UI-Redressing Attacks - The Process & Exploitation by Amol Naik at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

1. Mercedes-Benz Research and Development India
UI-Redressing Attacks
The Process & Exploitation
Amol Naik
4th Aug 2012

2. Mercedes-Benz Research and Development India
Agenda
• Introduction to UI-Redressing attacks
• Server-Side Mitigations
• Bug Bounties
• Target
• Tools
• CSS Basics
• Exploitation Techniques
2 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

3. Mercedes-Benz Research and Development India
I am
• Web Application Pentester
• Bug Hunter – Google, Facebook, Twitter
• Web Challenges Coder for nullcon HackIM since 2011
• Winner of ClubHACK preCON 2011 CTF
• Active member of Garage4Hackers
• Blog at: http://amolnaik4.blogspot.com
• Twitter: @amolnaik4
3 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

4. Mercedes-Benz Research and Development India
UI-Redressing Attacks
•Change User Interface in Browser
• Invisible Iframes
• CSS Tricks
• HTML5 Drag-Drop
•Victims clicks button/link on attacker’s
site
•He/She actually clicking on Vulnerable
Site
4 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

5. Mercedes-Benz Research and Development India
UI-Redressing Attacks
5 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

6. Mercedes-Benz Research and Development India
Impact
• One Click Attack
• CSRF Protection Bypass
• Cross-Domain Content Extraction
• Exploit “Self XSS”
6 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

7. Mercedes-Benz Research and Development India
Server-Side Mitigations
• X-Frame-Options
- HTTP Response Header
- Supported by all latest browsers
• X-Frame-Options: DENY
- The page can not be rendered in a frame, regardless of the site attempting to do so
• X-Frame-Options: SAMEORIGIN
- The page can only be rendered in a frame on the same origin as the page itself
7 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

8. Mercedes-Benz Research and Development India
Server-Side Mitigations
• Frame Bursting Code
- JavaScript
- Ensures the current frame is the most top level window
8 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

9. Mercedes-Benz Research and Development India
Bug Bounties
• Google
- Bounty Price upto $3133.7
- XSS, CSRF main focus
- Researcher will be listed in Google Security Hall of Fame
• Facebook
- Bounty price upto $5000
- XSS, CSRF, Open Redirect, Database Injection
- Researcher will be listed in Facebook WhiteHat List
9 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

10. Mercedes-Benz Research and Development India
Target
• CSRF Protected actions
• Pages with sensitive information in page-source
• Self XSS
10 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

11. Mercedes-Benz Research and Development India
Tools
11 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

12. Mercedes-Benz Research and Development India
CSS Basics
• Opacity
- Set Transparency to an element
• Top,Left
- Negative values shifts elements out of browser window
• Position
- Static (default)
- Relative
- Absolute
- Fixed
12 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

13. Mercedes-Benz Research and Development India
Exploitation Techniques
13 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

14. Mercedes-Benz Research and Development India
Simple Clickjacking
• Google
- Remove Google Books Service
- FIXED
• Facebook
- Add Any Facebook App
- FIXED
14 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

15. Mercedes-Benz Research and Development India
Hijack 2 Clicks
• Google
- Remove Google Web History, Health & Orkut
- FIXED
15 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

16. Mercedes-Benz Research and Development India
Cross-Domain Content Extraction
• Facebook
- Get Token from page-source
- Use of HTML5 Drag-Drop
- Only possible in FireFox 13
- FIXED
16 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

17. Mercedes-Benz Research and Development India
Fake Captcha
• Facebook
- Get Token
- FIXED
17 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

18. Mercedes-Benz Research and Development India
Self-XSS
• Scenario
- Input field is vulnerable to XSS
- Vulnerable page sends user input to other page
- And output is reflected to vulnerable page
- Ajax call used to send the user data
- GET/POST XSS exploitation method doesn’t work
- How to exploit ?
18 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

19. Mercedes-Benz Research and Development India
Self-XSS
• Solution
- HTML5 Drag-Drop
• Google
- Google Map examples
- Google Base examples
- FIXED
19 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

20. Mercedes-Benz Research and Development India
Bursting Frame Buster
• Adobe
- Adobe Flash Manager Setting page
- Discovered & reported by “Nafeez Ahmed AKA skeptic_fx”
- “204 No Content” is the trick
- FIXED
20 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

21. Mercedes-Benz Research and Development India
Thanks
• Lavakumar K : http://www.andlabs.org
• Kotowicz : http://blog.kotowicz.net
• Nafeez Ahmed : http://blog.skepticfx.com
• Marcus Niemietz : “UI Redressing: Attacks & Countermeasures
Revisited”
• OWASP : http://www.owasp.org
• Imperva : http://www.imperva.com
• W3School : http://www.w3school.com
21 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012

22. Mercedes-Benz Research and Development India
Questions
• Amol Naik
- http://amolnaik4.blogspot.com
- @amolnaik4
22 UI-Redressing Attacks: The Process & Exploitation | Amol Naik | 4th Aug 2012