Our Blog

BlackHat presentation demo vids: SalesForce ClickJacking

Reading time ~2 min

[part 2 in a series of 5 video write-ups from our BlackHat 09 talk, summary here]

Goal

The premise behind this video was that while we are migrating more and more services into the cloud, the front-end through which the services are accessed as well as managed is (in many cases) a web application and we still have not figured out how to write secure web applications reliably. The implication is that business-critical services and infrastructure maybe at risk due to a web developer’s mistake.

To demonstrate this, we show Grossman and Hansen’s well-known Clickjacking attack being implemented against a big player in the SaaS and PaaS markets, SalesForce.

Background

SalesForce’s primary offering is a web-based CRM solution which they manage, and they also provide developers with the ability to write custom applications that run on the Force.com platform. They are a major player in the cloud universe with almost 60 000 customers, revenue over $1 billion and are a member of the S&P 500 index.

They have gone to great lengths to avoid common webapp pitfalls, but even they are susceptible to known attacks as shown in the following video.

Video

Our demonstration of Clickjacking focuses on the editing of a user’s task list, but the principle is easily carried over to any click-based task.

  1. The first 30 seconds of the video show how a regular user would click around the interface in order to remove an item from the list of tasks.
  2. We then persuade the user to visit our evil page which conducts the Clickjacking attack (this is made visible for demonstration purposes by making the SalesForce page slightly visible)
  3. [Insert click bait of choice: punching monkey, dancing pigs etc]
  4. Once the user has followed our trail of clicks, the task has been deleted.

Conclusion

People are starting to rely heavily on cloud-based services but the interface into these services is often a web application. With each new browser version and HTML-feature, web developers must re-examine their apps to determine if the risk has changed, and  our reliance on web interfaces for vital services seems misplaced at best. If a major cloud provider was vulnerable to a well-known attack such as Clickjacking, what hope do the smaller players have?

As if it weren’t already obvious, we note that XSS and CSRF attacks become much more than toy-attacks in a world were everything is controlled via a web-interface.