
Analysis of UI Redressing Attacks and Countermeasures
Marcus Niemietz
www.nds.rub.de
Place of birth: Castrop-Rauxel, Germany
Email: [email protected]
25th January 2019
Ruhr-University Bochum, Horst Görtz Institute for IT-Security, Chair for Network and Data Security
Dissertation submitted for the degree of Doktor-Ingenieur at the Faculty of Electrical Engineering and Information Technology of the Ruhr-Universität Bochum
First Supervisor: Prof. Dr. rer. nat. Jörg Schwenk
Second Supervisor: Prof. Dr. rer. nat. Martin Johns

Acknowledgements

For the last seven years, I have had the chance to speak at over 35 international IT security conferences. Moreover, I am part of a small team which has established a popular lecture about Web security (HackPra) at the Ruhr-University in Bochum, our own annual non-profit IT security conference (RuhrSec), and an IT security start-up company (Hackmanit). Since I started IT security research in 2011, I have had the opportunity to contact and work with amazing people, resulting in great friendships. Next to my family, I would like to thank (in alphabetical order): Abraham Aranguren, Thorsten Holz, Tilman Frosch, Robert Hansen, Mario Heiderich, Brad Hill, Jeremiah Grossman, Martin Grothe, Vincent Immler, Krzysztof Kotowicz, Christian Mainka, Giorgio Maone, Andreas Mayer, Vladislav Mladenov, Dominik Noß, David Ross, Juraj Somorovsky, Paul Stone, Karsten Tellmann, and Sandra Terstegge. I also want to explicitly thank all of my colleagues from Hackmanit and the Chair of Network and Data Security. I would also like to thank my first advisor Prof. Dr. Jörg Schwenk and my second advisor Prof. Dr. Martin Johns. Thank you all for your valuable time.

Bochum, 1st April 2019

Abstract

UI Redressing (UIR) describes a set of powerful attacks which can be used to circumvent browser security mechanisms like sandboxing and the Same-Origin Policy. In essence, an attacker wants to lure a victim into performing actions out of context, commonly by combining social engineering techniques with invisible elements and hijacked trustworthy events. The set of attacks includes techniques like manipulating the mouse cursor, stealing touch gestures, and maliciously reusing keystrokes. Introduced in 2008, clickjacking was the first UIR attack; it made it possible to gain automatic access to the victim's camera and microphone by stealing a few left-clicks within a Flash-based browser game.

This thesis analyzes the fundamentals, attacks, and countermeasures of UIR in depth. In addition to well-known techniques, new research results such as case studies of new UIR attacks are provided.

As an important contribution to the fundamentals of UIR, the first extensive investigation of the targets of UIR attacks is provided. These targets are called trustworthy events in this thesis; they should not be confused with the concept of trusted events also known from Web security. Based on this investigation, three new UIR attack variants with minimized visibility are introduced. Furthermore, an empirical study of the DOM-based Same-Origin Policy, perhaps the most important security mechanism for protecting Web applications, is given. Its aim of separating content from different origins can be bypassed by means of trustworthy events without exploiting any flaw in the policy itself. Therefore, an extensive evaluation of this target of UIR attacks is provided.

Looking at the UIR attack contributions, this thesis describes novel drag-and-drop attack variants, an SVG masking technique, tabnabbing to redress named windows, a scriptless attack to steal keystrokes, and, inter alia, browserless attacks on Android systems that are based on tapjacking. As UIR defense contributions, window spoofing protection mechanisms, JSAgents as a practical alternative to Content Security Policy, and browserless tapjacking defense mechanisms are presented.
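The mechanism the abstract describes (a decoy element stacked over an invisible framed page, so that a click intended for the decoy is delivered to the framed target) and the browser countermeasures that restrict cross-origin nesting can be made concrete with the following JavaScript. It is an added example and not code from the thesis: it generates the classic overlay layout and implements a check that predicts, from a target page's response headers, whether a browser will let a given origin frame it at all. CSP frame-ancestors takes precedence over X-Frame-Options when both are present; an unrecognised X-Frame-Options value, including the obsolete ALLOW-FROM, is treated as not enforced, which is an assumption based on current Chromium behaviour; only the direct framer is modelled, not the whole ancestor chain; and ports are compared literally without normalising default ports. All origins, URLs and header values are constructed for the example.

```javascript
// Added example (not from the thesis): the classic clickjacking overlay and a
// check that predicts whether a target page can be framed by a given origin.
// Origins, URLs and header values below are constructed samples.

// Generates the attack page: a decoy button the victim wants to click, with the
// target loaded in a fully transparent iframe stacked above it. offsetX/offsetY
// shift the frame so the target's sensitive button sits exactly under the decoy.
function buildClickjackingPage(targetUrl, offsetX, offsetY) {
  return [
    '<!doctype html><html><body>',
    '<style>',
    '#decoy  { position:absolute; top:100px; left:100px; z-index:1; }',
    `#victim { position:absolute; top:${100 - offsetY}px; left:${100 - offsetX}px;`,
    '          width:800px; height:600px; border:0; opacity:0; z-index:2; }',
    '</style>',
    '<button id="decoy">Click here to win a prize</button>',
    `<iframe id="victim" src="${targetUrl}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Returns the source list of the frame-ancestors directive, or null if the
// Content-Security-Policy header has no such directive.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Hand-parses "scheme://host[:port]" so that host wildcards ("*.example") do
// not depend on URL-parser behaviour. Returns null for anything else.
function parseSource(s) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/i.exec(s);
  return m ? { scheme: m[1] ? m[1].toLowerCase() : null,
               host: m[2].toLowerCase(), port: m[3] || null } : null;
}

// Matches one frame-ancestors source expression against the framing origin:
// 'none', 'self', '*', scheme-only sources ("https:"), exact origins and a
// leading host wildcard. Ports are compared literally (simplification).
function sourceMatches(source, framerOrigin, targetOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === 'self') return framerOrigin.toLowerCase() === targetOrigin.toLowerCase();
  if (s === '*') return true;
  const framer = parseSource(framerOrigin);
  if (!framer) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1);
  const src = parseSource(s);
  if (!src) return false;
  if (src.scheme && src.scheme !== framer.scheme) return false;
  const hostOk = src.host.startsWith('*.')
    ? framer.host.endsWith(src.host.slice(1))
    : framer.host === src.host;
  if (!hostOk) return false;
  return !src.port || src.port === '*' || src.port === framer.port;
}

// Predicts the framing decision for `targetOrigin` embedded by a page on
// `framerOrigin`, given the target's response headers. CSP frame-ancestors wins
// when present; otherwise X-Frame-Options; with neither, framing is allowed.
function framingDecision(headers, framerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors) {
    const allowed = ancestors.some(src => sourceMatches(src, framerOrigin, targetOrigin));
    return { blocked: !allowed, reason: 'CSP frame-ancestors' };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { blocked: true, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    const same = framerOrigin.toLowerCase() === targetOrigin.toLowerCase();
    return { blocked: !same, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // Any other value, including the obsolete ALLOW-FROM, is treated as not
  // enforced (assumption: current Chromium ignores unrecognised XFO values).
  return { blocked: false, reason: xfo ? `unrecognised X-Frame-Options "${xfo}"`
                                       : 'no framing restriction' };
}

// Constructed target responses: an unprotected page and two protected variants.
const SAMPLE_RESPONSES = {
  unprotected: {},
  xfoDeny:     { 'X-Frame-Options': 'DENY' },
  cspPartner:  { 'Content-Security-Policy':
                 "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const d = framingDecision(headers, 'https://attacker.example', 'https://bank.example');
  console.log(`${name}: ${d.blocked ? 'framing blocked' : 'FRAMEABLE'} (${d.reason})`);
}
```

Run the file with Node to see that only the unprotected sample is frameable from the attacker origin; feeding `buildClickjackingPage` a target that passes `framingDecision` with `blocked: false` is exactly the precondition the classic attack needs, which is why the header check is the first thing to run against any page with a sensitive one-click action.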
Zusammenfassung (German summary, translated)

UI Redressing (UIR) describes an extensive set of attacks that can be used to circumvent browser-based security mechanisms such as sandboxing and the Same-Origin Policy. As a rule, an attacker wants to make the victim perform actions that lie outside of the intended context, using social engineering techniques in combination with invisible elements and hijacked trustworthy events. The set of attacks includes techniques such as manipulating the mouse cursor, stealing touch gestures, and maliciously reusing keyboard input. In 2008, clickjacking was presented as the first UIR attack; it allowed an attacker to obtain automatic access to the victim's camera and microphone after a few hijacked mouse clicks within a Flash-based browser game.

In this thesis, the fundamentals, attacks, and countermeasures of UIR are analyzed in detail. In addition to known attacks, new research results, for example from case studies on new UIR attacks, are discussed.

As an important contribution to the fundamentals of UIR, the first extensive investigation of the targets of UIR attacks is presented. In this thesis these targets are called trustworthy events, so that they can be distinguished from the Web security concept of trusted events. Based on these investigations, the concept of trusted events could be outwitted and three new variants of UIR attacks with minimized visibility were introduced. Furthermore, an empirical study of the DOM-based Same-Origin Policy, presumably the most important security mechanism of Web applications, is described. Its aim of separating content from different origins can be circumvented with the help of trustworthy events. For this reason, an extensive investigation of this target of UIR attacks was carried out.

With regard to the contributions to UIR attacks, this thesis describes novel drag-and-drop attack variants, masking with the help of SVGs, tabnabbing and the redressing of named windows, scriptless attacks for stealing keyboard input, and, among others, browserless attacks on Android systems that are based on tapjacking. As contributions to UIR countermeasures, prevention mechanisms against the manipulation of browser windows, JSAgents as a practical alternative to Content Security Policy, and browserless defense mechanisms against tapjacking are presented.

Contents

Part I. Thesis Introduction
1. Outline, Contributions, and Publications
   1.1. Thesis Outline and Contributions
   1.2. Publications
Part II. UI Redressing Fundamentals
2. Previously Known Fundamentals
   2.1. Hypertext Transfer Protocol
   2.2. Transport Layer Security
   2.3. Languages
   2.4. Other Attack Techniques
   2.5. Cursor
3. Thesis Contributions to Fundamentals
   3.1. UI Redressing and Trustworthy Events
   3.2. Same-Origin Policy: Evaluation in Modern Browsers
Part III. UI Redressing Attacks
4. Previously Known Attacks
   4.1. Classic Clickjacking
   4.2. Likejacking and Sharejacking
   4.3. Cursorjacking
   4.4. Cookiejacking
   4.5. Filejacking
   4.6. Double Clickjacking
   4.7. Nested Clickjacking
   4.8. Drag-and-Drop Operations
   4.9. Strokejacking
   4.10. Other Clickjacking Techniques
5. Thesis Contributions to Attacks
   5.1. Drag-and-Drop Attacks
   5.2. SVG Masking
   5.3. Tabnabbing: Attacking Named Windows
   5.4. Scriptless Attacks: SVG-based Keylogger
   5.5. Browserless Attacks: Tapjacking
   5.6. Study: Router Web Security Evaluation Revisited
Part IV. UI Redressing Defense Mechanisms
6. Previously Known Defense Mechanisms
   6.1. JavaScript-based Frame Buster Overview
   6.2. Frame Busting
   6.3. Randomization to Detect Clickjacking Campaigns
   6.4. X-Frame-Options
   6.5. Content Security Policy
   6.6. NoScript
7. Thesis Contributions to Defenses
   7.1. Spoofing Protection
   7.2. JSAgents: A Practical Alternative to CSP
   7.3. Browserless Tapjacking Defense Mechanisms
Part V. Thesis Final Part
8. Conclusions and Outlook
9. Appendix
10. Bibliography
List of Tables
List of Figures

Part I. Thesis Introduction

1 Outline, Contributions, and Publications

"For being such an underestimated attack, UI redressing produces surprising financial consequences: most notably, it prevents PayPal and other payment processors from embedding 'one-click-pay' buttons in vendors' Web pages. Current browser-built-in countermeasures, aimed at restricting cross-origin document nesting, just can't solve this problem."
Giorgio Maone, InformAction

The current era shows that a company like Alphabet could generate a profit of over $27 billion in 2017 by primarily using Web technologies.[1] This