OWASP AppSec Research The OWASP Foundation New Insights into Clickjacking

Similar documents
UI Redressing: Attacks and Countermeasures Revisited

CS 161 Computer Security

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

The security of Mozilla Firefox s Extensions. Kristjan Krips

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Web Security. Course: EPL 682 Name: Savvas Savva

CS 361S. Clickjacking. Vitaly Shmatikov

Jared Moore

P2_L12 Web Security Page 1

More attacks on clients: Click-jacking/UI redressing, CSRF

Online Detection & Prevention of Clickjacking Attacks

Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications

XSS Homework. 1 Overview. 2 Lab Environment

A Course Module on Clickjacking

Base64 The Security Killer

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

Testing login process security of websites. Benjamin Krumnow

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Chrome Extension Security Architecture

Web Security Part B. Davide Balzarotti

What is framebusting?

Detecting XSS Based Web Application Vulnerabilities

HTML5: Something wicked this way comes. Krzysztof Kotowicz Securing

Analysis and Detection of Clickjacking on Facebook


Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Finding Vulnerabilities in Web Applications

You Are Being Watched Analysis of JavaScript-Based Trackers

Hacking Intranet Websites from the Outside

Web basics: HTTP cookies

HTTP Parameter Pollution Vulnerabilities in Web Applications

Information Security CS 526 Topic 11

On the fragility and limitations of current Browser-provided Clickjacking protection schemes

Web basics: HTTP cookies

Hovering Patterns: Clickjacking Defense Technique

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Client Side Injection on Web Applications

[Rajebhosale*, 5(4): April, 2016] ISSN: (I2OR), Publication Impact Factor: 3.785

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Information Security CS 526 Topic 8

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Secure Frame Communication in Browsers Review

Penetration Test Report

Ethical Hacking. Content Outline: Session 1

Web Security: Authentication & UI-based attacks

CSC 482/582: Computer Security. Cross-Site Security

Chrome and IE comparisons

Wednesday, 10 October 2012 PRELIMINARY SLIDES

Web Security: 1) UI-based attacks 2) Tracking on the web

last time: command injection

Automated Detection of HPP Vulnerabilities in Web Applications. Marco `embyte` Balduzzi

arxiv: v1 [cs.cr] 5 Sep 2013

Automated Detection of HPP Vulnerabilities in Web Applications. Marco `embyte` Balduzzi

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

NET 311 INFORMATION SECURITY

Web Security II. Slides from M. Hicks, University of Maryland

Computer Security CS 426 Lecture 41

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

Web Application Security. Philippe Bogaerts

Detecting Drive-by-Download Attacks based on HTTP Context-Types Ryo Kiire, Shigeki Goto Waseda University

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

CS 142 Winter Session Management. Dan Boneh

Combating Common Web App Authentication Threats

CSCD 303 Essential Computer Security Fall 2017

Introduction. Logging in. WebQuarantine User Guide

Copyright

Overtaking Google Desktop Leveraging XSS to Raise Havoc. 6 th OWASP AppSec Conference. The OWASP Foundation

Proposal for Virtual Web Browser by Using HTML5

PhishEye: Live Monitoring of Sandboxed Phishing Kits. Xiao Han Nizar Kheir Davide Balzarotti

CS 161 Computer Security

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Attacks on Clients: JavaScript & XSS

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0

Web Application Security

Web Security: XSS; Sessions

Large-Scale Analysis of Style Injection by Relative Path Overwrite

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Validation of Web Alteration Detection using Link Change State in Web Page

Detecting Malicious Web Links and Identifying Their Attack Types

hardening the Web with NoScript

Developing Web Applications

CS 161 Computer Security

Integrity attacks (from data to code): Cross-site Scripting - XSS

Robust Defenses for Cross-Site Request Forgery Review

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

CSCE 120: Learning To Code

Sichere Webanwendungen mit Java

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Browser code isolation

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

CIS 5373 Systems Security

Robust Defenses for Cross-Site Request Forgery

Manually Create Phishing Page For Facebook 2014

Website Report for test.com

Online Security and Safety Protect Your Computer - and Yourself!

HOSTED CONTACT CENTRE

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

PREVENTING CLICK EVENT HIJACKING BY USER INTENTION INFERENCE

Transcription:

New Insights into Clickjacking Marco `embyte` Balduzzi iseclab @ EURECOM embyte@iseclab.org AppSec Research 2010 Joint work with Egele, Kirda, Balzarotti and Kruegel Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Clickjacking Recent web threat, introduced by Robert Hansen and Jeremy Grossman in September 2008 Construct a malicious web-page (benign site with a XSS vulnerability) to trick the user into performing unintended clicks that are advantageous for the attacker Propagate worms, steal confidential information (passwords, cookies), send spam, delete personal e- mails, etc... Attracted a broad attention by the security industry and the web community Objectives Determinate the prevalence of clickjacking on the Internet 2

The Twitter bomb Self-replicating message that is twitter via Clickjacking Abuse of some HTML/CSS features (transparent IFRAMEs) <IFRAME style={z-index:2; opacity:0; filter:alpha(opacity=0); } scrolling= no src= http://www.twitter.com/?status=... > The same attack can be reused to spread malware through driveby-download sites, to send spam messages or to steal confidential information February 2009, Mahemoff, Explaining the Don't Click Clickjacking Tweetbomb http://softwareas.com/explaining-the-dont-click-clickjacking-tweetbomb 3

Approach All-in-one solution Combine a testing unit with a detection unit Automated Instruct a browser to simulate user-real actions (clicks, scroll) Automate the testing on multiple sequential pages Efficient detection Analyze the clicks with two independent browser plug-ins Detect possible clickjacking attacks Collect statistics on the visited pages 4

Testing interaction (x, y) (x, y) (x1, y1) (x2, y2) (x3, y3) (x4, y4) Application logic URLs 5

Detection clicks Browser subsystem click is discarded Alert! Alert! 6

Experiments [1/2] Validation of the tool on 5 test cases Initial seed of 70,000 unique URLs: Popular: Alexa's Top 1000 Social-networks: 20.000 MySpace public profiles Google and Yahoo queries for malicious keywords (download warez, free ringtones, porn, etc...) Phishing URLs from PhishTank Malicious domains for MalwareDomains Sites accessed by Anubis's malwares Fed into a crawler that generates: 1,065,420 online Internet pages 830,000 unique domains 7

Experiments [2/2] 10 Linux Virtual Machines 2 months (71 days) 15,006 pages/day 92% of the visited pages embeds elements such as links and forms 143 million clickable elements Frame statistics: 3.3% standard Frames 37.3% Iframes Only 0.16% were transparent 8

Discussion True Positives Identified two real-world clickjacking attacks 1) Click fraud: Tricks users into clicking on a transparent Iframe that contain a concealed banner 2) Twitter attack: anti-clickjacking defense in place (if iframed with empty content) Examples posted on security-related sites Not aware of them. Detected automatically. substitute Detection Total True Positives Borderlines False Positives ClickIDS 137 2 5 130 NoScript 535 2 31 502 Both 6 2 0 4 9

NoScript: ClickIDS: Discussion False Positives 1. Pop-ups that appear in response to particular events 2. Iframed banners in the proximity of the click 3. Hidden Iframes located outside the page margins 1. Visible Iframes that overlap and contain clickable elements Observed multiple sites that were Frame-defaced : A javascript loads the attacker page and displays it fullscreen ( Clickjacking through a stored-xss?) Detection Total True Positives Borderlines False Positives ClickIDS 137 2 5 130 NoScript 535 2 31 502 Both 6 2 0 4 10

Discussion of Borderline Cases Reverse Clickjacking A cross-domain Iframe is encapsulated into a link tag: <A href= http://evil.com ><IFRAME src= http://site.com /></A> Users interact with the framed page site.com, but the clicks are grabbed by the link tag and sent to evil.com 505 Frame Iframe with CSS-transparent background Allowtransparency: true & background-color: transparent Normally employed for banner or blogging systems 11

What have we learned? Iframes are largely adopted on the Internet and it seems that have overcome traditional frames a new attack vector? Very few transparent Frames (~3%) Despite of the wide media coverage we observed very few clickjacked pages and a bunch of borderline cases Clickjacking is not among the preferred attack vector adopted by miscreants on the Internet It is complicated to setup and is not easily portable (different browsers / configurations render the page differently) 12

Looking at the future [1/2] Facebook worms that use clickjacking (11/09 and 05/10) Propagation on the own profile References: [A] Krzysztof Kotowicz, New Facebook clickjacking attacks on the wild http://blog.kotowicz.net/2009/12/new-facebook-clickjagging-attack-in.html [B] Joey Tyson, Facebook worm uses clickjacking in the wild http://theharmonyguy.com/2009/11/23/facebook-worm-uses-clickjacking-in-the-wild [C] May 2010 Worms, Attack spreading through likes http://mashable.com/2010/05/31/facebook-like-worm-clickjack/ 13

Looking at the future [2/2] Use of javascript to position the hidden Iframe Use of URL fragment identifiers to accurately align the frame content Inject controlled text into a form field using the browser's drag-and-drop API (HTML5) same-origin policy does not applied here Java allow to override the default behavior the drag with a simple click Steal the content (and HTML) of a cross-domain page initiate Stone, BH Europe 2010, Next generation clickjacking: http://contextis.co.uk/resources/white-papers/clickjacking/context-clickjacking_white_paper.pdf 14

Some mitigation techniques The HTTP X-FRAME-OPTIONS header (proposed my Microsoft and adopted by IE8, Chrome, Opera, Safari, NoScript) The use of frame-busting: if (top.location.hostname!= self.location.hostname) top.location.href = self.location.href; Thwarted by forcing IE to treat the site as restricted (javascript disabled) Other variants go around this issue [1] A recent paper discusses this problem in detail [2] The ClearClick feature offered by NoScript or ClickIDS, or both :-) Server-side: CAPTCHAs to protect sensitive actions 15

More references [1] Preventing Frame Busting and Click Jacking (UI Redressing) http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/ [2] Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites http://w2spconf.com/2010/papers/p27.pdf A Solution for the Automated Detection of Clickjacking Attacks, http://www.iseclab.org/people/embyte/papers/asiaccs122-balduzzi.pdf The International Secure System Lab: 3 Location: Vienna, Santa Barbara (CA), South-France Riviera Applied research in: Web Security Web 2.0 Privacy (Social-Networks) Malware Analysis Botnets Detection 16

Motivations: Summary Analyze a recent web threat that has received wide media coverage Approach: All-in-one solution for an automated testing and detection of clickjacking attacks Experiments: One million live Internet sites Found 2 real cases and some borderline attacks Is currently Clickjacking posing an important threat for the Internet users? Thanks! 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback