Content Security Policy Demo

Outline
- XSS
- Session Hijacking
- Clickjacking
- Wrap up

Session Hijacking
[Diagram: Victim on a Public WiFi Network, Attacker, Internet, mybank.com]
1) Victim goes to mybank.com via HTTP
2) Attacker sniffs the public WiFi network and steals the JSESSIONID
3) Attacker uses the stolen JSESSIONID to access the victim's session

Secure Flag
- Ensures that the cookie is only sent via SSL
- Configure in web.xml as of Servlet 3.0:
    <session-config>
      <cookie-config>
        <secure>true</secure>
      </cookie-config>
    </session-config>
- Programmatically:
    Cookie cookie = new Cookie("mycookie", "test");
    cookie.setSecure(true);

Strict-Transport-Security
- Tells the browser to only talk to the server via HTTPS
- The first time your site is accessed via HTTPS and the header is used, the browser stores the certificate info
- Subsequent requests to HTTP automatically use HTTPS
- Supported browsers: implemented in Firefox and Chrome
- Currently an IETF draft
    Strict-Transport-Security: max-age=seconds [; includeSubdomains]

Outline
- XSS
- Session Hijacking
- Clickjacking
- Wrap up

Clickjacking
- Tricks the user into clicking a hidden button; the user has no idea the button was clicked
- Works by concealing the target site: the victim site is placed in an invisible iframe and the attacker site overlays the victim site
- Image source: http://seclab.stanford.edu/websec/framebusting/framebust.pdf

Clickjacking Demo

Clickjacking Code
- Put the victim in an invisible iframe

Adobe Flash Example
- Clickjacking discovered by Jeremiah Grossman & Robert "RSnake" Hansen
- Showed how to use Flash to spy on users: use Clickjacking to trick users into enabling the mic and camera via Flash

Facebook Example
- The "best passport application rejection in history" became popular on Facebook

Facebook Like Code
    <div style="overflow:hidden; width:10px; height:12px; filter:alpha(opacity=0); -moz-opacity:0.0; -khtml-opacity: 0.0; opacity:0.0; position:absolute;" id="icontainer">
- Like button moves with the cursor

Why Likejacking?
- Send victims to evil sites with malware
- Trick users into signing up for unwanted subscription services
- Drive traffic to sites to increase ad revenue
- Adscend Media: alleged to have made up to $1.2 million per month via Clickjacking; Facebook and Washington State filed lawsuits against them in January 2012

How to Fix?
- Use the X-Frame-Options HTTP Response Header, supported by all recent browsers
- Three options:
    DENY: Prevents any site from framing the page
    SAMEORIGIN: Allows framing only from the same origin
    ALLOW-FROM origin: Allows framing only from the specified origin; only supported by IE (based on my testing); Firefox Bug 690168 - "This was an unintentional oversight"

Java Code
- DENY:
    response.addHeader("X-Frame-Options", "DENY");
- ALLOW-FROM:
    String value = "ALLOW-FROM http://www.trustedsite.com:8080";
    response.addHeader("X-Frame-Options", value);

X-Frame-Options Demo

Using X-Frame-Options
- You might not want to use it for the entire site: it prevents legitimate framing of your site (e.g. Google Image Search)
- For sensitive transactions use SAMEORIGIN, and test thoroughly
- If the page should never be framed, then use DENY

Frame Busting Code
- What about older browsers that don't support X-Frame-Options? JavaScript code like this is commonly used:
    if (top != self) top.location = self.location;
- Not foolproof: various techniques can be used to bypass frame busting code

Some Anti-Frame Busting Techniques
- IE <iframe security=restricted>: disables JavaScript within the iframe
- onBeforeUnload - 204 Flushing: repeatedly send a 204 (No Content) response so the onBeforeUnload handler gets canceled
- Browser XSS Filters: Chrome's XSSAuditor filter cancels inline scripts if they are also found as a parameter:
    <iframe src="http://www.victim.com/?v=if(top+!%3D+self)+%7B+top.location%3Dself.location%3B+%7D">

Outline
- XSS
- Session Hijacking
- Clickjacking
- Wrap up

Summary
- Use the following HTTP Response Headers:
    Set-Cookie HttpOnly
    X-XSS-Protection: 1, mode=block
    Set-Cookie Secure
    Strict-Transport-Security
    X-Frame-Options: SAMEORIGIN
- Plan to use the following:
    Content Security Policy
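Putting the Summary headers together, as an added example (not the slides' own code): a hypothetical Java servlet filter, SecurityHeadersFilter, that sets X-Frame-Options, X-XSS-Protection and Strict-Transport-Security on every response, plus a hardenedCookie helper that applies the Secure and HttpOnly flags from the Session Hijacking slides. The class and helper names and the one-year HSTS max-age are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, not from the slides: applies the Summary headers to
// every response. Map it to /* in web.xml with a <filter-mapping>.
public class SecurityHeadersFilter implements Filter {
    // One year in seconds; the max-age value is chosen for this example.
    private static final long HSTS_MAX_AGE_SECONDS = 31536000L;

    @Override public void init(FilterConfig config) throws ServletException { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Clickjacking defence: only our own origin may frame the page.
        // Pages that must never be framed should send "DENY" instead.
        response.setHeader("X-Frame-Options", "SAMEORIGIN");

        // Legacy reflected-XSS filter header (note the semicolon separator);
        // current browsers have removed this filter, so it is defence in depth only.
        response.setHeader("X-XSS-Protection", "1; mode=block");

        // Browsers only honour HSTS on an HTTPS response, so send it only then.
        if (request.isSecure()) {
            response.setHeader("Strict-Transport-Security",
                    "max-age=" + HSTS_MAX_AGE_SECONDS + "; includeSubDomains");
        }
        chain.doFilter(request, response);
    }

    // Session-hijacking defence from the Secure Flag slide, plus HttpOnly so
    // script cannot read the cookie. Both setters require Servlet 3.0+.
    public static Cookie hardenedCookie(String name, String value) {
        Cookie cookie = new Cookie(name, value);
        cookie.setSecure(true);    // only sent over SSL/TLS
        cookie.setHttpOnly(true);  // not exposed to document.cookie
        return cookie;
    }
}
```

The same cookie flags can be set declaratively by adding <http-only>true</http-only> next to <secure>true</secure> in the web.xml cookie-config shown on the Secure Flag slide.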