Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson

Published byAvery Berry Modified over 10 years ago

Similar presentations

Presentation on theme: "Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson"— Presentation transcript:

1 Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson
Framebusting in the Wild A survey of framebusting code used at popular sites Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson

2 What is frame busting?

3 What is frame busting? <iframe src=“http://www.google.com”>
HTML allows for any site to frame any URL with an IFRAME (internal frame) <iframe src=“ Ignored by most browsers </iframe>

4 What is frame busting? Frame busting are techniques for preventing framing by the framed site.

5 What is framebusting? Common frame busting code is made up of:
a conditional statement a counter action if (top != self) { top.location = self.location; }

6 Why frame busting?

7 Primary: Clickjacking Jeremiah Grossman and Robert Hansen, 2008

8 Clickjacking 2.0 (Paul Stone, BHEU ‘10)
Utilizing drag and drop: Grab data off the page (including source code, form data) Get data into the page (forms etc.) Fingerprint individual objects in the framed page

9 Survey Idea: Grab frame busting from Alexa Top-500 and all US banks.
Analyze code. Used semi-automated crawler based on HTMLUnit. Manual work to trace through obfuscated and packed code.

10 Obfuscation/Packing

11 Survey Sites Framebusting Top 10 60% Top 100 37% Top 500 14%

12 Conditional Statements
Survey Conditional Statements if (top != self) if (top.location != self.location) if (top.location != location) if (parent.frames.length > 0) if (window != top) if (window.top !== window.self) if (window.self != window.top) if (parent && parent != window) if (parent && parent.frames && parent.frames.length>0) if((self.parent&& !(self.parent===self))&& (self.parent.frames.length!=0))

13 Counter-Action Statements
top.location = self.location top.location.href = document.location.href top.location.href = self.location.href top.location.replace(self.location) top.location.href = window.location.href top.location.replace(document.location) top.location.href = "URL" document.write(’’) top.location = location top.location.replace(’URL’) top.location.href = document.location top.location.replace(window.location.href) top.location.href = location.href self.parent.location = document.location parent.location.href = self.document.location top.location.href = self.location top.location = window.location top.location.replace(window.location.pathname) window.top.location = window.self.location setTimeout(function(){document.body.innerHTML=’’;},1); window.self.onload = function(evt){document.body.innerHTML=’’;} var url = window.location.href; top.location.replace(url)

14 All frame busting code we found was broken.

15 Let’s check out some code.

16 Courtesy of Walmart if (top.location != location) { if(document.referrer && document.referrer.indexOf("walmart.com") == -1) { top.location.replace(document.location.href); }

17 Error in Referrer Checking
From <iframe src=“ Limit use of indexOf()…

18 Courtesy of if (window.self != window.top && !document.referrer.match( /https?:\/\/[^?\/]+\.nytimes\.com\//)) { self.location = top.location; }

19 Error in Referrer Checking
From <iframe src=“ Anchor your regular expressions.

20 Courtesy of if (self != top) { var domain = getDomain(document.referrer); var okDomains = /usbank|localhost|usbnet/; var matchDomain = domain.search(okDomains); if (matchDomain == -1) { //frame bust }

21 Error in Referrer Checking
From <iframe src=“ Don’t make your regular expressions too lax.

22 Strategic Relationship?
Norweigan State House Bank

23 Strategic Relationship?
Bank of Moscow

24 Courtesy of try{ A=!top.location.href }catch(B){} A=A&& !(document.referrer.match(/^https?:\/\/[-az09.] *\.google\.(co\.|com\.)? [a-z] +\/imgres/i))&& !(document.referrer.match(/^https?:\/\/([^\/]*\.)? (myspace\.com| myspace\.cn| simsidekick\.com| levisawards\.com| digg\.com)\//i)); if(A){ //Framebust }

25 The people you trust might not frame bust
Google Images does not framebust.

26 Referrer = Funky Stuff Many attacks on referrer: washing/changing
Open redirect referrer changer HTTPS->HTTP washing Can be hard to get regular expression right (apparently) “Friends” cannot be trusted

27 Facebook Dark Layer

28 Courtesy of Facebook if (top != self) { try {
Facebook deploys an exotic variant: if (top != self) { try { if (top.location.hostname.indexOf("apps") >= 0) throw 1; } catch (e) { window.document.write("<div style= 'background: black; opacity: 0.5; filter: alpha(opacity = 50); position: absolute; top: 0px; left: 0px; width: 9999px; height: 9999px; z-index: ' onClick='top.location.href=window.location.href'> </div>"); }

29 Facebook – Ray of Light! All Facebook content is centered! We can push the content into the ray of light outside of the div. <iframe width=“21800px” height=”2500px” src =“ <script> window.scrollTo(10200, 0 ) ; </script>

30 Facebook – Ray of Light!

31 Let’s move on to some generic attacks!

32 Courtesy of many if(top.location != self.location) { parent.location = self.location; }

33 Double Framing! framed1.html <iframe src=“fframed2.html”>
<iframe src=“victim.com”>

34 Descendent Policy Descendant Policy
Introduced in Securing frame communication in browsers. (Adam Barth, Collin Jackson, and John Mitchell. 2009) top.location = self.location is always okay. Descendant Policy A frame can navigate only it’s decedents. framed1.html <iframe src=“fframed2.html”> framed2.html <iframe src=“victim.com”>

35 Location Clobbering if (top.location != self.location) {
} If top.location can be changed or disabled this code is useless. But our trusted browser would never let such atrocities happen… right?

36 IE 7: Safari: Location Clobbering var location = “clobbered”; IE 7:
window.__defineSetter__("location", function(){}); top.location is now undefined.  IE 7: browsersec/wiki/Part2#Arbitrary_ page_mashups_(UI_redressing)

37 Asking Nicely User can manually cancel any redirection attempt made by framebusting code. Attacker just needs to ask… <script> window.onbeforeunload = function() { return ”Do you want to leave PayPal?"; } </script> <iframe src="

38 Asking Nicely

39 Not Asking Nicely Actually, we don’t have to ask nicely at all. Most browser allows to cancel the relocation “programmatically”. var prevent_bust = 0 window.onbeforeunload = function() {kill_bust++ } setInterval(function() { if (kill_bust > 0) { kill_bust -= 2; window.top.location = ' } }, 1); <iframe src="

40 Restricted zones IE 8: <iframe security=“restricted” src=“ Javascript and Cookies disabled Chrome (HTML5): <iframe sandbox src=“ Javascript disabled (cookies still there) IE 8 and Firefox: designMode = on (Paul Stone BHEU’10) Javascript disabled (more cookies) However, since cookies are disabled, many attacks are less effective (no session).

41 Reflective XSS filters
Internet Explorer 8 introduced reflective XSS filters: alert(‘xss’) If <script> alert(‘xss’); appears in the rendered page, the filter will replace it with <sc#pt> alert(‘xss’)

42 Reflective XSS filters
Can be used to target frame busting (Eduardo Vela ’09) Original <script> if(top.location != self.location) //framebust </script> Request > if (top Rendered <sc#pt> if(top.location != self.location) Chrome’s XSS auditor, same problem.

43 Is there any hope? Well, sort of…

44 X-Frames-Options (IE8)
HTTP header sent on responses Two possible values: DENY and SAMEORIGIN On DENY, will not render in framed context. On SAMEORIGIN, only render if top frame is same origin as page giving directive.

45 X-Frames-Options Good adoption by browsers (all but Firefox, coming in 3.7) Poor adoption by sites (4 out of top 10,000, survey by sans.org) Some limitations: per-page policy, no whitelisting, and proxy problems.

46 Content Security Policy (FF)
Also a HTTP-Header. Allows the site to specific restrictions/abilities. The frame-ancestors directive can specifiy allowed framers. Still in beta, coming in Firefox 3.7

47 Best for now (but still not good)
<style>html { visibility: hidden }</style> <script> if (self == top) { document.documentElement.style.visibility = 'visible'; } else { top.location = self.location; } </script>

48 These sites (among others) do framembusting…
… a little bit more. These sites (among others) do framembusting…

49 … a little bit more. … but do these?

50 No, they generally don’t…
Site URL Framebusting Facebook YES MSN NO GMail Baidu Twitter MegaVideo Tube8 PayPal USBank First Interstate Bank NewEgg MetaCafe RenRen MySpace VKontakte WellsFargo NyTimes Redirect E-Zine Articles

51 Summary All framebusting code out there can be broken across browsers in several different ways Defenses are on the way, but not yet widely adopted Relying on referrer is difficult If JS is disabled, don’t render the page. Framebust your mobile sites!

52 Questions?

Download ppt "Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson"

Similar presentations

CS193H: High Performance Web Sites Lecture 20: Vol 2 – Don't Scatter Inline Scripts Steve Souders Google

CS193H: High Performance Web Sites Lecture 20: Vol 2 – Don't Scatter Inline Scripts Steve Souders Google
CS193H: High Performance Web Sites Lecture 19: Vol 2 – Load Scripts Without Blocking Steve Souders Google

CS193H: High Performance Web Sites Lecture 19: Vol 2 – Load Scripts Without Blocking Steve Souders Google
CS193H: High Performance Web Sites Lecture 10: Rule 6 – Put Scripts at the Bottom Steve Souders Google

CS193H: High Performance Web Sites Lecture 10: Rule 6 – Put Scripts at the Bottom Steve Souders Google
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
Appeared in 30 th IEEE Symposium on Security and Privacy, May 2009. Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.

Appeared in 30 th IEEE Symposium on Security and Privacy, May Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Search Engine Optimization (SEO) Guideline Powered by DonorCommunity TM DonorCommunity eLearning Series v1.2, February 2012 Search Engine Optimization.

Search Engine Optimization (SEO) Guideline Powered by DonorCommunity TM DonorCommunity eLearning Series v1.2, February 2012 Search Engine Optimization.
JQuery & SharePoint San Antonio Users Group – September Meeting September 22, 2009 Microsoft SharePoint Server.

JQuery & SharePoint San Antonio Users Group – September Meeting September 22, 2009 Microsoft SharePoint Server.
Why Isn't This Button Working? JavaScript and Accessibility in Web Development.

Why Isn't This Button Working? JavaScript and Accessibility in Web Development.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Clickjacking CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security.

Password Managers: Attacks and Defenses David SilverSuman JanaDan Boneh Stanford University Eric ChenCollin Jackson Carnegie Mellon University Usenix Security.

Similar presentations

Ads by Google