New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.

Presentation transcript:

What is ClickJacking?
"The basic idea is that an attacker loads the content of an external site into the site you're visiting, sets the external content to be invisible and then overlays the page you're looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants."
Ehab Ashary 12/8/2010 2

Why Should I care?
- It is transparent
- Simple to implement
- Difficult to stop
- No one has yet come up with an effective solution

Attack                      Google results   Age
SQL Injection               1,440,000        ~12 years old
Cross-Site Scripting (XSS)  1,150,000        ~14 years old
ClickJacking                265,000          ~2 years old

How?
It is all about the iFrame: any site can frame any other site.
HTML attributes:
- Style: lays out the HTML element
- Opacity: defines the visibility percentage of the iFrame
  - 1.0: completely visible
  - 0.0: completely invisible

Facebook, Like or Unlike
(Slides 5 to 8 are screenshots of the Like-button demo; the only text captured is a fragment of the Like button's iframe query string.)
how_faces=false&width=50&action=like&colorscheme=light&height=21

Mitigation Techniques
HTTP Response Header: X-Frame-Options
- Supported by Internet Explorer 8+, Opera 10.5+, Safari 4+, Chrome 4
- DENY prevents the page from being rendered if it is within a frame
- SAMEORIGIN prevents the page from rendering if it is within a frame from another top-level domain
- Apache configuration (use one or the other):
    Header append X-FRAME-OPTIONS "SAMEORIGIN"
    Header append X-FRAME-OPTIONS "DENY"
Frame Busting Script
- Used to determine if the site is being rendered in a frame
- Can be defeated
    if (top.location.hostname != self.location.hostname)
        top.location.href = self.location.href;
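The following is an added example, not code from Ehab Ashary's slides: it models how a browser applies the two X-Frame-Options values the slide lists (DENY and SAMEORIGIN) as a pure function, and adds a small helper for emitting the header from a Node.js handler. It assumes the browser's SAMEORIGIN comparison is on the full origin (scheme, host and port), which is how browsers implement it, and that an unrecognised header value is ignored, so the page renders framed exactly as if no header were sent. The hostnames bank.example and evil.example are constructed.

```javascript
// Added example (not from the slides): how a browser evaluates X-Frame-Options,
// plus a helper that sets the header on a Node.js response.
// Assumption: SAMEORIGIN compares origins (scheme://host[:port]); an unknown
// value is ignored. Hostnames used in the demo are constructed.

// Origin as the browser compares it; default ports are dropped by URL.origin.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Decide whether a document fetched from pageUrl and served with the given
// X-Frame-Options value may render when the top-level document is topUrl.
// topUrl === null means the document itself is the top-level page (not framed).
function framingAllowed(headerValue, pageUrl, topUrl) {
  if (topUrl === null) return true; // not inside a frame, nothing to block
  const value = (headerValue || "").trim().toUpperCase();
  switch (value) {
    case "DENY":
      return false; // never render inside any frame
    case "SAMEORIGIN":
      return originOf(pageUrl) === originOf(topUrl);
    default:
      // No header, or a value the browser does not recognise: the header is
      // ignored and the framed page renders. This is the default that makes
      // clickjacking possible in the first place.
      return true;
  }
}

// Attach the header in a Node.js http handler. Only the two values the slide
// describes are accepted, so a misspelling cannot silently disable protection.
const ALLOWED_VALUES = new Set(["DENY", "SAMEORIGIN"]);

function setFrameOptions(res, value) {
  const v = String(value).trim().toUpperCase();
  if (!ALLOWED_VALUES.has(v)) {
    throw new Error("unsupported X-Frame-Options value: " + value);
  }
  res.setHeader("X-Frame-Options", v);
  return v;
}

// Stand-alone demo over a few constructed framing scenarios.
const demoPage = "https://bank.example/transfer";
const scenarios = [
  ["(no header)", undefined, "https://evil.example/"],
  ["DENY", "DENY", "https://evil.example/"],
  ["SAMEORIGIN", "SAMEORIGIN", "https://bank.example/"],
  ["SAMEORIGIN", "SAMEORIGIN", "https://evil.example/"],
  ["SAMEORIGIN", "SAMEORIGIN", "http://bank.example/"], // same host, other scheme
];
for (const [label, header, top] of scenarios) {
  const verdict = framingAllowed(header, demoPage, top) ? "renders" : "blocked";
  console.log(label.padEnd(12) + " framed by " + top.padEnd(24) + " -> " + verdict);
}
```

The last scenario is the one people get wrong when they read SAMEORIGIN as "same domain": an http:// top-level page framing the https:// document is a different origin and is blocked, which is the behaviour a defender wants. The helper's whitelist also guards against the header-value typos that leave a site unprotected while looking configured.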

Mitigation Techniques
- Use a non-graphical web browser such as Lynx
- Install the NoScript Firefox plug-in, which blocks embedded content from untrusted domains
- Trust no one on the Internet

References
- New Insights into Clickjacking, OWASP AppSec Research
- Next Generation Clickjacking: New attacks against framed web pages, Black Hat Europe, 14th April

Questions?