Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 361S Clickjacking Vitaly Shmatikov. slide 2 Reading Assignment u“Next Generation Clickjacking” u“Clickjacking: Attacks and Defenses”

Published byOsborn Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "CS 361S Clickjacking Vitaly Shmatikov. slide 2 Reading Assignment u“Next Generation Clickjacking” u“Clickjacking: Attacks and Defenses”"— Presentation transcript:

1 CS 361S Clickjacking Vitaly Shmatikov

2 slide 2 Reading Assignment u“Next Generation Clickjacking” u“Clickjacking: Attacks and Defenses”

3 uAttacker overlays multiple transparent or opaque frames to trick a user into clicking on a button or link on another page uClicks meant for the visible page are hijacked and routed to another, invisible page Clickjacking (UI Redressing) slide 3 [Hansen and Grossman 2008]

4 Clickjacking in the Wild uGoogle search for “clickjacking” returns 624,000 results… this is not a hypothetical threat! uSummer 2010: Facebook worm superimposes an invisible iframe over the entire page that links back to the victim's Facebook page If victim is logged in, automatically recommends link to new friends as soon as the page is clicked on uMany clickjacking attacks against Twitter Users send out tweets against their will slide 4

5 Clickjacking Meets Spamming slide 5

6 It’s All About iFrame uAny site can frame any other site <iframe src=“http://www.google.com/...”> uHTML attributes Style Opacity defines visibility percentage of the iframe –1.0: completely visible –0.0: completely invisible slide 6

7 Hiding the Target Element  Use CSS opacity property and z-index property to hide target element and make other element float under the target element  Using CSS pointer-events: none property to cover other element over the target element Click z-index: -1 opacity: 0.1pointer-event: none Click slide 7 [“Clickjacking: Attacks and Defenses”]

8 Partial Overlays and Cropping  Overlay other elements onto an iframe using CSS z-index property or Flash Window Mode wmode=direct property uWrap target element in a new iframe and choose CSS position offset properties slide 8 [“Clickjacking: Attacks and Defenses”] z-index: 1 PayPal iframe

9 Drag-and-Drop API uModern browsers support drag-and-drop API uJavaScript can use it to set data being dragged and read it when it’s dropped uNot restricted by the same origin policy: data from one origin can be dragged to a frame of another origin Reason: drag-and-drop can only be initiated by user’s mouse gesture, not by JavaScript on its own slide 9 [“Next Generation Clickjacking”]

10 Abusing Drag-and-Drop API slide 10 [“Next Generation Clickjacking”] Frog. Blender. You know what to do. 1. Bait the user to click and start dragging 2. Invisible iframe with attacker’s text field under mouse cursor, use API to set data being dragged 3. Invisible iframe from another origin with a form field Attack webpage 666666 666666 666666 With two drag-and-drops (simulated scrollbar, etc.), can select and extract arbitrary content from another origin

11 Fake Cursors  Use CSS cursor property and JavaScript to simulate a fake cursor icon on the screen slide 11 [“Clickjacking: Attacks and Defenses”] Real cursor iconFake cursor icon cursor: none

12 Keyboard “Strokejacking” uSimulate an input field getting focus, but actually the keyboard focus is on target element, forcing user to type some unwanted information into target element slide 12 [“Clickjacking: Attacks and Defenses”] Transfer Bank Transfer Bank Account: ________ Amount: ___________ USD Typing Game Type whatever screen shows to you Xfpog95403poigr06=2kfpx [__________________________] Attacker’s page Hidden iframe within attacker’s page 9540 3062

13 Compromising Temporal Integrity uManipulate UI elements after the user has decided to click, but before the actual click occurs slide 13 [“Clickjacking: Attacks and Defenses”] Click

14 Cursor Spoofing slide 14 [“Clickjacking: Attacks and Defenses”]

15 Double-Click Attack uBait the user to perform a double-click, switch focus to a popup window under the cursor right between the two clicks slide 15 [“Clickjacking: Attacks and Defenses”] First click Second click

16 Whack-A-Mole Attack uAsk the user to click as fast as possible, suddently switch Facebook Like button slide 16 [“Clickjacking: Attacks and Defenses”]

17 Solution: Frame Busting uI am a page owner uAll I need to do is make sure that my web page is not loaded in an enclosing frame … Clickjacking: solved! Does not work for FB “Like” buttons and such, but Ok uHow hard can this be? if (top != self) top.location.href = location.href slide 17

18 Frame Busting in the Wild uSurvey by Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson Following slides shamelessly jacked from Rydstedt slide 18

19 Conditional Statements if (top != self) if (top.location != self.location) if (top.location != location) if (parent.frames.length > 0) if (window != top) if (window.top !== window.self) if (window.self != window.top) if (parent && parent != window) if (parent && parent.frames && parent.frames.length>0) if((self.parent&& !(self.parent===self))&& (self.parent.frames.length!=0)) If My Frame Is Not On Top … slide 19

20 Counter-Action Statements top.location = self.location top.location.href = document.location.href top.location.href = self.location.href top.location.replace(self.location) top.location.href = window.location.href top.location.replace(document.location) top.location.href = window.location.href top.location.href = "URL" document.write(’’) top.location = location top.location.replace(document.location) top.location.replace(’URL’) top.location.href = document.location top.location.replace(window.location.href) top.location.href = location.href self.parent.location = document.location parent.location.href = self.document.location top.location.href = self.location top.location = window.location top.location.replace(window.location.pathname) slide 20 … Move It To Top

21 What About My Own iFrames? uCheck: is the enclosing frame one of my own? uHow hard can this be? uSurvey of several hundred top websites … … all frame busting code is broken! slide 21

22 Courtesy of Walmart if (top.location != location) { if(document.referer && document.referer.indexOf("walmart.com") == -1) { top.location.replace(document.location.href); } slide 22

23 Error in Referer Checking From http://www.attacker.com/walmart.com.html slide 23

24 Courtesy of if (window.self != window.top && !document.referer.match( /https?:\/\/[^?\/]+\.nytimes\.com\//)) { self.location = top.location; } slide 24

25 Error in Referer Checking From http://www.attacker.com/a.html?b=https://www.nytimes.com/ slide 25

26 Courtesy of if (self != top) { var domain = getDomain(document.referer); var okDomains = /usbank|localhost|usbnet/; var matchDomain = domain.search(okDomains); if (matchDomain == -1) { // frame bust } slide 26

27 Error in Referer Checking From http://usbank.attacker.com/ slide 27

28 Strategic Relationship? Norwegian State House Bank http://www.husbanken.no slide 28

29 Strategic Relationship? Bank of Moscow http://www.rusbank.org slide 29

30 Courtesy of try{ A=!top.location.href } catch(B){} A=A&& !(document.referer.match(/^https?:\/\/[-az09.] *\.google\.(co\.|com\.)? [a-z] +\/imgres/i))&& !(document.referer.match(/^https?:\/\/([^\/]*\.)? (myspace\.com| myspace\.cn| simsidekick\.com| levisawards\.com| digg\.com)\//i)); if(A){ // Frame bust } slide 30

31 Google Images does not frame bust Do Your Trusted Sites Frame Bust? slide 31

32 Many Attacks on Referer Header uOpen redirect referer changer uHTTPS->HTTP redirect changes the header uApparently, hard to get regular expression right uTrust other sites to frame your pages, but what if those trusted sites can be framed themselves? slide 32

33 Typical Frame Busting Code if(top.location != self.location) { parent.location = self.location; } slide 33

34 Who Is Your Daddy Parent? framed1.html framed2.html slide 34 Double framing!!

35 Who Is On Top? If top.location can be changed or disabled, this code is useless if (top.location != self.location) top.location = self.location slide 35

36 Location Clobbering uIE 7 var location=“clobbered”; uSafari window.__defineSetter__("location", function(){}); top.location now undefined slide 36

37 User Can Stop Frame Busting uUser can manually cancel any redirection attempt made by frame busting code uAttacker just needs to ask… window.onbeforeunload = function() { return ”Do you want to leave PayPal?"; } slide 37

38 Ask Nicely slide 38

39 … Or Don’t Even Ask uMost browsers let attacker cancel the relocation programmatically var prevent_bust = 0 window.onbeforeunload = function() {kill_bust++ } setInterval(function() { if (kill_bust > 0) { kill_bust -= 2; window.top.location = 'http://no-content-204.com' } }, 1); slide 39

40 X-Frame-Options uHTTP header sent with the page uTwo possible values: DENY and SAMEORIGIN uDENY: page will not render if framed uSAMEORIGIN: page will only render if top frame has the same origin slide 40

41 Adoption of X-Frame-Options uGood adoption by browsers uPoor adoption by sites uLimitations Per-page policy No whitelisting of origins Proxy problems slide 41

42 Content Security Policy (Firefox 4) uAnother HTTP header: frame-ancestors directive can specify allowed framers uAllows specific restrictions and abilities per site slide 42

43 html { visibility: hidden } if (self == top) { document.documentElement.style.visibility = 'visible'; } else { top.location = self.location; } Best For Now (Still Not Good) slide 43

44 These Sites Do Frame Busting slide 44

45 slide 45 Do These?

46 SiteURLFramebusting Facebookhttp://m.facebook.com/ YES MSNhttp://home.mobile.msn.com/ NO GMailhttp://m.gmail.com NO Baiduhttp://m.baidu.com NO Twitterhttp://mobile.twitter.com NO MegaVideohttp://mobile.megavideo.com/ NO Tube8http://m.tube8.com NO PayPalhttp://mobile.paypal.com NO USBankhttp://mobile.usbank.com NO First Interstate Bankhttp://firstinterstate.mobi NO NewEgghttp://m.newegg.com/ NO MetaCafehttp://m.metacafe.com/ NO RenRenhttp://m.renren.com/ NO MySpacehttp://m.myspace.com NO VKontaktehttp://pda.vkontakte.ru/ NO WellsFargohttps://m.wf.com/ NO NyTimeshttp://m.nytimes.com Redirect E-Zine Articleshttp://m.ezinearticles.com Redirect slide 46 Frame Busting on Mobile Sites

47 Tapjacking uZoom buttons in a transparent iframe so that they cover entire screen uHide or fake URL bar uMake a page that masquerades as a known application to trick user into clicking Read more: http://seclab.stanford.edu/websec/framebusting/ slide 47

Download ppt "CS 361S Clickjacking Vitaly Shmatikov. slide 2 Reading Assignment u“Next Generation Clickjacking” u“Clickjacking: Attacks and Defenses”"

Similar presentations

Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson

Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
23-Aug-14 HTML/XHTML Forms. 2 What are forms? is just another kind of XHTML/HTML tag Forms are used to create (rather primitive) GUIs on Web pages Usually.

23-Aug-14 HTML/XHTML Forms. 2 What are forms? is just another kind of XHTML/HTML tag Forms are used to create (rather primitive) GUIs on Web pages Usually.
Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:

Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:
Sriram DRUPAL GCI - 2010. What is a drop down menu? A drop down menu is a menu of options that appears when an item is selected with a mouse. The item.

Sriram DRUPAL GCI What is a drop down menu? A drop down menu is a menu of options that appears when an item is selected with a mouse. The item.
Clickjacking Attacks and Defenses.

Clickjacking Attacks and Defenses.
Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.

Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.
Intermediate Level Course. Text Format The text styles, bold, italics, underlining, superscript and subscript, can be easily added to selected text. Text.

Intermediate Level Course. Text Format The text styles, bold, italics, underlining, superscript and subscript, can be easily added to selected text. Text.
Ch. 6 Web Page Design – Absolute Positioning, Image Maps, and Navigation Bars Mr. Ursone.

Ch. 6 Web Page Design – Absolute Positioning, Image Maps, and Navigation Bars Mr. Ursone.
Clickjacking: Attacks and Defenses Lin-Shung Huang, Alexander Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon University.

Clickjacking: Attacks and Defenses Lin-Shung Huang, Alexander Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon University.
Links and Comments.

Links and Comments.
New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.

New Computer Security Threat - ClickJacking Ehab Ashary CS591-F2010 University of Colorado, Colorado Springs Dr. C.Edward Chow.
Form Basics CS380 1. Web Data  Most interesting web pages revolve around data  examples: Google, IMDB, Digg, Facebook, YouTube, Rotten Tomatoes  can.

Form Basics CS Web Data  Most interesting web pages revolve around data  examples: Google, IMDB, Digg, Facebook, YouTube, Rotten Tomatoes  can.
Macromedia Dreamweaver 4 Advanced Level Course. Add Rollovers Rollovers or mouseovers are possibly the most popular effects used in designing Web pages.

Macromedia Dreamweaver 4 Advanced Level Course. Add Rollovers Rollovers or mouseovers are possibly the most popular effects used in designing Web pages.
JavaScript, Third Edition

JavaScript, Third Edition
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Similar presentations

Ads by Google