Let's first summarize the basic properties of a clickjacking attack:
- The attacker can load a page from your website in an iframe
- The attacker can have the user perform mouse operations on your webpage, e.g. clicking buttons, dragging and dropping content, etc.
Let's just win the battle
We need to deal with the clickjacking challenge before the page is loaded in an iframe. If the page is never loaded, there is nothing to click or drag and drop in the iframe, and we have removed the cause of clickjacking attacks as we know them today. The script battle ends.
Fortunately, since the latest release of Firefox, all the major browsers (IE8, Safari, Opera, Firefox, Chrome) support a countermeasure specifically targeting clickjacking attempts: the X-Frame-Options HTTP header. This header instructs the browser whether a page can be included in a frame or not and takes the following form:
X-Frame-Options: sameorigin | deny
The sameorigin setting will allow framing of pages on the same domain — the deny setting will completely disable framing of a page. The nifty property of this countermeasure is that the browser itself will refuse to even load the page that's being framed — the battle of clever scripts is completely avoided.
So, check out the X-Frame-Options header and enable it for your site ASAP. Read more about it here.
Note: If other sites legitimately need to load your pages in frames, X-Frame-Options will only cause problems for you.
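As an added illustration (not code from the original post), the following checker models how the header is interpreted when auditing a site's responses. Note that the header name must be spelled exactly X-Frame-Options: a misspelling such as "X-Frames-Options" is silently ignored by browsers and leaves the page framable, which is the kind of mistake this check is meant to catch. The function names (frame_policy, audit) and the sample responses are constructed for this example; treating an unrecognised value as unprotected is an audit policy chosen here, not a description of any particular browser.

```python
"""Audit HTTP response headers for an effective X-Frame-Options policy."""
from typing import Mapping


def frame_policy(headers: Mapping[str, str]) -> dict:
    """Classify the framing policy expressed by a set of response headers.

    Returns a dict with:
      cross_site_framable - True if a page on another site could embed this
                            response in a frame (the clickjacking precondition)
      reason              - short explanation a reviewer can act on

    Header names are compared case-insensitively, as HTTP requires, but must
    otherwise match exactly; near-miss names are reported as misspellings.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("x-frame-options")

    if value is None:
        # No exact match: look for a header that was probably meant to be it.
        near_miss = [name for name in headers if "frame" in name.lower()]
        if near_miss:
            return {
                "cross_site_framable": True,
                "reason": f"header misspelt ({near_miss[0]}); browsers ignore it",
            }
        return {"cross_site_framable": True, "reason": "no X-Frame-Options header"}

    normalized = value.strip().upper()  # values are case-insensitive
    if normalized == "DENY":
        return {"cross_site_framable": False, "reason": "DENY: never framed"}
    if normalized == "SAMEORIGIN":
        return {
            "cross_site_framable": False,
            "reason": "SAMEORIGIN: framed only by same-origin pages",
        }
    # Audit policy for this example: anything else counts as unprotected.
    return {
        "cross_site_framable": True,
        "reason": f"unrecognised value {value!r}; treat as unprotected",
    }


# Constructed sample responses for the example; not captured from any real site.
SAMPLES = {
    "no-header": {"Content-Type": "text/html"},
    "misspelt": {"X-Frames-Options": "deny"},  # easy typo, silently ignored
    "lowercase": {"x-frame-options": "sameorigin"},
    "deny": {"X-Frame-Options": "DENY"},
    "garbage": {"X-Frame-Options": "allowall"},
}


def audit(samples: Mapping[str, Mapping[str, str]] = SAMPLES) -> dict:
    """Run frame_policy over a set of named responses."""
    return {name: frame_policy(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        flag = "FRAMABLE " if result["cross_site_framable"] else "protected"
        print(f"{name:10} {flag}  {result['reason']}")
```

Running the script lists which of the constructed responses would still be embeddable by a third-party page; in a real audit you would feed it the headers captured from your own site and expect only "protected" lines for pages that carry clickable actions.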
Why the battle's not won tomorrow
Unfortunately, not all users are running an up-to-date browser; in fact, many users cannot upgrade their browser, as their employers are calling the shots on which versions to run in their corporate network. I experienced this when we made breaking changes for older web browsers in a web application at my employer. The users that experienced the most problems were the ones who were forced to use IE6 at work. Many of them reported that everything worked as expected from their computer at home. As a side note, the change was introduced only months before IE6 was EOL, so the issues should not have come as a complete surprise for the corporations running IE6.
We should urge both organizations and users to keep their browsers updated. Many modern attacks target the browser, and security on the web is now pretty much a function of both server side and client side security measures.
Preparing to win
The HTTP header approach is the preferred clickjacking countermeasure because it addresses the root cause of the vulnerability. In addition, it is much easier to deploy to new, old and legacy systems alike, as it can easily be "wrapped" around existing web applications through web server configuration.
To enable the X-Frame-Options header in IIS, go to the HTTP Headers section of your site config:
**UPDATE**: If you run an ASP.NET application on IIS7, you can also do this in web.config.
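As an added example (not taken from the original post), this is the web.config fragment that makes IIS7 add the header to every response of the application; the SAMEORIGIN value is chosen to match the Apache line below, and DENY is the stricter choice when nothing legitimately frames your pages. The `remove` element is included so the header is not emitted twice if it was also configured in IIS Manager.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop any inherited copy first to avoid sending the header twice -->
        <remove name="X-Frame-Options" />
        <!-- Sent with every response IIS serves for this application -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

After deploying, confirm the header is actually present in a response from the site (for example with your browser's developer tools), since a typo in the name is silently ignored by browsers.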
In Apache you can achieve the same thing by adding the following to your config file (httpd.conf or .htaccess, whichever you have access to); it requires the mod_headers module:
Header set X-Frame-Options "sameorigin"
Enable the header and make the world a safer place!