Sunday, December 2, 2012

99% of Top Indian Websites can be 'UI Redressed'!!


Today I performed some analysis on the current usage trend of X-FRAME-OPTIONS in the top 500 websites of India (I used the sites listed here); this analysis came out with some interesting statistics:



  • 92% of the top Indian websites don’t use X-FRAME-OPTIONS at all.
  • The point worth noticing here is that most of the 18% of sites which use X-FRAME-OPTIONS are not of Indian origin; Alexa does not take origin into account when listing the top sites for a country, it ranks the websites by number of hits.
  • This eventually leads to the fact that only 1% of Indian sites are actually using X-FRAME-OPTIONS!!
  • Of the remaining 99% of top websites (of Indian origin), half are relying on various frame-busting scripts to avoid this threat; I will explain later why scripts are not foolproof, as there exists at least one way to break each of these scripts.
  • The other half of that 99% are not using any technique at all to avoid UI Redressing attacks!!
  • To my surprise I even saw one website using a strange value for the X-FRAME-OPTIONS header, ‘GOFORIT’, and this on a relatively popular telecom website.




This makes me very curious about the security practices that Indian websites are following. Web security is one of those areas which should not be overlooked; it should be given the amount of attention it deserves.



<Here is a brief overview of the UI Redressing attack; I am not going deep, as a lot of useful material on UI Redressing is available on the internet.>

UI Redressing attack in its basic form can be visualized as –




So the attack consists of having the user see one interface while actually interacting with an altogether different one. For instance, in the example above the user thinks he is claiming his gift, but he might actually be transferring his funds to some other bank account (of course, only if his bank account is open in some other tab). The most common vehicle for delivering this threat is the iframe. The attacker embeds the webpage he wants to attack in his iframe and makes it invisible while keeping his own content visible; when a genuine user performs actions on the attacker’s page, the user is actually performing those actions on the background page as well.
There exist various advanced mechanisms with which an attacker can manipulate the user’s input on his page and force selective input to be sent to the hidden page. I will probably be writing about these advanced exploitation mechanisms in a different article.


Possible Impacts-
An attacker can cause the user to perform actions which he would not consciously perform; examples of such actions include transferring funds from his online bank account, cancelling orders that he placed on some e-commerce site, or changing the delivery address for those orders, etc.; the list can be endless.

Safety measure that websites are using to avoid this attack: FRAME-BUSTING-
Most websites today are using frame-busting techniques to overcome this threat; frame-busting, as the name indicates, involves detecting whether the page is being loaded in an iframe and then busting that frame to break out of it!! Different scripts are used to achieve frame-busting on different sites.

How FRAME-BUSTING techniques\scripts can be circumvented-
There is a paper published by a couple of Stanford University students which discusses how frame-busting scripts can be broken; the paper shows that a way exists to break almost every one of the scripts that websites currently use to implement frame-busting.


Moving Towards HTTP Header: X-Frame-Options-
This is a better solution than frame-busting scripts, because the browser itself enforces it before the page is rendered inside a frame. The header restricts whether the page may be framed; it can take three possible values:
DENY-
This option means the page can never be framed by any page, not even by a page with the same origin.

SAMEORIGIN-
This option means the page can be framed, but only by another page with the same origin.

ALLOW-FROM-
This option means the page can be framed, but only by the single origin specified after the keyword.
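As an added example (not code from the original post), here is a small Python script that classifies an X-Frame-Options value the way the survey above buckets sites: header missing, DENY, SAMEORIGIN, ALLOW-FROM with a proper origin, or an invalid value that browsers ignore (like the ‘GOFORIT’ seen above). The site names and response headers are constructed samples, not real survey data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Buckets used for the survey-style tally.
MISSING, DENY, SAMEORIGIN, ALLOW_FROM, INVALID = (
    "missing", "deny", "sameorigin", "allow-from", "invalid")


def classify_xfo(header_value):
    """Classify one X-Frame-Options value; None means the header was absent."""
    if header_value is None:
        return MISSING
    value = header_value.strip()
    if "," in value:
        # Several values in one header (e.g. added by two proxies); browsers
        # treat the combined value as invalid and apply no protection.
        return INVALID
    upper = value.upper()
    if upper == "DENY":
        return DENY
    if upper == "SAMEORIGIN":
        return SAMEORIGIN
    m = re.match(r"ALLOW-FROM\s+(\S+)$", value, re.IGNORECASE)
    if m:
        # ALLOW-FROM needs a full origin with scheme and host, not a bare name.
        parts = urlsplit(m.group(1))
        if parts.scheme in ("http", "https") and parts.netloc:
            return ALLOW_FROM
    return INVALID  # anything else, e.g. 'GOFORIT', is silently ignored


def protected_by_header(bucket):
    """True only when a browser would actually refuse hostile framing."""
    return bucket in (DENY, SAMEORIGIN, ALLOW_FROM)


def tally(responses):
    """responses: list of (site, headers_dict). Returns a Counter of buckets."""
    counts = Counter()
    for _site, headers in responses:
        # Header names are case-insensitive, so match them without regard to case.
        value = next((v for k, v in headers.items()
                      if k.lower() == "x-frame-options"), None)
        counts[classify_xfo(value)] += 1
    return counts


# Constructed sample responses (placeholder hostnames, not real sites).
SAMPLE = [
    ("bank.example", {"X-Frame-Options": "DENY"}),
    ("news.example", {"x-frame-options": "sameorigin"}),
    ("shop.example", {"Content-Type": "text/html"}),
    ("telecom.example", {"X-Frame-Options": "GOFORIT"}),
    ("partner.example", {"X-Frame-Options": "ALLOW-FROM https://portal.example"}),
]

if __name__ == "__main__":
    for bucket, n in sorted(tally(SAMPLE).items()):
        print(f"{bucket:12s} {n}  protected={protected_by_header(bucket)}")
```

Note that ALLOW-FROM was never implemented by every browser, so a site relying on it alone may still be framable in browsers that ignore that value.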



-Archana
