ui-redressing attacks - the process & exploitation
Post on 18-Nov-2014
Mercedes-Benz Research and Development India
UI-Redressing Attacks: The Process & Exploitation
Amol Naik
4th Aug 2012
Agenda
• Introduction to UI-Redressing attacks
• Server-Side Mitigations
• Bug Bounties
• Target
• Tools
• CSS Basics
• Exploitation Techniques
I am
• Web Application Pentester
• Bug Hunter – Google, Facebook, Twitter
• Web Challenges Coder for nullcon HackIM since 2011
• Winner of ClubHACK preCON 2011 CTF
• Active member of Garage4Hackers
• Blog at: http://amolnaik4.blogspot.com
• Twitter: @amolnaik4
UI-Redressing Attacks
• Change the user interface in the browser
  - Invisible iframes
  - CSS tricks
  - HTML5 Drag-Drop
• The victim clicks a button/link on the attacker's site
• He/she is actually clicking on the vulnerable site
UI-Redressing Attacks
Impact
• One-click attack
• CSRF protection bypass
• Cross-domain content extraction
• Exploit "Self XSS"
Server-Side Mitigations
• X-Frame-Options
  - HTTP response header
  - Supported by all current browsers
• X-Frame-Options: DENY
  - The page cannot be rendered in a frame, regardless of the site attempting to do so
• X-Frame-Options: SAMEORIGIN
  - The page can only be rendered in a frame on the same origin as the page itself
Server-Side Mitigations
• Frame-busting code
  - JavaScript
  - Ensures the current frame is the top-level window
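The two server-side mitigations above (the X-Frame-Options decision and the frame-busting check), written as small helpers that can be exercised outside a browser. This is an example added to this transcript, not code from the slides; the function names, the `hidden` flag and the stub window object are assumptions made for the example.

```javascript
// Added example (not from the original slides): the two server-side
// mitigations the deck lists, as small helpers that can be exercised
// outside a browser with a stub window object.

// X-Frame-Options decision, as a browser applies it when a page is loaded
// inside a frame. Browsers ignore an unrecognised value, so a typo in the
// header leaves the page framable; this helper makes that visible by
// returning true for it.
function frameAllowed(xfoHeader, pageOrigin, framerOrigin) {
  if (xfoHeader == null) return true;             // no header: framing allowed
  const value = String(xfoHeader).trim().toUpperCase();
  if (value === "DENY") return false;             // never framed
  if (value === "SAMEORIGIN") return pageOrigin === framerOrigin;
  return true;                                    // unknown value: ignored
}

// Frame-busting check. `win` stands for the page's window object (a stub in
// the test). The page starts with its body hidden (`win.hidden === true`) and
// only reveals it once it has confirmed it is the top-level window; if it is
// framed it navigates the top window to itself. Keeping the body hidden
// matters because the breakout navigation can be blocked (the "204 No
// Content" trick on the Bursting Frame Buster slide); then nothing is left
// on screen to click.
function frameBust(win) {
  if (win.self === win.top) {
    win.hidden = false;                           // top-level: safe to show
    return "render";
  }
  win.top.location = win.self.location;           // framed: break out
  return "busted";
}
```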
Bug Bounties
• Google
  - Bounty up to $3133.7
  - XSS, CSRF main focus
  - Researcher will be listed in the Google Security Hall of Fame
• Facebook
  - Bounty up to $5000
  - XSS, CSRF, Open Redirect, Database Injection
  - Researcher will be listed in the Facebook WhiteHat List
Target
• CSRF-protected actions
• Pages with sensitive information in the page source
• Self XSS
Tools
CSS Basics
• Opacity
  - Sets the transparency of an element
• Top, Left
  - Negative values shift an element out of the browser window
• Position
  - Static (default)
  - Relative
  - Absolute
  - Fixed
Exploitation Techniques
Simple Clickjacking
• Google
  - Remove Google Books Service
  - FIXED
• Facebook
  - Add any Facebook App
  - FIXED
Hijack 2 Clicks
• Google
  - Remove Google Web History, Health & Orkut
  - FIXED
Cross-Domain Content Extraction
• Facebook
  - Get token from page source
  - Uses HTML5 Drag-Drop
  - Only possible in Firefox 13
  - FIXED
Fake Captcha
• Facebook
  - Get token
  - FIXED
Self-XSS
• Scenario
  - An input field is vulnerable to XSS
  - The vulnerable page sends the user input to another page
  - The output is reflected back into the vulnerable page
  - An Ajax call is used to send the user data
  - The GET/POST XSS exploitation methods do not work
  - How to exploit?
Self-XSS
• Solution
  - HTML5 Drag-Drop
• Google
  - Google Maps examples
  - Google Base examples
  - FIXED
Bursting Frame Buster
• Adobe
  - Adobe Flash Manager settings page
  - Discovered & reported by "Nafeez Ahmed AKA skeptic_fx"
  - "204 No Content" is the trick
  - FIXED
Thanks
• Lavakumar K: http://www.andlabs.org
• Kotowicz: http://blog.kotowicz.net
• Nafeez Ahmed: http://blog.skepticfx.com
• Marcus Niemietz: "UI Redressing: Attacks & Countermeasures Revisited"
• OWASP: http://www.owasp.org
• Imperva: http://www.imperva.com
• W3School: http://www.w3school.com
Questions
• Amol Naik
  - http://amolnaik4.blogspot.com
  - @amolnaik4