06 clickjacking.pptx
Uploaded by rap-payne
Transcript of 06 clickjacking.pptx
Clickjacking
Problem and Protection
Want to know how to get people to 'Like' you?
Clickjacking
o Putting an evil invisible link on top of a legit visible link, then tricking a surfer into visiting the attacker's bogus page
Clickjacking is like CSRF
o Both want to trick the victim into requesting something that the attacker wants
o But Clickjacking allows them to CSRF a page that actually requires a manual click
How attackers do it
1. Create a page
2. Load an iframe with evil content
3. Set the iframe's opacity to zero
4. Set its z-index to -1 or -2
5. Trick us into visiting it
How we protect ourselves
o Frame-breaking scripts
o Restricted zones
o X-Frame-Options
Frame-breaking: Clobbering top.location
o Make your pages check to see if they are in a frame
o If so, they can 're-parent' to the top-level window
• We can do all this in JavaScript
<script type="text/javascript"> if (top != self) top.location = location </script>
Breaking frame-breaking: Double-framing
o It is illegal to set a parent's parent location
o So if you put the iframe inside another iframe, the frame-breaking fails
• In EvilPage1.html:
<iframe src="EvilPage2.html">
• In EvilPage2.html:
<iframe src="http://victimsite.com">
o Our frame-breaking runs inside EvilPage2. But top is the parent of EvilPage1
o Oh no!
Breaking frame-breaking: set location
o Frame-breaking requires setting 'location'
o What if the attacker corrupts 'location'?
<script> var location="All your frames are belong to us"; </script>
<iframe src="http://victimsite.com" />
o The victim site then sets the attacker's location variable instead of the browser's
Breaking frame-breaking: onBeforeUnload
o After the frame-breaker forces the victim site to leave the frame, it fires onBeforeUnload
• onBeforeUnload allows cancellation!
<script> window.onbeforeunload = function(){ return "Something the user will say no to."; } </script>
<iframe src="http://victimsite.com">
• If the user answers no or cancels, it stops the running of JavaScript, including the frame-breaker
Breaking frame-breaking: 204 flushing
o If a site returns a 204-No Content, then the browser will flush the request pipeline (which includes the frame-breaking JavaScript)
var kount = 0;
window.onbeforeunload = function() {
  kount++;
  setInterval(function() {
    if (kount > 0) {
      kount = 2;
      window.top.location = 'http://evilsite.com/204';
    }
  }, 1);
}
<iframe src="http://www.victim.com">
• This floods the browser with 204s
Breaking frame-breaking: Using XSS filters
o Certain browsers apply reflected-XSS filters to URLs like: http://www.tic.com?v=<script>doBadThings()
o Basically removes that JavaScript from the served page
o Attackers can remove your frame-breaker: <iframe src=http://victim.com?v=<script>if(top>
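An added example, not from the slides: a frame-breaker in the style OWASP recommends, which hides the page body by default and reveals it only after confirming it is the top-level window. If an attacker aborts the navigation (the onBeforeUnload prompt or 204 flushing above), the framed page simply stays invisible, so there is nothing for the user to click; it does not help when the script itself is stripped by an XSS filter, which is what X-Frame-Options covers. The function names and the fake window objects are my own.

```javascript
// Pure decision logic, kept separate from the DOM so it can be tested
// outside a browser. `win` is any object exposing `self`, `top` and
// `location` the way a Window does.
function frameBreakAction(win) {
  if (win.self === win.top) {
    return { reveal: true, navigateTo: null }; // not framed: show the page
  }
  // Framed: keep the body hidden and ask the browser to replace the top
  // window with this page. Read the URL from `self.location.href`, not a
  // bare global `location` that an attacker page may have clobbered.
  return { reveal: false, navigateTo: win.self.location.href };
}

// Markup to emit first in <head>: hides everything until the script below
// proves the page is top-level. `!important` resists attacker CSS overrides.
const ANTI_CLICKJACK_HEAD =
  '<style id="antiClickjack">body{display:none !important;}</style>';

// Browser-side application of the decision. `doc` is the Document (or a
// test double exposing getElementById).
function applyFrameBreaker(win, doc) {
  const action = frameBreakAction(win);
  if (action.reveal) {
    // Only now remove the hiding rule so the content becomes visible.
    const style = doc.getElementById('antiClickjack');
    if (style && style.parentNode) style.parentNode.removeChild(style);
  } else {
    // If this navigation is cancelled or flushed, the body stays hidden.
    win.top.location = action.navigateTo;
  }
  return action;
}

// Run automatically only where a real DOM exists.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameBreaker(window, document);
}
```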
Restricted Zones
o You can put your whole page in its own iframe and make it restricted
<iframe src="http://victimsite.com" security="restricted"> </iframe>
o Does not rely on JavaScript, so it can't be broken
X-Frame-Options will prevent framing
o Put in the HTTP header
• Will never serve to iframe requests: X-Frame-Options: deny
• Will only serve to iframes in this site: X-Frame-Options: sameorigin
• Will only serve to iframes from approved sites: X-Frame-Options: allow-from <approved-site-url>
X-Frame-Options goes in the HTTP header
• To do this in PHP:
header('X-Frame-Options: deny');
• To do this in .NET:
Response.AddHeader("X-Frame-Options", "deny");
• To do this in Java (set the header before passing the response down the filter chain, otherwise it may already be committed):
HttpServletResponse r = (HttpServletResponse) response;
r.addHeader("X-FRAME-OPTIONS", "deny");
chain.doFilter(request, response);
Unfortunately, X-Frame-Options isn't perfect either.
o We're still waiting on 100% adoption in all the browsers.
o Firefox 18+
o IE9+
o Chrome (does not support allow-from)
o Opera (does not support allow-from)
o Safari 6.0.4+ (but not allow-from)
Summary
o Attackers can trick victim browsers into clicking on things in victim websites by putting that website in a transparent iframe
o We harden our sites through frame-breaking, restricted zones and/or X-Frame-Options
o Frame-breaking can be broken by aborting the JavaScript somehow
o Restricted zones and X-Frame-Options are browser-dependent
o There is no perfect solution. :-(
Further study
o OWASP's Clickjacking page: https://www.owasp.org/index.php/Clickjacking
o Protecting frame-breaking: https://www.codemagi.com/blog/post/194