Binary.com ClickJacking Vulnerability — Exploiting HTML5 Security Features

Are you aware of any (private) bug bounty programs? I would love to get an invite. Please get in touch with me: ameerassadi@protonmail.com

Introduction:

Modern Web Applications nowadays are relaying on a lot of technologies where typical web applications vulnerabilities are hard to find (eg. Clickjacking is an ABC security bug) but bug hunters are always the best!

Binary.com is one of the oldest and most respected names in online binary trading, Using Binary.com, customers can trade currencies, indices, stocks and commodities 24/7.

Binary.com is owned and operated by the Binary Ltd. group of companies. In the UK and Isle of Man, clients trade through Binary (IOM) Ltd. In the European Union (except UK), they trade through Binary (Europe) Ltd and Binary Investments (Europe) Ltd. In the rest of the world, they trade through Binary (C.R.) S.A.

The bug:

While Doing Pentesting/BugHunting I aslo love to test subdomains not only the mine site so i started testing ticktrade.binary.com subdomain and found that’s not protected against clickjacking vulnerability neither with the typical “X-Frame-Options” nor with the JS frame busting technique that means a malicious attacker capable of iframing the whole service and tricking the end-users to perform unwanted actions!

So I have Reported this vulnerability to Binary.com with this PoC:

<html>
<body>
<iframe src="https://ticktrade.binary.com/" width=600 height=400>
<p>Your browser does not support iframes.</p>
</iframe>
</body>
</html>

then i got this reply from security team in the same day

and after two day’s i received reply that the issue has been fixed.

i’m always love to bypass the resolved issue, now comes the fun bit.

i started looking how the security team fixed this vulnerability i mean if the vulnerability patched by adding X-Frame-Options or using JS frame busting technique and got it, the team uses JS frame busting technique to patch this vulnerability so let’s see how i bypassed this patch by Exploiting HTML5 Security Features Sandboxed Iframes

What is Sandboxed iframes?

The sandbox attribute enables an extra set of restrictions for the content in the iframe. When the sandbox attribute is present, and it will:

  • Treat the content as being from a unique origin
  • Block form submission
  • block script execution
  • Disable APIs
  • Prevent links from targeting other browsing contexts
  • Prevent content from using plugins through <embed>, <object>, <applet>, or other
  • Prevent the content to navigate its top-level browsing context
  • Block automatically triggered features (such as automatically playing a video or automatically focusing a form control)

Attack Scenario:

Iframing the Settings page or any other sensitive page with a sandboxed iframe to prevent redirecting to top window and allow scripts to be running, fooling the users to do unwanted actions.

the final bypassing PoC:

<html>
<body>
<iframe
sandbox="allow-modals allow-scripts allow-forms allow-popups allow-same-origin"
src="http://ticktrade.binary.com" width=600 height=400>
<p>Bypassed By @AmeerAssadi.</p>
</iframe>
</body>
</html>

Reward:

Binary Security Team rewarded me with a bounty and added my name on there Hall of Fame page, Thanks Binary!

Timeline

  • Monday, 23rd May 2016 — Issue Reported
  • Monday, 23rd May 2016 — Issue Confirmed & Triaged
  • Wednesday, 25th May 2016 — Issue Resolved and team asks me to verify the fix
  • Wednesday, 25th May 2016 — Patch bypass sent
  • Wednesday, 8th June 2016 — Issue Patched