Secure your site from clickjacking attacks
•Télécharger en tant que PPTX, PDF•
6 j'aime•2,890 vues
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (20)
Similaire à Secure your site from clickjacking attacks
Similaire à Secure your site from clickjacking attacks (20)
Dernier
Dernier (20)
Secure your site from clickjacking attacks
- 1. Developer Conference 2011 MICROSOFT USER GROUP HYDERABAD
- 2. It is this easy to steal your click! (Secure Web Development) Krishna Chaitanya T Security & Privacy Research Lab, Infosys Labs Microsoft MVP - Internet Explorer http://novogeek.com | @novogeek
- 3. Agenda! Saw these on Facebook? Your genuine web page can be victim as well! Lets secure!!
- 4. Clickjacking Discovered in 2008-Robert Hansen, Jeremiah Grossman Forces a victim to unintentionally click on invisible page Made possible by overlaying transparent layers Basic clickjacking: Positioning via CSS (JS not required!) Follow mouse cursor via JS Advanced techniques: Clickjacking + XSS Clickjacking + CSRF Clickjacking + HTML5 Drag/Drop API
- 5. The mischievous <iFrame> tag A web page can embed another web page via iframe <iframesrc="http://bing.com"></iframe> CSS opacity attribute: 1 = visible, 0 = invisible
- 6. Clickjacking using CSS & JS demo
- 7. Frame Busting! Techniques for preventing your site from being framed Common frame busting code: if (top != self) { //condition top.location = self.location; //counter action }
- 8. Survey Acknowledgement:All survey content from Stanford Web Security Research Lab
- 10. Error in Referrer checking. Attacker URL can be: http://usbank.attacker.com
- 12. Prevents XSS
- 16. X-Frame-Options The savior! Innovative idea introduced by Microsoft in IE8 HTTP header sent on response. Possible values- “DENY” and “SAMEORIGIN” Implemented by most of the modern browsers Need not depend on JavaScript! Ex: Response.AddHeader("X-Frame-Options", "DENY"); Limitations: Poor adoption by sites (Coz of developer ignorance!) No whitelisting – Either block all, or allow all. Nevertheless, advantages outweigh disadvantages. Content Security Policy (CSP) introduced by Mozilla
- 17. Best JS solution <style>html { visibility: hidden }</style> <script> if (self == top) { document.documentElement.style.visibility = 'visible'; } else { top.location = self.location; } </script>
- 18. Frame Busting (X - Frame - Options & JavaScript solutions) demo
- 19. Its your turn now! Are your sites clickjacking proof? Think about a one-click approval button being clickjacked! Go back and add X-Frame-Options header to your web projects at office (and earn goodwill of your boss ) If you are on old browsers, have JS protection in place If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for hidden <iframe> ;) Check your social apps and revoke access if not used. We learnt to break things to build better things. Ethics plz!
- 20. References “Busting frame busting: a study of clickjacking vulnerabilities at popular sites” – Research paper by Stanford Web Security researchers. Birth of a Security Feature: ClickJackingDefense-IE Blog IE8 Security part VII – Clickjacking Defenses – IE Blog
- 21. I’m Done! Blog: novogeek.com Twitter: @novogeek
- 22. Sponsors