more attacks on clients clickjacking ui redressing csrf
play

More attacks on Clients: Clickjacking/UI redressing, CSRF (Section - PowerPoint PPT Presentation

Oct 07, 2023 •106 likes •409 views

Software and Web Security 2 More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7 on CSRF) Section 7.2.7 on CSRF) sws2 1 2 Clickjacking & UI redressing sws2 Click jacking & UI

  1. Software and Web Security 2 More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7 on CSRF) Section 7.2.7 on CSRF) sws2 1

  2. 2 Clickjacking & UI redressing sws2

  3. Click jacking & UI redressing j g g • These attacks try to confuse the user into unintentionally doing something that the attacker wants – typically clicking some link but something that the attacker wants typically clicking some link but sometimes also supplying text input in fields • • These attacks abuse the trust that the user has in a webpage and in These attacks abuse the trust that the user has in a webpage and in his browser – ie the implicit trust the user has in what he sees • Some people treat click jacking and UI redressing as synonyms. Others regard click jacking as a simple form of UI redressing, or as an ingredient d li k j ki i l f f UI d i i di for UI redressing. • T To add to the confusion, these attacks are often in combination of CSRF or dd t th f i th tt k ft i bi ti f CSRF XSS sws2 3

  4. Basic click-jacking j g Make the victim unintentionally click on some link <a onMouseUp="window open('http://mafia org/') <a onMouseUp="window.open('http://mafia.org/') href="http://www.overheid.nl">Trust me, it is safe to click here, you will simply go to overheid.nl</a> Why? • click fraud Here instead of mafia.com, the link being click jacked would be a link for an H i t d f fi th li k b i li k j k d ld b li k f advertisement. • some unwanted side-effect of clicking the link, esp. if the user is automatically authenticated by the target website (eg. with a cookie) Here instead of mafia.com, the link being click jacked would be a link to a genuine website the attacker wants to target. genuine website the attacker wants to target. Demo: see http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjacking_basic.html sws2 4

  5. Click fraud • in online advertising, web sites that publish ads are paid for the number of click-throughs, ie. number of their visitors that click on number of click throughs, ie. number of their visitors that click on these ads • click fraud: attacker tries to generate lots of clicks on ads that are not from genuinely interesting visitors not from genuinely interesting visitors • Motivations for the attacker 1. generating revenue for the web site hosting the ad, or 2. generating cost for a competitor who pays for these clicks (Does that really happen, or is that simply a claim by Google to make click fraud seem morally wrong?) Other forms of click fraud, apart from click jacking: • Click farms (hiring individuals to manually click ads) • Pay-to-click sites (pyramid schemes created by publishers) P t li k it ( id h t d b bli h ) • Click bots (software to automate clicking) • Botnets (hijacked computers utilized by click bots) sws2 5

  6. UI (user interface) redressing (not in book!) ( ) g Attacker creates a malicious web page that includes elements of a target website target website • typically using iframes (inline frames) A frame is a part of a web page, a sub-window in the browser window. An internal frame - iframe - allows more flexible nesting and overlapping • possibly including transparent layers, to make elements invisible – this is not needed when the attackers steals buttons with non- this is not needed when the attackers “steals” buttons with non specific text from the target website, such as Examples http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_radboudnet_using_UI_redressing.html http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_bb_using_UI_redressing.html (turn of JavaScript for this one) http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_some_button_transparent.html sws2 6

  7. 7 UI redressing sws2

  8. 8 UI redressing sws2

  9. Clickjacking and UI redressing j g g • These attacks try to abuse the trust that the user has in a web page – in what user sees in his browser i h t i hi b • These attacks also abuse the trust that the web server has in the These attacks also abuse the trust that the web server has in the browsers – namely, the web server implicitly trust all actions from the web bro ser are actions that the browser are actions that the user willingly & intentionally ser illingl & intentionall performed sws2 9

  10. Variations of clickjacking j g • Likejacking and sharejacking • • cookiejacking – in old versions of Internet Explorer cookiejacking in old versions of Internet Explorer • filejacking – unintentional uploads in Google Chrome • eventjacking • cursorjacking • classjacking • double clickjacking double clickjacking • content extraction • pop-up blocker bypassing • strokejacking t k j ki • event recycling • svg masking • tapjacking on Android phones • ... sws2 10

  11. 11 Clickjacking & UI redressing Countermeasures against Countermeasures against sws2

  12. Frame busting A website can take countermeasures to prevent being used in frames. This is called frame busting: the website tries to bust any frames it is This is called frame busting: the website tries to bust any frames it is included in, typically using JavaScript Example JavaScript code for frame busting, using the DOM E l J S i t d f f b ti i th DOM if (top!=self){ top.location.href = self.location.href } top in DOM is for the top or outer window, self is the current window. Lots of variations are possible. Some frame busting code is more robust than others others. For an example, you can try the Blackboard webpage, which uses JavaScript to bust frames, eg http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_bb_using_UI_redressing.html sws2 12

  13. X-Frame options • Introduced by Microsoft in 2008 • X F X-Frame-Options in HTTP response header indicate if page can be O ti i HTTP h d i di t if b loaded as frame inside another page. • Possible values – DENY never allowed – SAMEORIGIN only allowed if other page has same origin – ALLOW-FROM uri – ALLOW-FROM uri only allowed for specific URI (Only only allowed for specific URI (Only ?) ?) • Advantage over frame busting: no JavaScript required. sws2 13

  14. Browser protection against UI redressing The Firefox extension NoScript extension has a ClearClick option, th t that warns when clicking or typing on hidden elements h li ki t i hidd l t sws2 14

  15. 15 (formerly also called XSRF) CSRF CSRF sws2

  16. CSRF (Cross-Site Request Forgery) ( g y) A malicious website causes a visitor to unwittingly issue a HTTP request on another website, that trusts this user (eg due to cookie) t th b it th t t t thi ( d t ki ) In the simplest form, this can be done with just a link, eg <a href=“http://bank.com/transferMoney?amount=1000 < h f “htt //b k /t f M ? t 1000 &toAccount=52.12.57.762”> malicious web site naive bank.com sws2 16

  17. CSRF Ingredients • • malicious link or javascript on attacker’s website malicious link or javascript on attacker s website • abusing automatic authentication by cookie at targeted website Attacker only has to lure victims to his site while they are logged on, Requirements • the victim must have a valid cookie for the attacked website • th t it that site must have actions which only require a single HTTP t h ti hi h l i i l HTTP request It’s a bit like click-jacking, except that it can be more than just a link, and it does not involve UI redressing. sws2 17

  18. CSRF on GET vs POST requests Action on the targeted website might need a POST or GET request. Recall: GET parameters in URL POST parameters in body Recall: GET parameters in URL, POST parameters in body. • For action with a GET request: q Easy! The attacker can even use an image tag <img..> to execute the request <img scr=“http://bank.com/transfer?amount=1000 <i “htt //b k /t f ? t 1000 &toAccount=52.12.57.762”> • For action with a POST request: Trickier. The attacker cannot append data in the URL. Instead, the attacker can use JavaScript on his web site to make a I t d th tt k J S i t hi b it t k form which then results in a POST request to the target website. sws2 18

  19. CSRF of a POST request using JavaScript g If bank.com uses <form action=”transfer.php” method=”POST”> To: <input type=”text” name=”to”/> Amount: <input type=”text” name=”amount”/> <input type=”submit” value=”Submit”/> </form> attacker could use attacker could use <form action=”http://bank.com/transfer.php” method=”POST”> <input type=”hidden” name=”to” value=”52.12.57.762”/> <input type=”hidden” name=”amount” value=”1000” /> <i t t ”hidd ” ” t” l ”1000” /> <input type=”submit”/> </form> <script> document.forms[0].submit(); </script> 0 / Note: no need for the victim to click anything sws2 19

  20. 20 Countermeasures against CSRF sws2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide content (Vern Paxson) Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes

567 views • 24 slides
UI Redressing A-acks on Android Devices Marcus Niemietz

UI Redressing A-acks on Android Devices Marcus Niemietz

UI Redressing A-acks on Android Devices Marcus Niemietz Ruhr-University Bochum Horst Grtz InsAtute German Book Clickjacking und UI-Redressing

879 views • 54 slides
Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced

Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced

Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced Security Topics Name: Soteris Constantinou Instructor: Dr. Elias Athanasopoulos Authors: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart

1.65k views • 81 slides
SY306 Web and Databases for Cyber Operations Slide Set #3: CSS

SY306 Web and Databases for Cyber Operations Slide Set #3: CSS

SY306 Web and Databases for Cyber Operations Slide Set #3: CSS http://www.w3schools.com/css/default.asp Style! 1 ClickJacking Attack! Past Clickjacking attacks By loading Adobe Flash plugin settings page into an invisible iframe, an

211 views • 18 slides
Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on

Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on

Software and Web Security 2 Software and Web Security 2 Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Last week: web server can be attacked

829 views • 43 slides
Attacks on Clients: Dynamic Content &amp; XSS (Section 7.1.3 on JavaScript; 7.2.4 on Media

Attacks on Clients: Dynamic Content &amp; XSS (Section 7.1.3 on JavaScript; 7.2.4 on Media

Software and Web Security 2 Attacks on Clients: Dynamic Content &amp; XSS (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Recap from last lecture Attacks on web server: attacker/client sends malicious input

835 views • 56 slides
Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting

516 views • 26 slides
Clickjacking Revisited A Perceptual View of UI Security Devdatta Akhawe / Warren He / Zhiwei Li/

Clickjacking Revisited A Perceptual View of UI Security Devdatta Akhawe / Warren He / Zhiwei Li/

Clickjacking Revisited A Perceptual View of UI Security Devdatta Akhawe / Warren He / Zhiwei Li/ Reza Moazzezi / Dawn Song University of California, Berkeley Clickjacking is a malicious technique of tricking a Web user into clicking on something

753 views • 39 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

821 views • 25 slides
Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks

Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks

Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks thereof) XSS CSRF SQL injection Most of these attacks are enabled by social engineering. Todays Class Pretexting Phishing

587 views • 25 slides
Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth

Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth

Software and Web Security 2 More attacks on Clients: More attacks on Clients: Privacy (Section 7.2.5 on Privacy Attacks) sws2 1 [Peter Steiner,1993] 2 myth reality y y Welcome user29. (IP address: (IP address:

691 views • 50 slides
Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF Presentation Vulnerability Advanced Web Technology CSRF allows to access the intranet Protection 10) XSS, CSRF and SQL Injection

559 views • 10 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site Request Forgery Definition Example OWASP: Login: csrf.vulnerable.page Cross-Site Request Forgery Set-Cookie:session=1a2b3c; (CSRF) is an attack

721 views • 14 slides
Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these

Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these

Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these attacks are similar to TOCTTOU (Time of Check to Time of Use) vulnerabilities From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al,

376 views • 14 slides
Propositional models Start with a fixed number of boolean variables called the vocabulary : e.g. a

Propositional models Start with a fixed number of boolean variables called the vocabulary : e.g. a

1/22/2010 Propositional models Start with a fixed number of boolean variables called the vocabulary : e.g. a , b , c . Each boolean Historical models of computation variable represents a proposition, for example &quot;today it is raining&quot;.

416 views • 6 slides
Review: Why We Use Caches Caches Review Mechanism for transparent movement of Proc 1000

Review: Why We Use Caches Caches Review Mechanism for transparent movement of Proc 1000

Review: Why We Use Caches Caches Review Mechanism for transparent movement of Proc 1000 CPU data among levels of a storage hierarchy 60%/yr. Moores Law Performance set of address/value bindings address index to

966 views • 11 slides
Boris Babenko, Steve Branson, Serge Belongie University of California, San Diego ICCV 2009, Kyoto,

Boris Babenko, Steve Branson, Serge Belongie University of California, San Diego ICCV 2009, Kyoto,

Boris Babenko, Steve Branson, Serge Belongie University of California, San Diego ICCV 2009, Kyoto, Japan Recognizing multiple categories Recognizing multiple categories Need meaningful similarity metric / feature space Recognizing

542 views • 31 slides
Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56

Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56

Propositional Logic: Semantics Alice Gao Lecture 4, September 19, 2017 Semantics 1/56 Announcements Semantics 2/56 The roadmap of propositional logic Semantics 3/56 FCC spectrum auction an application of propositional spectrums to

1.3k views • 56 slides
ts rt

ts rt

ts rt trsrts s rtrts

925 views • 60 slides
Answer Set Solving in Practice Torsten Schaub University of Potsdam torsten@cs.uni-potsdam.de

Answer Set Solving in Practice Torsten Schaub University of Potsdam torsten@cs.uni-potsdam.de

Answer Set Solving in Practice Torsten Schaub University of Potsdam torsten@cs.uni-potsdam.de Potassco Slide Packages are licensed under a Creative Commons Attribution 3.0 Unported License. Torsten Schaub (KRR@UP) Answer Set Solving in

1.83k views • 168 slides
Fugue: Annotations for Protocol Checking Reading: The Fugue Protocol Checker: Is Your Software

Fugue: Annotations for Protocol Checking Reading: The Fugue Protocol Checker: Is Your Software

Fugue: Annotations for Protocol Checking Reading: The Fugue Protocol Checker: Is Your Software Baroque? 17-654/17-765 Analysis of Software Artifacts Jonathan Aldrich Find the Bug! 2/22/2005 4 Find the Bug! 2/22/2005 6 Specifications(1)

338 views • 15 slides
Metal, Continued Reading: Checking System Rules Using System-Specific, Programmer-Written

Metal, Continued Reading: Checking System Rules Using System-Specific, Programmer-Written

Metal, Continued Reading: Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions 17-654/17-754 Analysis of Software Artifacts Jonathan Aldrich Assertion Side-Effects Flags error if assert() has side effects

422 views • 13 slides

More recommend