Make profit with UI-Redressing attacks.
5 likes159,845 views
This document discusses how to profit from UI-redressing (changing the user interface in a browser). It describes server-side mitigations like X-Frame-Options headers. It recommends targeting CSRF-protected actions and pages with tokens. Various CSS techniques and exploitation methods are outlined, like simple clickjacking and fake captchas. The conclusion encourages profiting from bug bounties by imagining new attack techniques on sites without adequate protections.
Make profit with UI-Redressing attacks.
- 1. Make Profit with UI-Redressing AMol NAik http://amolnaik4.blogspot.com
- 2. Agenda UI-Redressing Server-Side Mitigations How to make Profit? What to Target? Tools to Hack CSS Basics Exploitation Techniques Conclusion
- 3. UI-Redressing Change User Interface in browser Victim clicks button on attacker site He/she actually clicking button on Vulnerable site Source: http://www.imperva.com/resources/glossary/clickjacking_ui-redressing.html
- 4. UI-Redressing Mostly neglected by vendors Why? – Need user interaction Browser dependancy Impact: Same as CSRF One click – GONE!! Bypass CSRF protections Exploit “Self-XSS” Cross-domain Content Extraction
- 5. Server-Side Mitigations X-Frame-Options Response Header Supported by most of the latest browsers Two possible values to use: DENY The page cannot be displayed in a frame, regardless of the site attempting to do so SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself.
- 6. Server-Side Mitigations Frame Bursting Code JavaScript Ensures the current frame is the most top level window Source: https://www.owasp.org/index.php/Clickjacking
- 7. How to make Profit? Bug Bounties Google Pays from $500 to $3133.7 XSS, CSRF are prime focus Name will be listed in Google Security Hall of Fame http://www.google.com/about/corporate/company/halloffame.html Facebook Starting from $500 XSS, CSRF, Open Redirect, Database Injection Name will be listed in Facebook WhiteHat http://www.facebook.com/whitehat
- 8. What to Target? CSRF protected actions Pages with tokens Self-XSS
- 9. Tools to Hack Browser I use Add-ons Clickjacking Defense – Declarative Security Created by Aditya k Sood Check for “X-Frame-Options” Firebug Many uses CSS editing On-the-Fly
- 10. CSS Basics Opacity Set Transparency for the element Top, Left Negative values shift elements out of the browser window Position Specifies the type of positioning method used for an element Static (default) - The box is a normal box. The 'top', 'right', 'bottom', and 'left' properties do not apply. Relative - The box's position is calculated according to the normal flow Absolute - The box's position is specified with the 'top', 'right', 'bottom', and 'left' properties Fixed - The box's position is calculated according to the 'absolute' model, but in addition, the box is fixed.
- 12. Exploitation Techniques Action with Single Click Technique: Simple Clickjacking Ex: Remove Google Books
- 13. Exploitation Techniques Action with 2 user clicks Technique: Fake Arithmetic Captcha Ex: Remove Google Orkut Service
- 14. Exploitation Techniques Single CSRF token Technique: Fake Captcha with SVG Masking Cross-Domain Content Extraction Ex: Facebook XHR
- 15. Exploitation Techniques Multiple CSRF tokens in source Technique: Drag-n-Drop with “view-source” Cross-Domain Content Extraction Ex: Facebook PoC
- 16. Exploitation Techniques Self-XSS Exploitation Technique: Drag-n-Drop Ex: Google Code XSS
- 17. Conclusion Profit & Fame Most of the sites didn’t implement protections Firefox still supports for “view-source” scheme Attack technique depends on target Imagination is only the limitation
- 18. References https://www.owasp.org/index.php/Clickjacking http://ui-redressing.mniemietz.de/uiRedressing.pdf http://html5sec.org/ http://blog.kotowicz.net/2011/07/cross-domain- content-extraction-with.html http://www.blog.fortitsecurity.com/2011/09/facebook- graph-api-access-token.html http://www.w3.org/TR/CSS2/visuren.html#positioning -scheme
- 19. Questions http://twitter.com/amolnaik4