WEB SECURITY: CLICKJACKING
CMSC 414, Feb 27 2018
Misleading users
• Browser assumes that clicks and keystrokes = clear indication of what the user wants to do
• Constitutes part of the user's trusted path
• Attacker can meddle with the integrity of this relationship in all sorts of ways
• Recall the power of JavaScript
  • Alter page contents (dynamically)
  • Track events (mouse clicks, motion, keystrokes)
  • Read/set cookies
  • Issue web requests, read replies
Using JS to Steal Facebook Likes
Bait and switch: the user tries to claim their free iPad (the "Claim" button), but you want them to click your Like button
(Many of these attacks are similar to TOCTTOU vulnerabilities)
[Figure: user intent (clicking "Claim") vs. actual outcome (clicking "Like")]
Clickjacking
When one principal tricks the user into interacting with UI elements of another principal
An attack application (script) compromises the context integrity of another application's user interface when the user acts on the UI
Context integrity
1. Visual context: what a user should see right before the sensitive action. Ensuring this = the sensitive UI element and the cursor are both visible
2. Temporal context: the timing of a user action. Ensuring this = the user action at a particular time is what the user intended
Compromising visual integrity of the target
• Hide the target element
  • CSS lets you set the opacity of an element to zero (clear)
• Partially overlay the target
• Or crop the parts you don't want to show
[Figure: what the user sees, "To: Charity / From: Nice person / Amount: $10", drawn over the hidden real form "Pay To: Bad guy / From: Victim / Amount: $1000"]
Compromising visual integrity of the pointer
• Manipulating cursor feedback
[Figure: the displayed (fake) cursor hovers over "Claim" while the actual cursor sits elsewhere on the page]
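The three tricks on the last two slides (transparent overlay, cropping, cursor spoofing) all come down to layout arithmetic: the attacker's page has to be arranged so that the victim's real control ends up exactly where the user is aiming. The following is an added example, not from the lecture, that works that arithmetic out for a hypothetical target page (`bank.example`, with a "Pay" button whose position the attacker has measured in advance) and a bait button on the attacker's page. Every pixel value, the URL and the cursor offset are constructed for illustration; the functions return the inline CSS the attack page would put on its elements and check that the alignment is right.

```javascript
// Added example (not from the lecture slides): the layout arithmetic behind the
// visual-integrity attacks. Every pixel value and the target URL are constructed.

// Hypothetical target page, and where its sensitive button sits when the page is
// laid out in a 1280x900 viewport (an attacker measures this offline).
const TARGET_URL = 'https://bank.example/transfer';          // hypothetical
const TARGET_VIEWPORT = { width: 1280, height: 900 };
const PAY_BUTTON = { left: 412, top: 638, width: 120, height: 36 };

// Where the bait ("Claim your free iPad") is drawn on the attacker's page.
const BAIT = { left: 300, top: 200, width: 120, height: 36 };

// Trick 1: transparent overlay. A full-size iframe of the target is stacked above
// the bait with opacity 0 and shifted so the real button lies exactly on the bait.
function transparentOverlay(target, bait, viewport) {
  return {
    iframe: {
      position: 'absolute', zIndex: 2, opacity: 0,
      left: bait.left - target.left, top: bait.top - target.top,
      width: viewport.width, height: viewport.height,
    },
  };
}

// Trick 2: crop. A clipping box the size of the button sits where the bait is;
// inside it the (fully visible) iframe is shifted so only the real button shows,
// and the attacker draws misleading context around the box.
function croppedOverlay(target, bait, viewport) {
  return {
    clipBox: {
      position: 'absolute', overflow: 'hidden',
      left: bait.left, top: bait.top, width: target.width, height: target.height,
    },
    iframe: {
      position: 'absolute', opacity: 1,
      left: -target.left, top: -target.top,
      width: viewport.width, height: viewport.height,
    },
  };
}

// Where the target button ends up on the attacker's page for either layout.
function renderedTargetRect(layout, target) {
  const box = layout.clipBox || { left: 0, top: 0 };
  return {
    left: box.left + layout.iframe.left + target.left,
    top: box.top + layout.iframe.top + target.top,
    width: target.width, height: target.height,
  };
}

// The attacker's own sanity check: does the real button sit exactly under the bait?
function alignedWithBait(layout, target, bait) {
  const r = renderedTargetRect(layout, target);
  return r.left === bait.left && r.top === bait.top;
}

// Trick 3: cursor spoofing. The attacker hides the real cursor (cursor: none) and
// draws a fake one at (real + offset). When the user has the fake cursor centred on
// the bait, the real pointer is `offset` away, so a visible target button placed
// there receives the click. Returns where that target must be centred.
function cursorSpoofTargetCentre(bait, offset) {
  const cx = bait.left + bait.width / 2;
  const cy = bait.top + bait.height / 2;
  return { x: cx - offset.dx, y: cy - offset.dy };
}

// Serialise a style object to the inline CSS the attack page would put on the element.
function cssText(style) {
  return Object.entries(style)
    .map(([k, v]) => {
      const prop = k.replace(/[A-Z]/g, c => '-' + c.toLowerCase());
      const unit = typeof v === 'number' && !['opacity', 'zIndex'].includes(k) ? 'px' : '';
      return `${prop}:${v}${unit}`;
    })
    .join(';');
}

// Demo: the $1000 "Pay" button lined up under the iPad bait.
const demo = transparentOverlay(PAY_BUTTON, BAIT, TARGET_VIEWPORT);
console.log(`<iframe src="${TARGET_URL}" style="${cssText(demo.iframe)}">`,
            'aligned:', alignedWithBait(demo, PAY_BUTTON, BAIT));
```

The transparent variant needs the frame on top (`z-index`) so the click reaches the framed page; the cropped variant instead shows the real button and relies on the attacker-controlled surroundings to mislead. Both depend on the target being frameable, which is why the defenses later in the lecture concentrate on framing.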
Clickjacking to access a user’s webcam
Some clickjacking defenses
• Require confirmation for actions
  • Annoys users
• Frame-busting: the website ensures that its "vulnerable" pages can't be included as a frame inside another browser frame
  • So the user can't be looking at it with something invisible overlaid on top…
  • …nor have the site invisible above something else
The attacker implements this by placing Twitter's page in a "frame" inside their own page; otherwise the two wouldn't overlap
• Conceptually implemented with JavaScript like
  if (top.location != self.location) top.location = self.location;
  (actually, it's quite tricky to get this right)
• Current research considers more general approaches
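The one-liner is tricky because the page doing the framing controls the environment the buster runs in: for example, an `<iframe sandbox>` without `allow-top-navigation` stops the framed page from navigating `top`, and the naive buster then silently leaves the page framed and clickable. As an added example, not from the lecture, the block below shows (a) a frame-buster that fails closed by keeping the page hidden until it has proved it is not framed, (b) the response headers that make the browser itself refuse the framing (`Content-Security-Policy: frame-ancestors`, with `X-Frame-Options` for older browsers), and (c) a simplified model of how a browser decides from those headers, which is handy for checking what a given response actually permits. The origins (`bank.example`, `partner.example`, `evil.example`) are made up; the model looks only at the top-level ancestor and ignores ports.

```javascript
// Added example (not from the lecture slides). Origins are constructed.

// (a) Fail-closed frame-buster. The page ships with
//     <style id="antiClickjack">body { display: none !important; }</style>
//     so it is blank until this script proves it is not framed. If the framing
//     page has neutralised the buster (e.g. <iframe sandbox> without
//     allow-top-navigation blocks the top.location assignment), the victim sees a
//     blank page instead of a clickable one. `win` and `doc` are parameters so the
//     logic can be exercised outside a browser.
function frameBuster(win, doc) {
  if (win.self === win.top) {
    const blocker = doc.getElementById('antiClickjack');
    if (blocker) blocker.parentNode.removeChild(blocker);   // not framed: reveal
    return 'shown';
  }
  try { win.top.location = win.self.location; } catch (e) { /* blocked by sandbox */ }
  return 'hidden';  // framed: stay blank whether or not the navigation succeeded
}

// (b) Response headers for a sensitive page. frame-ancestors is the standard
//     mechanism; X-Frame-Options cannot express a partner list, so DENY is the
//     conservative fallback for browsers without CSP support.
function sensitivePageHeaders(allowedAncestors = ["'none'"]) {
  const selfOnly = allowedAncestors.length === 1 && allowedAncestors[0] === "'self'";
  return {
    'Content-Security-Policy': `frame-ancestors ${allowedAncestors.join(' ')}`,
    'X-Frame-Options': selfOnly ? 'SAMEORIGIN' : 'DENY',
  };
}

// (c) Simplified browser decision: may `ancestorOrigin` frame `pageOrigin`?
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;  // policy present but says nothing about framing
}

// Match one source expression: 'none', 'self', *, or a host source with an
// optional scheme and leading wildcard label (https://*.partner.example).
function sourceMatches(source, pageOrigin, ancestorOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin.toLowerCase() === pageOrigin.toLowerCase();
  if (s === '*') return true;
  const anc = new URL(ancestorOrigin);
  const sep = s.indexOf('://');
  const scheme = sep < 0 ? null : s.slice(0, sep);
  const host = sep < 0 ? s : s.slice(sep + 3);
  if (scheme !== null && anc.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return anc.hostname.endsWith(host.slice(1));  // subdomains only
  return anc.hostname === host;
}

function framingAllowed(headers, pageOrigin, ancestorOrigin) {
  // frame-ancestors takes precedence: browsers that understand it ignore X-Frame-Options.
  const sources = frameAncestorsSources(getHeader(headers, 'content-security-policy'));
  if (sources !== null) {
    const allowed = sources.some(s => sourceMatches(s, pageOrigin, ancestorOrigin));
    return { allowed, reason: 'frame-ancestors ' + sources.join(' ') };
  }
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: ancestorOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // Absent, ALLOW-FROM (obsolete, unsupported by current browsers) or malformed:
  // nothing stops the framing.
  return { allowed: true, reason: 'no enforced framing policy' };
}

console.log(sensitivePageHeaders(),
            framingAllowed({}, 'https://bank.example', 'https://evil.example'));
```

The headers are what a site should rely on; the JavaScript buster only limits the damage on browsers that do not enforce them, and it must fail closed (blank page) rather than open (framed page), which is exactly what the slide's one-liner does not do.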
InContext defense (recent research)
• A set of techniques to ensure context integrity for user actions
• Servers opt in
  • Let the websites indicate their sensitive UIs
  • Let browsers enforce context integrity when users act on the sensitive UIs
Ensuring visual integrity of pointer
• Remove cursor customization
  • Attack success: 43% -> 16%
Ensuring visual integrity of pointer
• Lightbox effect around target on pointer entry
  • Attack success (freezing + lightbox): 2%
Enforcing temporal integrity
• UI delay: after visual changes on target or pointer, invalidate clicks for a few milliseconds
• Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target
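The two temporal rules are easiest to understand as a small state machine that sits between the pointer events and the sensitive control. The block below is an added example, not the InContext implementation or any browser's code: it models the slide's two rules (clicks rejected inside a delay window after a visual change, and rejected until the pointer re-enters the target after the target itself changed) and replays a constructed bait-and-switch timeline through them. The 250 ms window and the event times are made up; the slide only says "a few milliseconds".

```javascript
// Added example (not from the lecture or the InContext paper): the temporal-integrity
// rules as a state machine. Times are in ms; all values are constructed.

class ClickGate {
  constructor({ uiDelayMs = 250, pointerReentry = true } = {}) {
    this.uiDelayMs = uiDelayMs;
    this.pointerReentry = pointerReentry;
    this.lastVisualChange = -Infinity; // last change to the target's or pointer's appearance
    this.pointerInside = false;
    this.reentryNeeded = false;        // set when the target itself changed
  }

  // The target moved or re-rendered (onTarget), or the pointer changed appearance.
  visualChange(t, { onTarget = true } = {}) {
    this.lastVisualChange = t;
    if (onTarget && this.pointerReentry) this.reentryNeeded = true;
  }

  pointerEnter() { this.pointerInside = true; this.reentryNeeded = false; }
  pointerLeave() { this.pointerInside = false; }

  // Decide whether a click at time t is delivered to the sensitive control.
  click(t) {
    if (!this.pointerInside) return { accepted: false, reason: 'pointer not over target' };
    if (t - this.lastVisualChange < this.uiDelayMs) {
      return { accepted: false, reason: 'inside UI delay after visual change' };
    }
    if (this.reentryNeeded) {
      return { accepted: false, reason: 'pointer has not re-entered since target changed' };
    }
    return { accepted: true, reason: 'ok' };
  }
}

// Replay a timeline of {t, type, ...} events; returns the decision for each click.
function replay(events, opts) {
  const gate = new ClickGate(opts);
  const decisions = [];
  for (const e of events) {
    if (e.type === 'click') decisions.push({ t: e.t, ...gate.click(e.t) });
    else if (e.type === 'visualChange') gate.visualChange(e.t, e);
    else if (e.type === 'enter') gate.pointerEnter();
    else if (e.type === 'leave') gate.pointerLeave();
  }
  return decisions;
}

// Constructed bait-and-switch: the user aims at "Claim"; the attacker swaps the real
// target in under the pointer just before the click, then holds still hoping for a
// second click; finally the user moves away, comes back, and clicks deliberately.
const BAIT_AND_SWITCH = [
  { t: 0,    type: 'enter' },
  { t: 900,  type: 'visualChange', onTarget: true }, // target appears under the pointer
  { t: 910,  type: 'click' },   // 10 ms after the change: inside the UI delay
  { t: 2000, type: 'click' },   // delay has passed, but the pointer never re-entered
  { t: 2100, type: 'leave' },
  { t: 2300, type: 'enter' },
  { t: 2400, type: 'click' },   // re-entered and outside the delay: delivered
];

console.log(replay(BAIT_AND_SWITCH));
```

Running the same timeline with `{ pointerReentry: false }` shows why both rules are needed: the UI delay alone stops the reflex click at 910 ms but lets the patient attacker collect the click at 2000 ms, which only the re-entry rule rejects.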
Other forms of UI sneakiness
• Along with stealing events, attackers can use the power of JavaScript customization and dynamic changes to mess with the user's mind
• For example, the user may not be paying attention, so you can swap tabs on them
• Or they may find themselves "eclipsed"
Browser in browser
WHAT IS UNTRUSTWORTHY HERE?
CLICKJACKING: EXPERIMENTS
• Mechanical Turk workers
• $0.25 per participant to "follow the on-screen instructions and complete an interactive task."
• Simulated attacks, simulated defenses
• 3251 participants
• Note: you must control for sloppy participation
  • Excluded 370 repeat participants
CLICKJACKING: EXPERIMENTS
• Control group 1
  • "Skip ad" button
  • No attack to trick the user
  • Purpose: to determine the click rate we would hope a defense could achieve in countering an attack
  • 38% didn't skip the ad
• Control group 2
  • "Allow" button to skip ad
  • Purpose: an attempt to persuade users to grant access without tricking them
  • 8% allowed (statistically indistinguishable from group 1)