Embed Size (px)
Citation preview
CSE484/CSEM584ComputerSecurity:Lab2&ClickJacking
TA:ThomasCrosleytcrosley@cs
ThankstoFranziRoesner,AdrianSham,andVitalyShmaJkovformanyprevious
slides
LogisJcs/Reminders
• SubmitaccountinfoforLab#2– Link:hNp://goo.gl/forms/rXbXqXKWdY
• Homework#2duetomorrow(8pm).• Nextofficehour:
– KevinandThomas:2-3pm
• Lab#2:Websecurity– Shouldbeouttomorrow
XSSreview
• Cross-sitescripJng(XSS)isatypeofcomputersecurityvulnerabilitytypicallyfoundiswebapplicaJons.
• AllowstheaNackertoinjectJavaScriptintowebpagesviewedbyotherusers.
• JavaScriptcandoalotofthings,likereadingcookiesandex-filtraJngthem.
• SaniJze/validateyourinput• BrowserdetecJon
PHPreview
• Aserver-sideprogramminglanguage• Fileextensionis.php• Beforeawebpageissenttoyou,PHPcodeisexecutedbytheserver
• Youwon’tseethePHPcode,onlyhtml• PHPcanbeusetosetandreadcookiesforauthenJcaJon
• YouwillneedabasicPHPscripttoreceivecapturedcookies
QuickdemoofXSS
BackstorytoLab#2
• Youfinallydecidetoshowyourclick-happyComputerSecurityTAswho’sdaboss.
• UseXSSaNackstostealyourTA’scookies,andthereforeaccessyourgradebooktochangeyourgrade.
• UseaSQLInjecJontoaddyourselftoFranzi’sgoodlist.
Basicsetup
• GivetheTAs(codered.cs)alinkwithaXSSvulnerability.
• TAswill‘visit’thislink,andcookiewillbestolen.
• Theprocessofstealingcookieinvolvessendingittoaplaceyoucontrol.
• Savethecookie,readit,anduseittologinandchangeyourgrade.
• Easy!
Whatyouwillneed
• Firefox,latestversionshouldbeOK– Chromemightwon’twork
• Firebugadd-onforFirefox• SetupalocaJontocollectyourstolenliberatedcookies– Goodplaceishomes.cs,FAQhere:
https://homes.cs.washington.edu/FAQ.html
Overviewofsetup
homes.cs
codered.cs
Hacker(you)
Tips
• BemindfulofSameOriginPolicy– Don’tredirectcodered
• RunJavaScriptlocallybeforesendingtocodered
• WhenURLencoding,becarefulofnew-linesinXSS– BrowsermightstopexecuJngatnewline
• Talktousifsomethingfeelswrong/confusing
ClickJacking
• ClickjackinghappenswhenanaNackerusesdifferenttechniquestohijackclicksmeantfortheirpageandrouJngthemtoanother
• MulJpletechniques– TransparentUIelementsontopofabuNonorlink– TimingbasedaNacks
hNps://www.owasp.org/index.php/Clickjacking
Example
• Videoofclickjacking• hNps://www.youtube.com/watch?v=9V4_emKyAg8
• Userisaskedtoplayagame• BuNonisquicklyswitchedtoa‘save’buNon
• FollowingslidesbyVitalyShmaJkov• hNp://www.cs.utexas.edu/~shmat/courses/cs361s/clickjack.ppt
• ANackeroverlaysmulJpletransparentoropaqueframestotrickauserintoclickingonabuNonorlinkonanotherpage
• Clicksmeantforthevisiblepagearehijackedandroutedtoanother,invisiblepage
Clickjacking(UIRedressing)
slide 14
[Hansen and Grossman 2008]
ClickjackingintheWild
• Googlesearchfor“clickjacking”returns624,000results…thisisnotahypotheJcalthreat!
• Summer2010:FacebookwormsuperimposesaninvisibleiframeovertheenJrepagethatlinksbacktothevicJm'sFacebookpage– IfvicJmisloggedin,automaJcallyrecommendslinktonewfriendsassoonasthepageisclickedon
• ManyclickjackingaNacksagainstTwiNer– Userssendouttweetsagainsttheirwill
slide 15
It’sAllAboutiFrame
• Anysitecanframeanyothersite<iframesrc=“hNp://www.google.com/...”></iframe>
• HTMLaNributes– Style– Opacitydefinesvisibilitypercentageoftheiframe
• 1.0:completelyvisible• 0.0:completelyinvisible
slide 16
HidingtheTargetElement
• UseCSSopacitypropertyandz-indexpropertytohidetargetelementandmakeotherelementfloatunderthetargetelement
• UsingCSSpointer-events: nonepropertytocoverotherelementoverthetargetelement
Click
z-index: -1
opacity: 0.1 pointer-event: none
Click
slide 17
[“Clickjacking: Attacks and Defenses”]
ParJalOverlaysandCropping
• OverlayotherelementsontoaniframeusingCSSz-indexpropertyorFlashWindowModewmode=directproperty
• WraptargetelementinanewiframeandchooseCSSposiJonoffsetproperJes
slide 18
[“Clickjacking: Attacks and Defenses”]
z-index: 1 PayPal iframe PayPal iframe
Drag-and-DropAPI
• Modernbrowserssupportdrag-and-dropAPI• JavaScriptcanuseittosetdatabeingdraggedandreaditwhenit’sdropped
• Notrestrictedbythesameoriginpolicy:datafromoneorigincanbedraggedtoaframe
ofanotherorigin– Reason:drag-and-dropcanonlybeiniJatedbyuser’smousegesture,notbyJavaScriptonitsown
slide 19
[“Next Generation Clickjacking”]
AbusingDrag-and-DropAPI
slide 20
[“Next Generation Clickjacking”]
Frog. Blender. You know what to do.
1. Bait the user to click and start dragging
2. Invisible iframe with attacker’s text field under mouse cursor, use API to set data being dragged
3. Invisible iframe from another origin with a form field
Attack webpage
666666666666666666
With two drag-and-drops (simulated scrollbar, etc.), can select and extract arbitrary content from another origin
Clickjacking
• TrickusersintointeracJngwithsensiJveuserinterfacesinanotherdomain.– Usinginvisibleiframes:
– ExploitpredictableuserJming:hNp://lcamtuf.coredump.cx/ffgeo2/
www.evil.comClickheretowin!!!
FakeCursors
• UseCSScursorpropertyandJavaScripttosimulateafakecursoricononthescreen
slide 22
[“Clickjacking: Attacks and Defenses”]
Real cursor icon Fake cursor icon
cursor: none
ClickjackingusingtheCursor
[FigurefromHuangetal.,“Clickjacking:ANacksandDefenses”,USENIXSecurity,2012]
Keyboard“Strokejacking”
• Simulateaninputfieldge}ngfocus,butactuallythekeyboardfocusisontargetelement,forcingusertotypesomeunwantedinformaJonintotargetelement
slide 24
[“Clickjacking: Attacks and Defenses”]
Transfer
Bank Transfer Bank Account: ________ Amount: ___________ USD
Typing Game Type whatever screen shows to you Xfpog95403poigr06=2kfpx [__________________________]
Attacker’s page Hidden iframe within attacker’s page
9540 3062
