Nov 4, 2008

UI redress vulnerability

The hot trend that catched my interest in web application security is clickjacking a.k.a UI redress vulnerability.It is a vulnerability in the DOM model of web browsers.According to a bug reported in 2002 on mozilla - http://bugzilla.mozilla.org/show_bug.cgi?id=154957 where the browsers allow transparent iframes to be rendered.Most browsers do. So any crooked head use this idea to show an iframe which is transparent one "over" his site, he can make the visitors to click the buttons in the pseudo web pages.When the poor user clicks , he might be clcking on a advertisements.. (click frauds).The innocent user will be using the buttons in the malicious web page even though the site in front of him is urging him to do a harmless action ! The web page might be having different iframes... Now a days facebook apps, opensocial apps are common around the web.So we might be clicking hidden buttons on the hidden iframe!!
Some can spy on you .How ? Its simple. If we have a web cam,microphone , it can be accessed by adobe flash if we allow to do so.So if the site is having a hidden iframe and the useris unknowingly clicking the allow button to leak your personal world to web.Anyway adobe has resolved the issue in flash player 10.

http://www.adobe.com/support/security/advisories/apsa08-08.html

More details
http://ha.ckers.org/blog/20081007/clickjacking-details/

Solutions ?

1.window.top != window to inhibit rendering, or override window.top.location.
if if (top != self){ top.location.href= location.href} which is iframe-breaker

2.re-authentication on all ui actions (not practical!!)

More on Google's solution(by famous hacker Michal Zalewski )

http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html

If you use Noscript or disable javascripts etc the clickjacking can be prevented.Even then most browsers wont disable IFRAMES.

More
http://www.gnucitizen.org/blog/more-advanced-clickjacking-ui-redress-attacks/
http://hackademix.net/2008/09/29/clickjacking-and-other-browsers-ie-safari-chrome-opera/
http://www.cgisecurity.org/2008/10/interview-jerem.html

No comments:

Post a Comment