Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Nov 22, 2010

Who framed Roger Badbit?

I recently blogged how to mitigate the clickjacking vulnerability with the X-Frames-Options HTTP header. Then XSS-track came to my attention, so I figured it would be a good idea to blog more in general about attacks employing frames. A general post mandates a general and catchy title (you have to agree that it is).

First, a few comments on the idea behind XSS-Track. In general, an XSS vulnerability lets you inject script into a particular webpage. If the user navigates away from this page, you've "lost" her. XSS-track injects script to load the attacked website in an iframe, which then becomes the user's view of the website. The user is left navigating the website in the iframe, which means that the XSS script survives in the parent page — a very elegant trick. By owning one vulnerable page, the clever attacker can gain access to all pages the user visits during a session on the targeted website.

Now to more general considerations on attacks that load your site in an iframe, and how the X-Frames-Options HTTP header can help.

Browser security
The same origin policy is a fundamental building block in client side web security — a browser will completely isolate content and scripts downloaded from one domain from content fetched from other domains. At least, this is the general idea. There are some subtle implementation differences across browsers, but by and large they act the same. If you're able to circumvent this protection you have an attack and should tell the world about it! Remember, tell the browser vendors first.

Frame based attacks
Here are the different categories of attacks using frames, ordered by how effectively they circumvent the same origin policy:
  1. The least severe attack is when someone frames your website and tracks the user's movements from a domain different than yours. This is a privacy issue, the attacker (usually) cannot perform any actions on behalf of the user, nor can she extract any personal information from the webpages themselves. This is not a circumvention of the same origin policy.
  2. Next we have the clickjacking attack, which is a client side attack to lure the user into generating one or more clicks on a webpage. This is a WYSINWYT (What You See Is Not What You Think) attack capitalizing on the user to work around the same origin policy.
  3. Finally, the XSS-track approach is not bound by the same origin policy as the script is served from the attacked page itself. This gives you full programmatic freedom. Consequently, attacks can be performed without user intervention on a webpage.
The cure
To reduce risk, you should set up your site to be secure by default. This essentially means to completely disable framing of your pages, mitigating all three categories of attacks:

X-Frames-Options: deny

If you have certain pages that need to be framed on your site, try to configure only these pages to run with:

X-Frames-Options: sameorigin

This is a security/functionality tradeoff. The sameorigin setting will mitigate the first two categories of attacks but not the third and most powerful category.

You'll find examples on how to enable the X-Frames-Options header globally for your website in my previous blog post.

So, don't be Roger Badbit. Enable X-Frames-Options for your site now — or you might end up as Roger Badbeat.*

* I had to follow up on the title. I'm sorry.

17 comments:

  1. You should examine this blog article for some info on how to write interesting MLA style essay. Be sure to do this as soon as possible

    ReplyDelete
  2. We've heard that the iPhone XI Max will have a 5.8-inch display, just like the iPhone XS, but with smaller bezels, and that it won't support 5G

    ReplyDelete
  3. Our Digital Marketing Services also come in convenient, ready-to-buy packages with clearly identified deliverable. Check out our SEO Services, PPC Services and SMO Services or Call us at: – +917065557774 , +917065557724 to discuss a customized plan to meet you precise Business Needs.

    ReplyDelete
  4. If you are finding any skill development course so you can join a Digital Marketing Course and improve your skill.

    ReplyDelete
  5. Aeiforia Architects is consulting people on design and architecture. So, if you need any kind of help in designing and architecture. Contact us. We will be giving you the best advice to help you in designing your building. corporate interior designers architects in delhi

    ReplyDelete
  6. Latest Exam Result have represented the web portal by which anyone can get the latest information about any government jobs as per their needs. Basically, we are working for your best future. here, you can search the latest information such as CTET admit card 2020, UPTET result 2020, Up Police, IBPS Exam 2020, govt jobs, SSC, Banking, IBPS Clerk and so on. our main responsibilities are providing you with the actual information about the central govt. jobs and state-based jobs. You also find 10th, 12th based job. If you want to know more then please visit our website.

    ReplyDelete
  7. The ultimate article. Thank you for writing a good article to read.
    Sa gaming สมัคร

    ReplyDelete
  8. Wow, Great information shared. I appreciate the persistence you put into your website and detailed information you provided.
    Offshore Software Development
    seo india
    india seo service company
    Hire Data Scientists

    ReplyDelete
  9. We find from our case studies that, Coach Outlet Store in spite of the Coach Outlet uncertainty involved, Ray Ban Outlet some 'principles' derived from parts of the literature on complexity theory may provide a helpful framework for the development of more robust preparedness strategies in the health and social care sector. Yeezy Discount By viewing health and social care as a 'system of systems', adaptation planning recognises the interrelationships of built, institutional and social infrastructures. The idea Ray Ban Glasses of local systems, with variable, path dependent New Jordan Shoes 2020 attributes, which are Yeezy Boost 350 partially closed, but permeable to other parts of the wider network, leads to an actionable model of Coach Handbags Clearance adaptation which emphasises the potential value of local self organisation, but also underlines the importance of co evolution across the wider system and the vital role of national initiatives and support for adaptation strategies.

    ReplyDelete
  10. This information is very useful for new bloggers and through this, they can improve their online business and earn a lot of money. This is a special content for inexperienced bloggers, and they can get positive result. Assignment writing services.

    ReplyDelete
  11. Genuvenue is the best Event Planner in Alberta ". We provide many types of event service like Wedding Event, Photoshoot Event, and Birthday Parties Event.

    ReplyDelete
  12. The GoodWood is one of the most famous Interior Designer in Noida ". The Goodwood offers a wide range of interior designing services for your Home, Office, and Shop.

    ReplyDelete
  13. pgslot เว็บ ตรง มาตราฐานระบบสากล เกมสล็อตออนไลน์แบบเรียลไทม์ PG SLOT เว็บหลัก ผู้เล่นสามารถเดิมพันสล็อตกับผู้เล่นคนอื่นได้พร้อมๆกัน และสามารถแข่งขันทำยอดเทิร์น

    ReplyDelete
  14. เล่น pgslot สำหรับมือใหม่ เป็นเว็บไซต์สล็อตออนไลน์ที่มีความน่าเชื่อถือและความปลอดภัยสูง ด้วยระบบการเงินที่ใช้งานอย่างมีประสิทธิภาพ PGSLOT ทำให้ผู้เล่นสามารถชำระเงินได้สะดวกและรวดเร็ว

    ReplyDelete
  15. ทดลอง เล่น สล็อตxo  เกมสล็อตออนไลน์ยอดฮิตชั้น 1 ของทวีปเอเชีย พร้อมระบบฝากถอนอัตโนมัติตลอด1วันพร้อมทั้งประสบการณ์การเล่นเกมสล็อตรูปแบบใหม่ที่ pg slot อยากมอบให้ทุกท่านเล่น

    ReplyDelete

Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.

Read other popular posts