X-Frame-Options in PHP

Any Questions ??

Remember …... Clickjacking is LAME

LAMER than

THANKS !!!!!

References

● [White Paper] Busting frame busting: a study of clickjacking vulnerabilities at popular sites [BIBTEX] by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson

● https://www.owasp.org/index.php/Clickjacking● http://en.wikipedia.org/wiki/Clickjacking● http://en.wikipedia.org/wiki/Framekiller● http://andlabs.org/● http://blog.skepticfx.com/2011/09/facebook-graph-api-access-token.html

UI Redressing

Education

UI Redressing: Attacks and Countermeasures Revisitedindex-of.co.uk/Clickjacking/uiRedressing.pdf · “clickjacking” and it is also known under the previously used term “UI redressing”

UI Redressing: Attacks and Countermeasures Revisited

Clickjacking und UI-Redressing – Vom Klick-Betrug zum ...€¦6 2 Grundlagen Zur Veranschaulichung ist ein TCP-Stream [93] mit Request- bzw-Reponse-Nachrichten in den Codebeispielen

Redressing the gender balance

Redressing the balance: the status and valuation of ... · Redressing the balance: the status and valuation of teaching in academic careers in the biomedical sciences . ... science,

RedRessing the balance2 REDRESSING THE BALANCE How management accountants drive sustainable corporate strategies It is becoming more and more important for organisations to consider

More attacks on Clients: Clickjacking/UI redressing, CSRF · 2015-04-07 · More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7

UI-Redressing Attacks - The Process & Exploitation

Redressing racial inequities through water law in South Africa

PUBLIC AND PRIVATE JUSTICE: REDRESSING HEALTH CARE …

Krzysztof Kotowicz Securing OWASP krzysztof.kotowicz@securing · OWASP About me •security researcher •HTML 5 •UI redressing / clickjacking •xss-track, squid-imposter,

REDRESSING THE ASYMMETRIES OF INTERNATIONAL INVESTMENT …

Owning Your Home Network: Router Security Revisited · REQUEST FORGERY (CSRF), AND UI REDRESSING This section provides the basic technical background on the different attack types

Parliaments and Human Rights: Redressing the democratic deficit

Closing the Achievement Gap through Early Social Emotional ...ph2018.isilive.ca/files/256/Redressing the... · Redressing the Achievement Gap through Early Social Emotional Learning

Recommendations for Redressing Historical Wrongs Against ...najc.ca/wp/wp-content/uploads/2019/11/NAJC_BC... · I am honoured to submit Redressing Historical Wrongs Against Japanese

More attacks on clients: Click-jacking/UI redressing, CSRF

Clickjacking und UI-Redressing...Einleitung Angri e Gegenmaˇnahmen Zusammenfassung und Ausblick Clickjacking und UI-Redressing Marcus Niemietz marcus.niemietz@rub.de Ruhr-Universit

Software and Web Security 2 - Institute for Computing and ... · Clickjacking and UI redressing • These attacks try to abuse the trust that the user has in a web page – in what

UI-Redressing-Angriffe auf Android - OWASP · CONFidence, SIGINT, PHDays, ... Twitter: @mniemietz . OWASP 3 Überblick Einführung Angriffe und Gegenmaßnahmen UI-Redressing Tapjacking