06 clickjacking.pptx

Clickjacking Problem and Protection


Part of the Web Application Security Course

Transcript of 06 clickjacking.pptx

Page 1: 06 clickjacking.pptx

Clickjacking

Problem and Protection

Page 2: 06 clickjacking.pptx

Want to know how to get people to 'Like' you?

Page 3: 06 clickjacking.pptx

Clickjacking

o  Putting an evil invisible link on top of a legit visible link, then tricking a surfer into visiting their bogus page

Page 4: 06 clickjacking.pptx

Clickjacking is like CSRF

o  Both want to trick the victim into requesting something that the attacker wants

o  But Clickjacking allows them to CSRF a page that actually requires a manual click

Page 5: 06 clickjacking.pptx

How attackers do it

1.  Create a page
2.  Load an iframe with evil content
3.  Set the iframe's opacity to zero
4.  Set its z-index to -1 or -2
5.  Trick us into visiting it

Page 6: 06 clickjacking.pptx

How we protect ourselves

o  Frame-breaking scripts
o  Restricted zones
o  X-Frame-Options

Page 7: 06 clickjacking.pptx

Frame-breaking: Clobbering top.location

o  Make your pages check to see if they are in a frame

o  If so, they can 're-parent' to the top-level window
•  We can do all this in JavaScript:

<script type="text/javascript">
  if (top != self) top.location = location;
</script>

Page 8: 06 clickjacking.pptx

Breaking frame-breaking: Double-framing

o  It is illegal to set a parent's parent location
o  So if you put the iframe inside another iframe, the frame-breaking fails
•  In EvilPage1.html:

<iframe src="EvilPage2.html"></iframe>

•  In EvilPage2.html:

<iframe src="http://victimsite.com"></iframe>

o  Our frame-breaking runs inside EvilPage2. But top is the parent of EvilPage1

o  Oh no!

Page 9: 06 clickjacking.pptx

Breaking frame-breaking: set location

o  Frame-breaking requires setting 'location'
o  What if the attacker corrupts 'location'?

<script> var location = "All your frames are belong to us"; </script>
<iframe src="http://victimsite.com"></iframe>

o  The victim site then sets the attacker's location variable instead of the browser's

Page 10: 06 clickjacking.pptx

Breaking frame-breaking: onBeforeUnload

o  After the frame-breaker forces the victim site to leave the frame, it fires onBeforeUnload
•  onBeforeUnload allows cancellation!

<script>
  window.onbeforeunload = function() {
    return "Something the user will say no to.";
  };
</script>
<iframe src="http://victimsite.com"></iframe>

•  If the user answers no or cancels, it stops the running of JavaScript, including the frame-breaker

Page 11: 06 clickjacking.pptx

Breaking frame-breaking: 204 flushing

o  If a site returns a 204 No Content, then the browser will flush the request pipeline (which includes the frame-breaking JavaScript)

<script>
  var kount = 0;
  window.onbeforeunload = function() {
    kount++;
    setInterval(function() {
      if (kount > 0) {
        kount = 2;
        window.top.location = 'http://evilsite.com/204';
      }
    }, 1);
  };
</script>
<iframe src="http://www.victim.com"></iframe>

•  This floods the browser with 204s

Page 12: 06 clickjacking.pptx

Breaking frame-breaking: Using XSS filters

o  Certain browsers honor JavaScript filters: http://www.tic.com?v=<script>doBadThings()

o  Basically removes that JavaScript from the served page

o  Attackers can remove your frame-breaker: <iframe src=http://victim.com?v=<script>if(top>
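Each bypass above attacks a frame-breaker that shows the page first and then tries to navigate away, so cancelling that navigation leaves a fully visible, clickable page inside the attacker's frame. The script below is an added example, not part of these slides; it follows the pattern documented on the OWASP Clickjacking page cited at the end of the deck: a style rule hides the body by default and the script removes that rule only once it has confirmed it is the top-level window, so a cancelled navigation leaves the attacker with a blank frame. The `frameDecision` and `applyFrameGuard` names, the `antiClickjack` element id and the `win`/`doc` parameters are this example's own choices, introduced so the logic can be exercised outside a browser.

```javascript
// Added example: "hide first, reveal only at top level" frame-breaker.
// The protected page is assumed (constructed for this example) to contain:
//
//   <style id="antiClickjack">body { display: none !important; }</style>
//   <script src="frame-guard.js"></script>   <!-- this file -->
//
// The style hides everything until the script proves the page is not framed.

// Decide what to do for a window-like object: "reveal" when this document is
// the top-level window, "bust" when it is inside a frame. Kept pure so it can
// be exercised with plain objects instead of a real browser window.
function frameDecision(win) {
  // Comparing top and self is allowed across origins; reading top.location
  // is not, so the guard never reads it, only assigns to it below.
  return win.top === win.self ? "reveal" : "bust";
}

// Apply the decision: remove the hiding style when safe, otherwise navigate
// the top-level window to this page's own URL. Returns the action taken.
function applyFrameGuard(win, doc) {
  var action = frameDecision(win);
  if (action === "reveal") {
    var style = doc.getElementById("antiClickjack");
    if (style && style.parentNode) {
      style.parentNode.removeChild(style); // body becomes visible
    }
  } else {
    // Assigning top.location is permitted cross-origin. If the framing page
    // cancels the navigation (onbeforeunload, 204 flushing), the body stays
    // display:none, so there is nothing visible for a click to land on.
    win.top.location = win.self.location;
  }
  return action;
}

// Run at once in a browser; skipped when loaded under Node for testing.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameGuard(window, document);
}
```

Because the page is hidden until the check passes, the double-framing, clobbered-location and cancelled-unload tricks on the previous slides all end with an empty frame rather than a clickable one; they still prevent the page from escaping, which is why the header-based protections on the next slides remain necessary.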

Page 13: 06 clickjacking.pptx

Restricted Zones

o  You can put your whole page in its own iframe and make it restricted

<iframe src="http://victimsite.com" security="restricted"> </iframe>

o  Does not rely on JavaScript, so it can't be broken

Page 14: 06 clickjacking.pptx

X-Frame-Options will prevent framing

o  Put in the HTTP header
•  Will never serve to iframe requests: X-Frame-Options: deny
•  Will only serve to iframes in this site: X-Frame-Options: sameorigin
•  Will only serve to iframes from approved sites: X-Frame-Options: allow-from <approved site URL>

Page 15: 06 clickjacking.pptx

X-Frame-Options goes in the HTTP header

•  To do this in PHP: header('X-Frame-Options: deny');
•  To do this in .NET: Response.AddHeader("X-Frame-Options","deny");
•  To do this in Java (in a servlet filter; add the header before passing the request down the chain, otherwise the response may already be committed by the time the header is set):

HttpServletResponse r = (HttpServletResponse)response;
r.addHeader("X-FRAME-OPTIONS", "deny");
chain.doFilter(request, response);
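To make the header decisions on this slide concrete, here is an added Node.js example, not code from the slides: one function builds the header value for each policy, one models what a browser that honours the header would do for a given framing page, and a small wrapper attaches the header to every response of an `http` request handler. The function names, the `.example` origins and the request/response shapes are this example's own assumptions.

```javascript
// Added example (Node.js): building and evaluating X-Frame-Options.
// Function names and the .example origins are constructed for this example.

// Build the header value for a policy. ALLOW-FROM takes exactly one origin
// (scheme + host [+ port]); a missing or unparsable origin is an error rather
// than a silently permissive header.
function xfoHeaderValue(policy, allowedOrigin) {
  switch (policy) {
    case "deny":
      return "DENY";
    case "sameorigin":
      return "SAMEORIGIN";
    case "allow-from":
      if (!allowedOrigin) throw new Error("allow-from needs an origin");
      return "ALLOW-FROM " + new URL(allowedOrigin).origin; // throws on bad input
    default:
      throw new Error("unknown X-Frame-Options policy: " + policy);
  }
}

// Model a browser that honours the header: may a page served from `pageOrigin`
// with this header value be displayed inside a frame whose top-level document
// lives at `framerOrigin`? Returns true when framing is allowed.
// Note: real browsers compare SAMEORIGIN against every ancestor frame, not
// only the top one; the double-framing slide shows why that matters.
function framingAllowed(headerValue, pageOrigin, framerOrigin) {
  if (!headerValue) return true; // no header: framable by anyone (the default)
  var parts = headerValue.trim().split(/\s+/);
  var directive = parts[0].toUpperCase();
  if (directive === "DENY") return false;
  if (directive === "SAMEORIGIN") return pageOrigin === framerOrigin;
  if (directive === "ALLOW-FROM" && parts[1]) {
    return new URL(parts[1]).origin === framerOrigin;
  }
  // A value the browser does not recognise is ignored, which is the same as
  // sending no header at all (the next slide lists which browsers recognise what).
  return true;
}

// Wrap an http request handler so every response carries the header.
// Usage: http.createServer(withFrameOptions(handler, "deny")).listen(8080);
function withFrameOptions(handler, policy, allowedOrigin) {
  var value = xfoHeaderValue(policy, allowedOrigin); // fail fast at startup
  return function (req, res) {
    res.setHeader("X-Frame-Options", value);
    return handler(req, res);
  };
}
```

The wrapper computes the header value once, so a misspelled policy or a bad allow-from origin fails when the server starts rather than silently shipping pages without protection; the evaluator is useful when reviewing what a given value actually buys you against a particular framing origin.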

Page 16: 06 clickjacking.pptx

Unfortunately, X-Frame-Options isn't perfect either.

o  We're still waiting on 100% adoption in all the browsers.

o  Firefox 18+
o  IE9+
o  Chrome (does not support allow-from)
o  Opera (does not support allow-from)
o  Safari 6.0.4+ (but not allow-from)

Page 17: 06 clickjacking.pptx

Summary

o  Attackers can trick victim browsers into clicking on things in victim websites by putting that website in a transparent iframe

o  We harden our sites through frame-breaking, restricted zones and/or X-Frame-Options

o  Frame-breaking can be broken by aborting the JavaScript somehow

o  Restricted zones and X-Frame-Options are browser-dependent

o  There is no perfect solution. :-(

Page 18: 06 clickjacking.pptx

Further study

o  OWASP's Clickjacking page: https://www.owasp.org/index.php/Clickjacking
o  Protecting frame-breaking: https://www.codemagi.com/blog/post/194