Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Nov 12, 2010

Defeating Clickjacking

The clickjacking vulnerability is receiving an increasing amount of attention. There has been some interesting advances in exploitation techniques, as explained in this video: Next generation clickjacking by Paul Stone at the Blackhat Europe 2010 security conference.

Let's first summarize the basic properties of a clickjacking attack:
  1. The attacker can load a page from your website in an iframe
  2. The attacker can have the user perform mouse operations on your webpage, i.e. clicking buttons, dragging and dropping content etc.
If we can prevent a webpage from being embedded in an iFrame, the clickjacking vulnerability will be mitigated. Framebusting is the traditional approach to prevent clickjacking attacks — a javascript embedded in a webpage to detect framing and try to "bust out" of the frame.  However, a recent study by researchers at Stanford summarizes common framebusting efforts and concludes that framebusting fails to mitigate the risk.


Framebusting is by design a reactive measure, ineffective until the browser is already loading the page in an iframe. This gives the attacker the upper hand! You'll have to put your framebusting script out there on the web, giving an attacker plenty of time to figure out a way to detronize your script. This battle of clever scripts between the good guys and bad guys can probably go on forever.  That's why we want to thwart this attack by design, not through implementation.

Let's just win the battle
We need to deal with clickjacking challenge before the page is loaded in an iFrame. This means that if there's nothing to click, or drag n' drop in the iFrame, we have removed the cause of the clickjacking attacks as we know them today.  The script battle ends.

Fortunately, since the latest release of Firefox, all the major browsers (IE8, Safari, Opera, Firefox, Chrome) support a countermeasure specifically targeting clickjacking attempts:  The X-Frame-Options HTTP header. This header instructs the browser whether a page can be included in a frame or not and takes the following form:

X-Frame-Options: sameorigin | deny

The sameorigin setting will allow framing of pages on the same domain — the deny setting will completely disable framing of a page. The nifty property of this countermeasure is that the browser itself will refuse to even load the page that's being framed — the battle of clever scripts is completely avoided.

So, check out the X-Frame-Options header and enable it for your site ASAP. Read more about it here.

Note: If you are dependent on other sites loading your pages in frames, X-Frame-Options will only cause problems for you.

Why the battle's not won tomorrow
Unfortunately, not all users are running an up to date browser — in fact, many users cannot upgrade their browser, as their employers are calling the shots on which versions to run in their corporate network. I experienced this when we made breaking changes for older web browsers in a web application at my employer. The users that experienced the most problems where the one's who where forced to use IE6 at work. Many of them reported that everything worked as expected from their computer at home. As a sidenote, the change was introduced only months before IE6 was EOL, so the issues should not have come as a complete surprise for the corporations running IE6.

We should urge both organizations and users to keep their browsers updated. Many modern attacks target the browser, and security on the web is now pretty much a function of both server side and client side security measures.

Preparing to win
The HTTP header approach is the preferred clickjacking countermeasure because it solves the root cause of the vulnerability. In addition, it is much easier to deploy to both new/old/legacy systems as it can easily be "wrapped" around existing web applications through web server configuration.

To enable the X-Frame-options header in IIS, go to the HTTP Headers section of your site config:




**UPDATE**: If you run an ASP.NET application on IIS7, you can also do this in web.config.

In Apache you can achieve the same thing by adding the following to your config file (httpd.conf or .htaccess, whichever you have access to, it requires the mod_headers module):

Header set X-Frame-Options "sameorigin"

Enable the header and make the world a safer place!

16 comments:

  1. X-Frame-Options not X-Frames-Options

    ReplyDelete
    Replies
    1. Ugh, that was a horrible but consistent typo. Thanks for pointing that out.

      Delete
  2. كما تقدم المؤسسة خدمة تطهير عفش منزلك خدمة تطهير بيوت بأفضل الأجهزة كخدمات إضافية مع خدمة نقل الأثاث ليتم نقل عفش منزلك بحالة نظافة تامة وبأجود وأفضل ما ترغب في، تتواصل معنا لتبدأ نقل أثاث أثاث منزلك وبأفضل اختيارات النقل المتوفرة وبأقل أسعار مؤسسات النقل، نحاول طول الوقت لتقديم أرقى الخدمات لعملائنا الكرام.
    شركه نقل عفش من الرياض الى ابها
    شركه نقل اثاث من الرياض الى ابها
    شركه نقل عفش

    ReplyDelete
  3. Sample Assignment bestows over the college going students with online assignment help. It is a consultancy possessing academic experts providing a number of subject-specific assignment helps. Marketing assignment help, economics assignment help, MATLAB assignment Help, MySQL assignment help, management assignment help, etc. are a few to name. The assignment help packages that they supply the students with ensure the students receive an HD or a full money back. With their assignment consultation services, the students can learn by exposing themselves to out-of-the-box learning when it comes to module related studies. For the quality of the in-depth research that is conducted before the experts at Sample Assignment lay their hands on a specific assignment, the prices are kept very close to the ground while the company has its head touching the sky. They offer services in Essays, CDRs, Resumes, Thesis, Research Proposals, Research Papers, Dissertations, etc. Be it any of the above, they provide ready to study from assignment solutions to the students who work-save in order to pay for the service and the online assignment services provider works on the motive of giving out value for every coin a particular student pays for the online assignment help Australia. With their Partial Payment and the optional feature of Countless Revisions, they have earned themselves two consecutive years of recognition.

     

     

     

    ReplyDelete
  4. "Insightful" is the perfect word to describe this wonderful writing of yours. The artistic blend of this subject with your tone of writing made this a great read. Much love 😘.
    How to bottom

    ReplyDelete
  5. When we are providing Cheap Term Paper Service, we care about the career of all our clients. With any Custom Research Papers Services that student requests from us, we have to use all the relevant resources that we have to write a quality paper and one that demonstrates an excellent understanding of the topic.

    ReplyDelete
  6. it seems really amazing. i would really like to know more about it.

    ReplyDelete

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts