what is frame busting what is frame busting
play

What is frame busting? What is frame busting? HTML allows for any - PowerPoint PPT Presentation

Apr 05, 2023 •19 likes •539 views

What is frame busting? What is frame busting? HTML allows for any site to frame any URL with an IFRAME (internal frame) <iframe src=http://www.google.com> Ignored by most browsers </iframe> What is frame busting?

  2. What is frame busting?

  3. What is frame busting? HTML allows for any site to frame any URL with an IFRAME • (internal frame) <iframe src=“http://www.google.com”> Ignored by most browsers </iframe>

  4. What is frame busting? • Frame busting are techniques for preventing framing by the framed site.

  5. What is framebusting? Common frame busting code is made up of: • a conditional statement • a counter action if (top != self) { top.location = self.location; }

  6. Why frame busting?

  7. Primary: Clickjacking Jeremiah Grossman and Robert Hansen, 2008

  8. Clickjacking 2.0 (Paul Stone, BHEU ‘10) Utilizing drag and drop: Grab data off the page (including source code, form data) Get data into the page (forms etc.) Fingerprint individual objects in the framed page

  9. Survey • Idea: Grab frame busting from Alexa Top-500 and all US banks. Analyze code. • Used semi-automated crawler based on HTMLUnit. • Manual work to trace through obfuscated and packed code.

  10. Obfuscation/Packing 

  11. Survey Sites Framebusting Top 10 60% Top 100 37% Top 500 14%

  12. Survey Conditional Statements if (top != self) if (top.location != self.location) if (top.location != location) if (parent.frames.length > 0) if (window != top) if (window.top !== window.self) if (window.self != window.top) if (parent && parent != window) if (parent && parent.frames && parent.frames.length>0) if((self.parent&& !(self.parent===self))&& (self.parent.frames.length!=0))

  13. Counter-Action Statements top.location = self.location top.location.href = document.location.href top.location.href = self.location.href top.location.replace(self.location) top.location.href = window.location.href top.location.replace(document.location) top.location.href = window.location.href top.location.href = "URL" document.write(’’) top.location = location top.location.replace(document.location) top.location.replace(’URL’) top.location.href = document.location top.location.replace(window.location.href) top.location.href = location.href self.parent.location = document.location parent.location.href = self.document.location top.location.href = self.location top.location = window.location top.location.replace(window.location.pathname) window.top.location = window.self.location setTimeout(function(){document.body.innerHTML=’’;},1); window.self.onload = function(evt){document.body.innerHTML=’’;} var url = window.location.href; top.location.replace(url)

  14. All frame busting code we found was broken.

  15. Let’s check out some code.

  16. Courtesy of Walmart if (top.location != location) { if(document.referrer && document.referrer.indexOf("walmart.com") == -1) { top.location.replace(document.location.href); } }

  17. Error in Referrer Checking From http://www.attacker.com/walmart.com.html <iframe src=“http://www.walmart.com”> Limit use of indexOf()…

  18. Courtesy of if (window.self != window.top && !document.referrer.match( /https?:\/\/[^?\/]+\.nytimes\.com\//)) { self.location = top.location; }

  19. Error in Referrer Checking From http://www.attacker.com/a.html?b=https://www.nytimes.com/ <iframe src=“http://www.nytimes.com”> Anchor your regular expressions.

  20. Courtesy of if (self != top) { var domain = getDomain (document.referrer); var okDomains = /usbank|localhost|usbnet/; var matchDomain = domain.search (okDomains); if (matchDomain == -1) { //frame bust } }

  21. Error in Referrer Checking From http://usbank.attacker.com/ <iframe src=“http://www.usbank.com”> Don’t make your regular expressions too lax.

  22. Strategic Relationship? Norweigan State House Bank http://www.husbanken.no

  23. Strategic Relationship? Bank of Moscow http://www.rusbank.org

  24. Courtesy of try{ A=!top.location.href }catch(B){} A=A&& !(document.referrer.match(/^https?:\/\/[-az09.] *\.google\.(co\.|com\.)? [a-z] +\/imgres/i))&& !(document.referrer.match(/^https?:\/\/([^\/]*\.)? (myspace\.com| myspace\.cn| simsidekick\.com| levisawards\.com| digg\.com)\//i)); if(A){ //Framebust }

  25. The people you trust might not frame bust Google Images does not framebust.

  26. Referrer = Funky Stuff Many attacks on referrer: washing/changing Open redirect referrer changer HTTPS->HTTP washing Can be hard to get regular expression right (apparently) “Friends” cannot be trusted

  27. Facebook Dark Layer

  28. Courtesy of Facebook Facebook deploys an exotic variant: • if (top != self) { try { if (top.location.hostname.indexOf("apps") >= 0) throw 1; } catch (e) { window.document.write("<div style= 'background: black; opacity: 0.5; filter: alpha(opacity = 50); position: absolute; top: 0px; left: 0px; width: 9999px; height: 9999px; z-index: 1000001' onClick='top.location.href=window.location.href'> </div>"); } }

  29. Facebook – Ray of Light! All Facebook content is centered! We can push the content into the ray of light outside of the div. <iframe width=“21800px” height=”2500px” src =“http://facebook.com”> <script> window.scrollTo(10200, 0 ) ; </script>

  30. Facebook – Ray of Light!

  31. Let’s move on to some generic attacks!

  32. Courtesy of many if(top.location != self.location) { parent.location = self.location; }

  33. Double Framing! framed1.html framed2.html <iframe src=“fframed2.html”> <iframe src=“victim.com”>

  34. Descendent Policy Introduced in Securing frame communication in browsers . • (Adam Barth, Collin Jackson, and John Mitchell. 2009) Descendant Policy A frame can navigate only it’s decedents. framed1.html framed2.html top.location = self.location is always okay. <iframe src=“fframed2.html”> <iframe src=“victim.com”>

  35. Location Clobbering if (top.location != self.location) { top.location = self.location; } If top.location can be changed or disabled this code is useless. But our trusted browser would never let such atrocities happen… right?

  36. Location Clobbering IE 7: IE 7: var location = “clobbered”; Safari: window.__defineSetter__("location", function(){}); top.location is now undefined.  http://code.google.com/p/ browsersec/wiki/Part2#Arbitrary_ page_mashups_(UI_redressing)

  37. Asking Nicely • User can manually cancel any redirection attempt made by framebusting code. • Attacker just needs to ask… <script> window.onbeforeunload = function() { return ”Do you want to leave PayPal?"; } </script> <iframe src="http://www.paypal.com">

  38. Asking Nicely

  39. Not Asking Nicely • Actually, we don’t have to ask nicely at all. Most browser allows to cancel the relocation “programmatically”. var prevent_bust = 0 window.onbeforeunload = function() {kill_bust++ } setInterval(function() { if (kill_bust > 0) { kill_bust -= 2; window.top.location = 'http://no-content-204.com' } }, 1); <iframe src="http://www.victim.com"> http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing

  40. Restricted zones • IE 8: <iframe security=“restricted” src=“http://www.victim.com”> Javascript and Cookies disabled • Chrome (HTML5): <iframe sandbox src=“http://www.victim.com”> Javascript disabled (cookies still there) • IE 8 and Firefox: designMode = on (Paul Stone BHEU’10) Javascript disabled (more cookies) However, since cookies are disabled, many

  41. Reflective XSS filters • Internet Explorer 8 introduced reflective XSS filters: http://www.victim.com?var=<script> alert(‘xss’) If <script> alert(‘xss’); appears in the rendered page, the filter will replace it with <sc#pt> alert (‘xss’)

  42. Reflective XSS filters Can be used to target frame busting (Eduardo Vela ’09) Original <script> if(top.location != self.location) //framebust </ script> Request > http://www.victim.com?var=<script> if (top Rendered <sc#pt> if(top.location != self.location) Chrome’s XSS auditor, same problem.

  43. Is there any hope? Well, sort of…

  44. X-Frames-Options (IE8) • HTTP header sent on responses • Two possible values: DENY and SAMEORIGIN • On DENY, will not render in framed context. • On SAMEORIGIN, only render if top frame is same origin as page giving directive.

  45. X-Frames-Options • Good adoption by browsers (all but Firefox, coming in 3.7) • Poor adoption by sites (4 out of top 10,000, survey by sans.org) • Some limitations: per-page policy, no whitelisting, and proxy problems.

  46. Content Security Policy (FF) • Also a HTTP-Header. • Allows the site to specific restrictions/ abilities. • The frame-ancestors directive can specifiy allowed framers. • Still in beta, coming in Firefox 3.7

  47. Best for now (but still not good) <style>html { visibility: hidden }</style> <script> if (self == top) { document.documentElement.style.visibility = 'visible'; } else { top.location = self.location; } </script>

  48. … a little bit more. These sites (among others) do framembusting…

  49. … a little bit more. … but do these?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Myth Busting Cybe r Cla ims T he r e is mor e tha n one wa y to ma na ge a c ybe r c

Myth Busting Cybe r Cla ims T he r e is mor e tha n one wa y to ma na ge a c ybe r c

Myth Busting Cybe r Cla ims T he r e is mor e tha n one wa y to ma na ge a c ybe r c la im Spo nso re d By: Myth Busting Cybe r Cla ims T he re is more tha n one wa y to ma na g e a c ybe r c la im Visit www.a dvise

387 views • 21 slides
Surfin ng the f frame n et A frame is a complex condition on its

Surfin ng the f frame n et A frame is a complex condition on its

1. Frames 2. Shifting 3. Metonymy 4. Word formation 5. Conclusion 2 Whats a frame? Surfin ng the f frame n et A frame is a complex condition on its potential

162 views • 13 slides
Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings

Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings

Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings economical materials combined with conventional B deck materials To be utilized with any type lightweight non-metal roofing system

215 views • 17 slides
Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame

Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame

Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame Relay - Introduction and Concepts lesson, Frame Relay introduces some cost savings benefits over point-to-point leased lines. This lesson will

396 views • 14 slides
degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS

degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS

estimated camera position estimated camera rotation 500 80 60 40 degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS errors using prev (:) vs. model ( ) 60 50 RMS intensity error 40 30 20

717 views • 23 slides
Bias Busting Across the Center: A Model to Interrupt Bias and Promote Inclusion Modeled on

Bias Busting Across the Center: A Model to Interrupt Bias and Promote Inclusion Modeled on

Bias Busting Across the Center: A Model to Interrupt Bias and Promote Inclusion Modeled on Googles BiasBusting@Work and Carnegie Mellons Bias Busters @ CMU Learning Outcomes Understand the role that biases play, positively &amp;

637 views • 34 slides
S&amp;OP to IBP Busting the myth December 13th, 2017 Basel, Switzerland Ieke le Blanc

S&amp;OP to IBP Busting the myth December 13th, 2017 Basel, Switzerland Ieke le Blanc

S&amp;OP to IBP Busting the myth December 13th, 2017 Basel, Switzerland Ieke le Blanc Mentimeter 3. Enter the code 1. Grab your phone 2. Go to www.menti.com 10 09 84 and vote! 2 How would you describe IBP in three words? 3 S&amp;OP and

371 views • 22 slides
The Search for Answers Myth busting lessons for those creating new fuels from oil shale Myth:

The Search for Answers Myth busting lessons for those creating new fuels from oil shale Myth:

The Search for Answers Myth busting lessons for those creating new fuels from oil shale Myth: Oil is becoming less important Fact: Countries continue to strive to grow their economies... 14,000 USA 12,000 GDP (USD Billion PPP) 10,000

626 views • 20 slides
&quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon

&quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon

AT9 Concurrent Session 11/14/2013 3:45 PM &quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon Group Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888 268 8770 904

575 views • 22 slides
Broker Busting B.A.S.I.C.s Making Our Highways Safer By Taking Trucking Cases Beyond

Broker Busting B.A.S.I.C.s Making Our Highways Safer By Taking Trucking Cases Beyond

Broker Busting B.A.S.I.C.s Making Our Highways Safer By Taking Trucking Cases Beyond The Driver And Motor Carrier To The Negligent Brokers Who Hire Them B. Keith Williams, Esq. with James R. Stocks, Esq. Keith Williams Law Group

292 views • 25 slides
Neighbourhood Planning Neighbourhood Planning W hat I w ill cover Myth busting the

Neighbourhood Planning Neighbourhood Planning W hat I w ill cover Myth busting the

Neighbourhood Planning Neighbourhood Planning W hat I w ill cover Myth busting the facts What are the challenges of developing a Neighbourhood Plan in Leeds? What is your role? What is the Councils role? Is a

290 views • 10 slides
Busting those myths! Gill Jones HMI Deputy Director, Education Policy @GillJonesOfsted May 2018

Busting those myths! Gill Jones HMI Deputy Director, Education Policy @GillJonesOfsted May 2018

Busting those myths! Gill Jones HMI Deputy Director, Education Policy @GillJonesOfsted May 2018 West Midlands, Ofsted Big Conversation May 2018 Slide 1 https://www.gov.uk/government/publications/inspecting-

719 views • 26 slides
Barrier Busting Task Force Background Formed in October 2017 in response to Broadband S

Barrier Busting Task Force Background Formed in October 2017 in response to Broadband S

Barrier Busting Task Force Background Formed in October 2017 in response to Broadband S takeholder Group report into barriers to deployment of infrastructure. Aim is to make it as cheap, quick and easy to deploy infrastructure as

202 views • 18 slides
Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud platform that lets organizations deliver amazing experiences and workflows to users on all connected devices . Pixels user input Confidential Why

540 views • 21 slides
Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration

Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration

Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration While we still have more lessons left to fully cover the major aspects of Frame Relay and its configuration, I wanted to include a couple of short,

435 views • 14 slides
Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A

Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A

Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A Workshop in Honor of Chuck Fillmore June 27, 2014 * Thanks to Desai Chen, Kuzman Ganchev, Karl Moritz Hermann, Andr Martins, Nathan Schneider, Noah

1.63k views • 152 slides
CS 3700 Networks and Distributed Systems The Web Client-Server Computing 2 99% of all

CS 3700 Networks and Distributed Systems The Web Client-Server Computing 2 99% of all

CS 3700 Networks and Distributed Systems The Web Client-Server Computing 2 99% of all distributed systems use client-server architectures! Today: look at the most popular client-server The Web The Web The Web has become a

1.57k views • 113 slides
Safety Data Sheet (SDS) OSHA HazCom Standard 29 CFR 1910.1200(g), Rev. 2012 and GHS Rev 03.

Safety Data Sheet (SDS) OSHA HazCom Standard 29 CFR 1910.1200(g), Rev. 2012 and GHS Rev 03.

FORM SDS-00077 REV 03 Page 1/6 Safety Data Sheet (SDS) OSHA HazCom Standard 29 CFR 1910.1200(g), Rev. 2012 and GHS Rev 03. Printing date 12/19/2014 Reviewed on 12/19/2014 * 1 Identification Product identifier Trade name: Trehalose Slides

258 views • 6 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Computer Security Course. Dawn Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song Example Application Consider a social networking site, GraceBook, that allows users to share happenings from

696 views • 54 slides
Creating Your Celestial Marriage Many years ago, after World War II, I was attending college.

Creating Your Celestial Marriage Many years ago, after World War II, I was attending college.

CREATING YOUR CELESTIAL MARRIAGE L ESSONS F ROM A D IAMOND R ING Aaron &amp; April Jacob BYU-Idaho Education Week 2015 Creating Your Celestial Marriage Many years ago, after World War II, I was attending college. There I met Donna Smith.

608 views • 38 slides
NRC Workshop on 10 CFR Part 61 Phoenix Hyatt Regency Hotel March 4, 2011 Afternoon Agenda 1:10

NRC Workshop on 10 CFR Part 61 Phoenix Hyatt Regency Hotel March 4, 2011 Afternoon Agenda 1:10

NRC Workshop on 10 CFR Part 61 Phoenix Hyatt Regency Hotel March 4, 2011 Afternoon Agenda 1:10 - 1:20p Introductory Remarks (L. Camper) 1:20 - 1:40 NRC Keynote Speaker (Charlie Miller) An Overview of the FSME LLW Program &amp; Public

944 views • 69 slides
Alternative Work and click on the Picture Tools Format tab. In the Format ribbon,

Alternative Work and click on the Picture Tools Format tab. In the Format ribbon,

Disability Risk and Alternative Work and click on the Picture Tools Format tab. In the Format ribbon, select Change Picture. Arrangements Nicholas Broten Michael Dworsky David Powell August 1, 2018 C ENTER for D ISABILITY R

851 views • 28 slides
FOOD SAFETY TRAINING FOR FARMER SUPPORT ORGANIZATIONS, PART 3 F O O D S A F E T Y C E R T I F I

FOOD SAFETY TRAINING FOR FARMER SUPPORT ORGANIZATIONS, PART 3 F O O D S A F E T Y C E R T I F I

An NGFN W An NGFN Webinar binar FOOD SAFETY TRAINING FOR FARMER SUPPORT ORGANIZATIONS, PART 3 F O O D S A F E T Y C E R T I F I C A T I O N O P T I O N S F O C U S : G A P A S A G R O U P April 25, 2017 Presentation Outline

657 views • 38 slides
Jaewook Shin , Jacqueline Chame and Mary Hall PACT02 September 23, 2002 USC USC UNIVERSITY

Jaewook Shin , Jacqueline Chame and Mary Hall PACT02 September 23, 2002 USC USC UNIVERSITY

Jaewook Shin , Jacqueline Chame and Mary Hall PACT02 September 23, 2002 USC USC UNIVERSITY UNIVERSITY UNIVERSITY UNIVERSITY OF SOUTHERN OF SOUTHERN CALIFORNIA CALIFORNIA Motivation Multimedia applications are becoming

424 views • 25 slides

More recommend