2. It is this easy to steal your click! (Secure Web Development) Krishna Chaitanya T, Security & Privacy Research Lab, Infosys Labs. Microsoft MVP, Internet Explorer. http://novogeek.com | @novogeek
3. Agenda! Saw these on Facebook? Your genuine web page can be a victim as well! Let's secure!!
4. Clickjacking. Discovered in 2008 by Robert Hansen and Jeremiah Grossman. Forces a victim to unintentionally click on an invisible page; made possible by overlaying transparent layers. Basic clickjacking: positioning via CSS (JS not required!), or following the mouse cursor via JS. Advanced techniques: clickjacking + XSS; clickjacking + CSRF; clickjacking + HTML5 Drag/Drop API.
5. The mischievous <iframe> tag. A web page can embed another web page via an iframe: <iframe src="http://bing.com"></iframe>. CSS opacity property: 1 = fully visible, 0 = fully transparent (invisible).
7. Frame busting! Techniques for preventing your site from being framed. Common frame busting code:
if (top != self) { // condition: is this page running inside a frame?
    top.location = self.location; // counter action: navigate the top window to our own page
}
16. X-Frame-Options, the savior! Innovative idea introduced by Microsoft in IE8. HTTP header sent on the response; possible values: "DENY" and "SAMEORIGIN". Implemented by most modern browsers, and does not depend on JavaScript! Ex: Response.AddHeader("X-Frame-Options", "DENY"); Limitations: poor adoption by sites (because of developer ignorance!); no whitelisting, either block all or allow all. Nevertheless, the advantages outweigh the disadvantages. Content Security Policy (CSP) introduced by Mozilla.
19. It's your turn now! Are your sites clickjacking proof? Think about a one-click approval button being clickjacked! Go back and add the X-Frame-Options header to your web projects at the office (and earn the goodwill of your boss). If you are on old browsers, have JS protection in place. If a link on Facebook opens a new window, be highly cautious and avoid clicking. Inquisitive? Check for hidden <iframe>s ;) Check your social apps and revoke access if not used. We learnt to break things to build better things. Ethics please!
20. References. "Busting frame busting: a study of clickjacking vulnerabilities at popular sites", research paper by Stanford web security researchers. "Birth of a Security Feature: Clickjacking Defense", IE Blog. "IE8 Security Part VII: Clickjacking Defenses", IE Blog.