I haz your mouse clicks and key strokes

I haz your mouse clicks & key strokes Akash Mahajan @ MetaRefresh 2012

description

This technically light talk + demo shows what User Interface Redressing attacks are and how they work. Web applications using HTML5 + JavaScript + CSS + modern browsers are vulnerable to attacks such as Clickjacking, Strokejacking, Cursor Tracking, Unexploitable XSS and Facebook Like attacks. TL;DR: Cool demo and simple-to-understand explanation of Clickjacking.

Transcript of I haz your mouse clicks and key strokes

Page 1: I haz your mouse clicks and key strokes

I haz your mouse clicks & key strokes

Akash Mahajan @ MetaRefresh 2012

Page 2: I haz your mouse clicks and key strokes

click · jack · ing |klɪk ˈdʒækɪŋ| verb

1. User Interface redress attack, UI redress attack, UI Redressing

2. is when an attacker uses transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is hijacking clicks and/or keystrokes

Page 8: I haz your mouse clicks and key strokes

How to like anything on Facebook/Internet

Page 9: I haz your mouse clicks and key strokes

Flash Settings Player : Because SWF files can be iframed!

Page 10: I haz your mouse clicks and key strokes

Twitter Don’t Click Attack

Page 11: I haz your mouse clicks and key strokes

[Image: panels labelled REAL, FAKE, FAKE, REAL]

Page 12: I haz your mouse clicks and key strokes

Mitigations

• Frame Busting: why it fails

• X-Frame-Options header

Page 13: I haz your mouse clicks and key strokes

Frame Busting / Frame Killers

if (top.location != location) top.location = self.location;

Page 14: I haz your mouse clicks and key strokes

Best JavaScript code for Frame Busting

<style>html { visibility: hidden }</style>
<script>
if (self == top) {
  document.documentElement.style.visibility = 'visible';
} else {
  top.location = self.location;
}
</script>

Page 15: I haz your mouse clicks and key strokes

X-Frame-Options

• Used to prevent Clickjacking

• Doesn’t allow page to be rendered in a frame

• DENY: don’t render at all if inside a frame; SAMEORIGIN: render only if the framing page is served from the same origin

• IE8+, FF4+, Chrome5+
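
A header audit for the DENY / SAMEORIGIN rules above, as an added example that is not part of the original slides. The function names, the `bank.example` URLs and the sample headers are constructed for illustration, and treating ambiguous or unknown values as "no protection" is this audit's own conservative assumption.

```javascript
// Added example (not from the talk): audit a response's X-Frame-Options header.

// Returns 'DENY', 'SAMEORIGIN', or null when no usable policy is present.
function effectivePolicy(headers) {
  // HTTP header names are case-insensitive.
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'x-frame-options');
  if (key === undefined) return null;
  // A header sent twice usually arrives as an array or a comma-joined string.
  const tokens = [].concat(headers[key]).join(',')
    .split(',').map(t => t.trim().toUpperCase()).filter(t => t !== '');
  const distinct = [...new Set(tokens)];
  // Audit rule (assumption): conflicting or unknown values count as
  // unprotected, so that they get reported and fixed.
  if (distinct.length !== 1) return null;
  return distinct[0] === 'DENY' || distinct[0] === 'SAMEORIGIN' ? distinct[0] : null;
}

// As judged by this audit: may a page at pageUrl be shown in a frame on parentUrl?
function framingAllowed(pageUrl, parentUrl, headers) {
  const policy = effectivePolicy(headers);
  if (policy === 'DENY') return false;
  if (policy === 'SAMEORIGIN') {
    // Origin = scheme + host + port, so http:// and https:// differ.
    return new URL(pageUrl).origin === new URL(parentUrl).origin;
  }
  return true; // no usable header: any site can frame the page
}

// Constructed sample responses for a hypothetical page.
const samples = [
  { name: 'no header',   headers: { 'Content-Type': 'text/html' } },
  { name: 'deny',        headers: { 'X-Frame-Options': 'DENY' } },
  { name: 'sameorigin',  headers: { 'x-frame-options': 'sameorigin' } },
  { name: 'typo value',  headers: { 'X-Frame-Options': 'SAME-ORIGIN' } },
  { name: 'conflicting', headers: { 'X-Frame-Options': ['DENY', 'SAMEORIGIN'] } },
];

// One report line per sample for a given framing page.
function audit(pageUrl, parentUrl) {
  return samples.map(s =>
    `${s.name}: ${framingAllowed(pageUrl, parentUrl, s.headers) ? 'FRAMEABLE' : 'blocked'}`);
}

console.log(audit('https://bank.example/transfer', 'https://other.example/page').join('\n'));
```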

Page 16: I haz your mouse clicks and key strokes

Akash Mahajan

That Web Application Security Guy

http://akashm.com | @makash [email protected] | 9980527182

Page 17: I haz your mouse clicks and key strokes

References

• Keyboard Cat CC NC SA http://www.flickr.com/photos/atomicshark/144630706/sizes/o/in/photostream/

• I haz your mouse clicks and key strokes http://cheezburger.com/6135914240

• Just One question http://www.quickmeme.com/meme/3ow548/

• Slides 6 and 7 from https://www.owasp.org/images/3/31/OWASP_NZ_SEP2011_Clickjacking-for-shells_PDF-version.pdf

• http://crypto.stanford.edu/~dabo/pubs/papers/framebust.pdf

• (NoScript image source: Andrew Mason's Flickr photostream).

• http://erickerr.com/like-clickjacking

• http://arnab.org/blog/reputation-misrepresentation

• http://erickerr.com/misc/like-clickjacking.js

• http://koto.github.com/blog-kotowicz-net-examples/cursorjacking/

• http://www.mniemietz.de/demo/cursorjacking/cursorjacking.html