CSE484/CSEM584 Computer Security:
Clickjacking
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
Lab 2
• Questions
– What is the flow of the XSS attacks?
– What kind of information do you need leaked for SQL injection attacks?
– Others?
Directing User Behavior
• Demo – http://lcamtuf.coredump.cx/ffgeo2/
The following slides originally made by Vitaly Shmatikov
http://www.cs.utexas.edu/~shmat/courses/cs361s/clickjack.ppt
Clickjacking (UI Redressing)
[Hansen and Grossman 2008]
• Attacker overlays multiple transparent or opaque frames to trick a user into clicking on a button or link on another page
• Clicks meant for the visible page are hijacked and routed to another, invisible page
slide 5
Clickjacking in the Wild
• Google search for “clickjacking” returns 624,000 results… this is not a hypothetical threat!
• Summer 2010: Facebook worm superimposes an invisible iframe over the entire page that links back to the victim's Facebook page
– If victim is logged in, automatically recommends link to new friends as soon as the page is clicked on
• Many clickjacking attacks against Twitter
– Users send out tweets against their will
slide 6
It’s All About iFrame
• Any site can frame any other site
<iframe src="http://www.google.com/..."></iframe>
• HTML attributes
– Style
– Opacity defines visibility percentage of the iframe
• 1.0: completely visible
• 0.0: completely invisible
slide 7
Hiding the Target Element
[“Clickjacking: Attacks and Defenses”]
• Use CSS opacity property and z-index property to hide target element and make other element float under the target element
• Use CSS pointer-events: none property to cover other element over the target element
(Figure: two overlay diagrams, labelled "Click", "z-index: -1", "opacity: 0.1", "pointer-events: none" and "Click")
slide 8
What other types of user-manipulative attacks might be possible using properties of CSS?
Partial Overlays and Cropping
[“Clickjacking: Attacks and Defenses”]
• Overlay other elements onto an iframe using CSS z-index property or Flash Window Mode wmode=direct property
• Wrap target element in a new iframe and choose CSS position offset properties
(Figure: a PayPal iframe with an overlay at z-index: 1, and the same PayPal iframe cropped by position offsets)
slide 10
Drag-and-Drop API
[“Next Generation Clickjacking”]
• Modern browsers support drag-and-drop API
• JavaScript can use it to set data being dragged and read it when it’s dropped
• Not restricted by the same origin policy: data from one origin can be dragged to a frame of another origin
– Reason: drag-and-drop can only be initiated by user’s mouse gesture, not by JavaScript on its own
slide 11
Abusing Drag-and-Drop API
[“Next Generation Clickjacking”]
(Figure: attack webpage captioned "Frog. Blender. You know what to do.")
1. Bait the user to click and start dragging
2. Invisible iframe with attacker’s text field under mouse cursor, use API to set data being dragged
3. Invisible iframe from another origin with a form field
With two drag-and-drops (simulated scrollbar, etc.), can select and extract arbitrary content from another origin
slide 12
Fake Cursors
[“Clickjacking: Attacks and Defenses”]
• Use CSS cursor property and JavaScript to simulate a fake cursor icon on the screen
(Figure: real cursor icon beside fake cursor icon; the real one hidden with cursor: none)
slide 13
Cursor Spoofing
[“Clickjacking: Attacks and Defenses”]
slide 14
Keyboard “Strokejacking”
[“Clickjacking: Attacks and Defenses”]
• Simulate an input field getting focus, but actually the keyboard focus is on target element, forcing user to type some unwanted information into target element
(Figure: attacker’s page shows a "Typing Game: Type whatever screen shows to you" with the string "Xfpog95403poigr06=2kfpx" and an input box; a hidden iframe within attacker’s page shows a "Bank Transfer" form with "Bank Account: ________", "Amount: ___________ USD" and a Transfer button, into which "95403062" is typed)
slide 15
Double-Click Attack
[“Clickjacking: Attacks and Defenses”]
• Bait the user to perform a double-click, switch focus to a popup window under the cursor right between the two clicks
(Figure: "First click" on the bait page, "Second click" landing on the popup)
slide 16
Whack-A-Mole Attack
[“Clickjacking: Attacks and Defenses”]
• Ask the user to click as fast as possible, suddenly switch in the Facebook Like button
slide 17
SOLUTIONS?
Solution: Frame Busting
• I am a page owner
• All I need to do is make sure that my web page is not loaded in an enclosing frame… Clickjacking: solved!
– Does not work for FB “Like” buttons and such, but OK
• How hard can this be?
if (top != self) top.location.href = location.href
slide 19
Frame Busting in the Wild
◆ Survey by Gustav Rydstedt, Elie Bursztein, Dan Boneh, Collin Jackson
Following slides shamelessly jacked from Rydstedt
slide 20
If My Frame Is Not On Top…
Conditional Statements
if (top != self)
if (top.location != self.location)
if (top.location != location)
if (parent.frames.length > 0)
if (window != top)
if (window.top !== window.self)
if (window.self != window.top)
if (parent && parent != window)
if (parent && parent.frames && parent.frames.length > 0)
if ((self.parent && !(self.parent === self)) && (self.parent.frames.length != 0))
slide 21
…Move It To Top
Counter-Action Statements
top.location = self.location
top.location.href = document.location.href
top.location.href = self.location.href
top.location.replace(self.location)
top.location.href = window.location.href
top.location.replace(document.location)
top.location.href = window.location.href
top.location.href = "URL"
document.write('')
top.location = location
top.location.replace(document.location)
top.location.replace('URL')
top.location.href = document.location
top.location.replace(window.location.href)
top.location.href = location.href
self.parent.location = document.location
parent.location.href = self.document.location
top.location.href = self.location
top.location = window.location
top.location.replace(window.location.pathname)
slide 22
What About My Own iFrames?
• Check: is the enclosing frame one of my own?
• How hard can this be?
• Survey of several hundred top websites… all frame busting code is broken!
slide 23
Courtesy of Walmart
if (top.location != location) {
  if (document.referrer && document.referrer.indexOf("walmart.com") == -1) {
    top.location.replace(document.location.href);
  }
}
slide 24
Error in Referer Checking
From http://www.attacker.com/walmart.com.html
<iframe src="http://www.walmart.com">
slide 25
Courtesy of nytimes.com
if (window.self != window.top && !document.referrer.match(/https?:\/\/[^?\/]+\.nytimes\.com\//)) {
  self.location = top.location;
}
slide 26
Error in Referer Checking
From http://www.attacker.com/a.html?b=https://www.nytimes.com/
<iframe src="http://www.nytimes.com">
slide 27
Courtesy of usbank.com
if (self != top) {
  var domain = getDomain(document.referrer);
  var okDomains = /usbank|localhost|usbnet/;
  var matchDomain = domain.search(okDomains);
  if (matchDomain == -1) {
    // frame bust
  }
}
slide 28
Error in Referer Checking
From http://usbank.attacker.com/
<iframe src="http://www.usbank.com">
slide 29
Strategic Relationship? Norwegian State House Bank
http://www.husbanken.no
slide 30
Strategic Relationship? Bank of Moscow
http://www.rusbank.org
slide 31
Courtesy of
try { A = !top.location.href } catch (B) {}
A = A && !(document.referrer.match(/^https?:\/\/[-a-z0-9.]*\.google\.(co\.|com\.)?[a-z]+\/imgres/i))
      && !(document.referrer.match(/^https?:\/\/([^\/]*\.)?(myspace\.com|myspace\.cn|simsidekick\.com|levisawards\.com|digg\.com)\//i));
if (A) {
  // Frame bust
}
slide 32
Google Images does not frame bust
Do Your Trusted Sites Frame Bust?
slide 33
Many Attacks on Referer Header
• Open redirect referer changer
• HTTPS -> HTTP redirect changes the header
• Apparently, hard to get regular expression right
• Trust other sites to frame your pages, but what if those trusted sites can be framed themselves?
slide 34
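As an added example (not from the slides, and not the code of any site named on them), the three Referer checks from slides 24, 26 and 28 rewritten as pure functions, run against the framing pages those slides show, beside a check that parses the Referer and compares the whole hostname; the function names, the body of getDomain and the allowed-host lists are assumptions made here.

```javascript
// Added example, not from the slides or from the sites named on them: the
// three Referer checks quoted above as pure functions, alongside a check that
// parses the URL and compares the whole hostname. The getDomain body and the
// function names are constructed here.

// Walmart-style: substring search anywhere in the Referer string.
function walmartAllowsFramer(referrer) {
  return referrer.indexOf("walmart.com") !== -1;
}

// NYTimes-style: the regex is not anchored to the start of the Referer,
// so a match anywhere in it (for example inside a query string) is accepted.
function nytimesAllowsFramer(referrer) {
  return /https?:\/\/[^?\/]+\.nytimes\.com\//.test(referrer);
}

// US Bank-style: take the host part of the Referer, then search for any of
// the allowed names as a substring of that host.
function getDomain(url) {
  const m = url.match(/^https?:\/\/([^\/?#]+)/);
  return m ? m[1] : "";
}
function usbankAllowsFramer(referrer) {
  return getDomain(referrer).search(/usbank|localhost|usbnet/) !== -1;
}

// Hostname comparison: parse the Referer as a URL and accept only an exact
// allowed host or a subdomain of one. An empty or unparsable Referer is
// treated as untrusted.
function hostAllowsFramer(referrer, allowedHosts) {
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false;
  }
  return allowedHosts.some(h => host === h || host.endsWith("." + h));
}
```

Even the hostname version still stands or falls with the Referer header, which the slide above shows can be changed by redirects; the response headers on the later slides do not depend on it.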
Typical Frame Busting Code
if (top.location != self.location) {
  parent.location = self.location;
}
slide 35
Who Is Your Daddy Parent?
framed1.html: <iframe src="framed2.html">
framed2.html: <iframe src="victim.com">
Double framing!!
slide 36
Who Is On Top?
If top.location can be changed or disabled, this code is useless
if (top.location != self.location) top.location = self.location
slide 37
Location Clobbering
• IE7
var location = "clobbered";
• Safari
window.__defineSetter__("location", function(){});
– top.location now undefined
slide 38
User Can Stop Frame Busting
• User can manually cancel any redirection attempt made by frame busting code
• Attacker just needs to ask…
<script>
window.onbeforeunload = function() {
  return "Do you want to leave PayPal?";
}
</script>
<iframe src="http://www.paypal.com">
slide 39
Ask Nicely
slide 40
…Or Don’t Even Ask
• Most browsers let attacker cancel the relocation programmatically
var prevent_bust = 0
window.onbeforeunload = function() { prevent_bust++ }
setInterval(function() {
  if (prevent_bust > 0) {
    prevent_bust -= 2;
    window.top.location = 'http://no-content-204.com'
  }
}, 1);
<iframe src="http://www.victim.com">
slide 41
X-Frame-Options
• HTTP header sent with the page
• Two possible values: DENY and SAMEORIGIN
• DENY: page will not render if framed
• SAMEORIGIN: page will only render if top frame has the same origin
slide 42
Adoption of X-Frame-Options
• Good adoption by browsers
• Poor adoption by sites
• Limitations
– Per-page policy
– No whitelisting of origins
– Proxy problems
slide 43
Content Security Policy (Firefox 4)
• Another HTTP header: frame-ancestors directive can specify allowed framers
• Allows specific restrictions and abilities per site
slide 44
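As an added example (not from the slides and not any browser's implementation), a function that decides from a response's X-Frame-Options and Content-Security-Policy headers whether the page would render inside a frame whose top document has a given origin, following the DENY, SAMEORIGIN and frame-ancestors semantics of the two slides above; the function names are assumptions, and port numbers are ignored in this model.

```javascript
// Added example, not from the slides: decide from a response's X-Frame-Options
// and Content-Security-Policy headers whether a browser honouring both would
// render the page inside a frame whose top-level document has the given origin.
// Follows the DENY / SAMEORIGIN / frame-ancestors semantics described above;
// helper names are constructed here and ports are ignored in this model.

// Match one frame-ancestors source expression against the ancestor origin.
function ancestorSourceMatches(source, ancestorOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === "'none'") return false;
  const anc = new URL(ancestorOrigin);
  // Scheme-only source, e.g. "https:".
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return anc.protocol === src;
  // Host source, optionally with a scheme and a leading "*." wildcard.
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && anc.protocol !== scheme + ":") return false;
  // "*.example.com" matches subdomains only, never the bare domain.
  if (wildcard !== undefined) return anc.hostname.endsWith("." + host);
  return anc.hostname === host;
}

// Returns true if the page may render with this top-level ancestor origin.
// A CSP frame-ancestors directive, when present, takes precedence over
// X-Frame-Options; with neither header the page can be framed by anyone.
function framingAllowed(headers, ancestorOrigin, pageOrigin) {
  const get = name => Object.keys(headers).find(k => k.toLowerCase() === name);
  const cspKey = get("content-security-policy");
  if (cspKey) {
    const directive = headers[cspKey].split(";")
      .map(d => d.trim().split(/\s+/))
      .find(parts => parts[0].toLowerCase() === "frame-ancestors");
    if (directive) {
      return directive.slice(1).some(src =>
        ancestorSourceMatches(src, ancestorOrigin, pageOrigin));
    }
  }
  const xfoKey = get("x-frame-options");
  if (xfoKey) {
    const value = headers[xfoKey].trim().toUpperCase();
    if (value === "DENY") return false;
    if (value === "SAMEORIGIN") return ancestorOrigin === pageOrigin;
    // Any other value is not recognised by browsers and is ignored.
  }
  return true;
}
```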
Best For Now (Still Not Good)
<style> html { visibility: hidden } </style>
<script>
if (self == top) {
  document.documentElement.style.visibility = 'visible';
} else {
  top.location = self.location;
}
</script>
slide 45