Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Nov 12, 2010

Defeating Clickjacking

The clickjacking vulnerability is receiving an increasing amount of attention. There has been some interesting advances in exploitation techniques, as explained in this video: Next generation clickjacking by Paul Stone at the Blackhat Europe 2010 security conference.

Let's first summarize the basic properties of a clickjacking attack:
  1. The attacker can load a page from your website in an iframe
  2. The attacker can have the user perform mouse operations on your webpage, i.e. clicking buttons, dragging and dropping content etc.
If we can prevent a webpage from being embedded in an iFrame, the clickjacking vulnerability will be mitigated. Framebusting is the traditional approach to prevent clickjacking attacks — a javascript embedded in a webpage to detect framing and try to "bust out" of the frame.  However, a recent study by researchers at Stanford summarizes common framebusting efforts and concludes that framebusting fails to mitigate the risk.

Framebusting is by design a reactive measure, ineffective until the browser is already loading the page in an iframe. This gives the attacker the upper hand! You'll have to put your framebusting script out there on the web, giving an attacker plenty of time to figure out a way to detronize your script. This battle of clever scripts between the good guys and bad guys can probably go on forever.  That's why we want to thwart this attack by design, not through implementation.

Let's just win the battle
We need to deal with clickjacking challenge before the page is loaded in an iFrame. This means that if there's nothing to click, or drag n' drop in the iFrame, we have removed the cause of the clickjacking attacks as we know them today.  The script battle ends.

Fortunately, since the latest release of Firefox, all the major browsers (IE8, Safari, Opera, Firefox, Chrome) support a countermeasure specifically targeting clickjacking attempts:  The X-Frame-Options HTTP header. This header instructs the browser whether a page can be included in a frame or not and takes the following form:

X-Frame-Options: sameorigin | deny

The sameorigin setting will allow framing of pages on the same domain — the deny setting will completely disable framing of a page. The nifty property of this countermeasure is that the browser itself will refuse to even load the page that's being framed — the battle of clever scripts is completely avoided.

So, check out the X-Frame-Options header and enable it for your site ASAP. Read more about it here.

Note: If you are dependent on other sites loading your pages in frames, X-Frame-Options will only cause problems for you.

Why the battle's not won tomorrow
Unfortunately, not all users are running an up to date browser — in fact, many users cannot upgrade their browser, as their employers are calling the shots on which versions to run in their corporate network. I experienced this when we made breaking changes for older web browsers in a web application at my employer. The users that experienced the most problems where the one's who where forced to use IE6 at work. Many of them reported that everything worked as expected from their computer at home. As a sidenote, the change was introduced only months before IE6 was EOL, so the issues should not have come as a complete surprise for the corporations running IE6.

We should urge both organizations and users to keep their browsers updated. Many modern attacks target the browser, and security on the web is now pretty much a function of both server side and client side security measures.

Preparing to win
The HTTP header approach is the preferred clickjacking countermeasure because it solves the root cause of the vulnerability. In addition, it is much easier to deploy to both new/old/legacy systems as it can easily be "wrapped" around existing web applications through web server configuration.

To enable the X-Frame-options header in IIS, go to the HTTP Headers section of your site config:

**UPDATE**: If you run an ASP.NET application on IIS7, you can also do this in web.config.

In Apache you can achieve the same thing by adding the following to your config file (httpd.conf or .htaccess, whichever you have access to, it requires the mod_headers module):

Header set X-Frame-Options "sameorigin"

Enable the header and make the world a safer place!


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts