Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Nov 12, 2010

Defeating Clickjacking

The clickjacking vulnerability is receiving an increasing amount of attention. There has been some interesting advances in exploitation techniques, as explained in this video: Next generation clickjacking by Paul Stone at the Blackhat Europe 2010 security conference.

Let's first summarize the basic properties of a clickjacking attack:
  1. The attacker can load a page from your website in an iframe
  2. The attacker can have the user perform mouse operations on your webpage, i.e. clicking buttons, dragging and dropping content etc.
If we can prevent a webpage from being embedded in an iFrame, the clickjacking vulnerability will be mitigated. Framebusting is the traditional approach to prevent clickjacking attacks — a javascript embedded in a webpage to detect framing and try to "bust out" of the frame.  However, a recent study by researchers at Stanford summarizes common framebusting efforts and concludes that framebusting fails to mitigate the risk.

Framebusting is by design a reactive measure, ineffective until the browser is already loading the page in an iframe. This gives the attacker the upper hand! You'll have to put your framebusting script out there on the web, giving an attacker plenty of time to figure out a way to detronize your script. This battle of clever scripts between the good guys and bad guys can probably go on forever.  That's why we want to thwart this attack by design, not through implementation.

Let's just win the battle
We need to deal with clickjacking challenge before the page is loaded in an iFrame. This means that if there's nothing to click, or drag n' drop in the iFrame, we have removed the cause of the clickjacking attacks as we know them today.  The script battle ends.

Fortunately, since the latest release of Firefox, all the major browsers (IE8, Safari, Opera, Firefox, Chrome) support a countermeasure specifically targeting clickjacking attempts:  The X-Frame-Options HTTP header. This header instructs the browser whether a page can be included in a frame or not and takes the following form:

X-Frame-Options: sameorigin | deny

The sameorigin setting will allow framing of pages on the same domain — the deny setting will completely disable framing of a page. The nifty property of this countermeasure is that the browser itself will refuse to even load the page that's being framed — the battle of clever scripts is completely avoided.

So, check out the X-Frame-Options header and enable it for your site ASAP. Read more about it here.

Note: If you are dependent on other sites loading your pages in frames, X-Frame-Options will only cause problems for you.

Why the battle's not won tomorrow
Unfortunately, not all users are running an up to date browser — in fact, many users cannot upgrade their browser, as their employers are calling the shots on which versions to run in their corporate network. I experienced this when we made breaking changes for older web browsers in a web application at my employer. The users that experienced the most problems where the one's who where forced to use IE6 at work. Many of them reported that everything worked as expected from their computer at home. As a sidenote, the change was introduced only months before IE6 was EOL, so the issues should not have come as a complete surprise for the corporations running IE6.

We should urge both organizations and users to keep their browsers updated. Many modern attacks target the browser, and security on the web is now pretty much a function of both server side and client side security measures.

Preparing to win
The HTTP header approach is the preferred clickjacking countermeasure because it solves the root cause of the vulnerability. In addition, it is much easier to deploy to both new/old/legacy systems as it can easily be "wrapped" around existing web applications through web server configuration.

To enable the X-Frame-options header in IIS, go to the HTTP Headers section of your site config:

**UPDATE**: If you run an ASP.NET application on IIS7, you can also do this in web.config.

In Apache you can achieve the same thing by adding the following to your config file (httpd.conf or .htaccess, whichever you have access to, it requires the mod_headers module):

Header set X-Frame-Options "sameorigin"

Enable the header and make the world a safer place!


  1. X-Frame-Options not X-Frames-Options

    1. Ugh, that was a horrible but consistent typo. Thanks for pointing that out.

  2. كما تقدم المؤسسة خدمة تطهير عفش منزلك خدمة تطهير بيوت بأفضل الأجهزة كخدمات إضافية مع خدمة نقل الأثاث ليتم نقل عفش منزلك بحالة نظافة تامة وبأجود وأفضل ما ترغب في، تتواصل معنا لتبدأ نقل أثاث أثاث منزلك وبأفضل اختيارات النقل المتوفرة وبأقل أسعار مؤسسات النقل، نحاول طول الوقت لتقديم أرقى الخدمات لعملائنا الكرام.
    شركه نقل عفش من الرياض الى ابها
    شركه نقل اثاث من الرياض الى ابها
    شركه نقل عفش

  3. Sample Assignment bestows over the college going students with online assignment help. It is a consultancy possessing academic experts providing a number of subject-specific assignment helps. Marketing assignment help, economics assignment help, MATLAB assignment Help, MySQL assignment help, management assignment help, etc. are a few to name. The assignment help packages that they supply the students with ensure the students receive an HD or a full money back. With their assignment consultation services, the students can learn by exposing themselves to out-of-the-box learning when it comes to module related studies. For the quality of the in-depth research that is conducted before the experts at Sample Assignment lay their hands on a specific assignment, the prices are kept very close to the ground while the company has its head touching the sky. They offer services in Essays, CDRs, Resumes, Thesis, Research Proposals, Research Papers, Dissertations, etc. Be it any of the above, they provide ready to study from assignment solutions to the students who work-save in order to pay for the service and the online assignment services provider works on the motive of giving out value for every coin a particular student pays for the online assignment help Australia. With their Partial Payment and the optional feature of Countless Revisions, they have earned themselves two consecutive years of recognition.




  4. it seems really amazing. i would really like to know more about it.

  5. Here we provide the all latest exams results notifications and job alerts in our website. Its is a best platform for students and those who are searching for sarkari job notification directly visit our site to get job notification,admit card,syllabus,answer key, results at latest exam result site .

  6. This article makes life happy, bright and gives good ideas.
    Sa gaming สมัคร

  7. https://hmzapc.com/purevpn-torrent-downloass/
    This is so great I don’t need to make any revisions to it at all.

  8. https://crackchkey.com/spyhunter-5-crack/
    You are so creative—I always love getting your perspective on things.

  9. I think this is one of the great posts on this topic. This post is really great, very efficiently written information. Keep up the good work and keep us sharing these kinds of informative posts with us. I will also try to check out your other posts.
    Full-Stack Developer
    App development
    Front End Developer
    Virtual Employee

  10. https://cracksray.com/quarkxpress-crack/

    QuarkXPress allows the user to deliver responsive web designs without the need for coding. Flex Layouts do not require any coding skills.

  11. https://zsactivatorskey.com/alfa-ebooks-manager-pro-crack/

    Alfa eBooks Manager Pro delivers customized features with better color schemes and themes. Also, it performs the scanning of the system automatically.

  12. https://cskeygen.com/wifi-password-hacker/

    WiFi Password Generator allows us to hack all networks with the latest technologies like WPA2. It is available as gadgets in different mobiles.

  13. https://cracksad.com/cobra-driver-pack-crack/

    Cobra Driver Pack does not require any special hardware requirements. After downloading the setup, you can install it easily without any issue.

  14. https://crackdad.com/final-cut-pro-x-crack/

    Final Cut Pro X provides you with all the basics features you need to create your movies along with a wide range of extra features that can make your movies even better.

  15. https://zayanpc.com/reimage-pc-repair-crack/

    Reimage PC Repair has a robust malware cancellation mechanism. It makes sure that the User can repair any entity which is threatening the optimal functioning of the system. It cleans and replaces any erroneous files for the speed of the system to enhance.

  16. Clickjacking is a technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages. This activity is negative, and we should avoid from such kind of activities. Dissertation writing services.

  17. 3DMark Crack
    3DMark Crack is a custom software of benchmarking for a Mac system. Produce through the Future Mark company. It also looks at the appearance of 3D graphics processing of a Pc.

  18. Unity Pro Crack
    Unity Pro Crack is the best game developing tool for android and other PC games. Therefore, this tool used for the developer to make 2D and 3D games.

  19. Tableau Desktop Crack
    Tableau Desktop Crack is a popular source for news and updates in the world. And you can use to create a report of your data there also, this is a much useful tool that use this app to manage all kind of statistic there.

  20. NordVPN Crack
    NordVPN Crack Is fulfills all online data-security software that has millions of downloads. While, for online stability functions, NordVPN may be the best option. Also, it includes improved rates and performance compared to the other players.

  21. TeraCopy Pro Crack
    TeraCopy Pro Crack is a compact software tool that specially designed to copy and moves files. Therefore, this tool uses to skip the dangerous files and also copy the skipped files. In addition, this tool uses to work the crack files and free form in our software library.

  22. VueScan Crack
    VueScan Crack is just one of the most wanted scanner tool that allows you to get a higher quality of the image with a lot of option. Therefore, this tool has a greater chance that use to enhance the option in the feature.

  23. I am very impressed with your post because this post is very beneficial for me and provide new knowledge to me

    Proxifier Crack

  24. Very great post which I really enjoy reading this and it is not everyday that I have the possibility to see something like this. Thank You.
    Best Online Data Science Courses

  25. Pleasant data. I've bookmarked your site, and I'm adding your RSS channels to my Google record to get refreshes right away.

    QuarkXPress Crack

  26. Lovely information. I've bookmarked your site, and I'm adding your RSS channels to my Google record to move invigorates immediately.

    QuarkXPress Crack


  27. I am very happy to read this article. Thanks for giving us Amazing info. Fantastic post.
    Thanks For Sharing such an informative article, Im taking your feed also, Thanks.unity pro crack

  28. her latest blog this content my review here official site click this link now these details

  29. 168galaxy เว็บไซต์รวม สล็อต ทุกค่าย ฝาก ถอน ไม่มีอย่างต่ำเป็นเว็บไซต์ที่ให้บริการเกมค่าย pg slot เว็บไซต์ตรง แล้วก็เป็นแหล่งรวมค่าย สล็อตใหญ่ที่สุดในประเทศ และมาแรงที่สุด

  30. โปรโมชั่น pg slot มากมาย เล่นง่ายจ่ายจริง แตกจริง ต้อง PG-สล็อต เท่านั้น! เล่นสล็อต พีจีสล็อต เว็บไซต์ตรงผู้ให้บริการเกมสล็อตออนไลน์ชั้นหนึ่ง ทกลอง เล่น ฟรี พร้อมโบนัส


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts