Four researchers from Stanford and Carnegie Mellon outlined how frame busting, a protection meant to defeat clickjacking, can be circumvented on Twitter and other popular sites.
New research has found a common defense used by Websites to prevent clickjacking attacks can be broken.
Clickjacking uses malicious
to take control of a Web surfer's clicks and hijack their Web session.
The term clickjacking was first used in 2008 by WhiteHat Security CTO
Jeremiah Grossman and Robert "RSnake" Hansen, CEO of SecTheory. In
order to combat the attack, Websites instituted techniques known as
frame busting, which prevent a site from running when it is loaded
inside a frame.
According to researchers
(PDF) from Stanford University and Carnegie Mellon University,
frame-busting isn't as effective at preventing clickjacking as hoped.
An analysis of the Top 500 Websites ranked by Alexa found all of the
frame busting implementations could be circumvented. Some of the
circumventions were browser-specific, while others worked across all
browsers, the researchers found.
"We used known techniques and came up with some basic ones
ourselves," Stanford researcher and report co-author Gustav Rydstedt
told eWEEK. "When sites had non-generic, personalized, solutions we
crafted some specific site circumvention, such as the Facebook example
in the paper. It was more difficult finding all the frame busting due to obfuscation/packing
than it was to actually break them."
Twitter had the best system in place during the study, he said.
"They had a series of back-up checks to make sure their frame
busting attempt was successful," he added. "Unfortunately, Twitter did
not frame bust their mobile site and was (and still is) vulnerable to
the XSS filter attacks we outline in the paper. Facebook's dark layer
is an elegant variant that has suffered from some growing pains."
Collin Jackson, a researcher from Carnegie Mellon and another of the
report's four authors, said Facebook has a semitransparent layer
defense that provides some nice improvements on basic frame
busting, and the flaw they found has been fixed.
Though frame busting can be defeated, there are other ways to fight
clickjacking, such as X-FRAMES OPTIONS, an HTTP header sent on HTTP
"This header can have two different values: DENY and SAMEORIGIN.
When DENY is provided, IE 8 will not render the requested site within a
frame context," the authors wrote. "If the value SAMEORIGIN is used, IE
will block the page only if the origin of the top
level-browsing-context is different from the origin of the content
containing the directive."
This approach has its drawbacks. For example, the current
implementation does not allow the webmaster to provide a whitelist of
domains that are allowed to frame the page, the researchers noted.
Another solution the researchers propose is Mozilla's Content
Security Policy (CSP) initiative, which provides Web developers with a
way to specify how content interacts on their Websites.
"CSP has nice support for whitelisting, but it is still in beta at
this point," Rydstedt said. "The referrer can be used to do
whitelisting, but should be used with caution. Implementers need to
make sure their regular expressions are correct and realize that the
referrer header is not always there and react in a reasonable manner if
such is the case."
are doing the right thing by supporting X-FRAMES-OPTIONS and
introducing new ideas such a CSP," he continued. "Site owners should
well. Our paper has a proposed solution that can be used for
inspiration, but it's important to understand that this solution could
be broken tomorrow or today perhaps."