New research has found a common defense used by Websites to prevent clickjacking attacks can be broken.
Clickjacking uses malicious iframes to take control of a Web surfer’s clicks and hijack their Web session. The term clickjacking was first used in 2008 by WhiteHat Security CTO Jeremiah Grossman and Robert “RSnake” Hansen, CEO of SecTheory. In order to combat the attack, Websites instituted techniques known as frame busting, which prevent a site from running when it is loaded inside a frame.
According to researchers (PDF) from Stanford University and Carnegie Mellon University, frame-busting isn’t as effective at preventing clickjacking as hoped. An analysis of the Top 500 Websites ranked by Alexa found all of the frame busting implementations could be circumvented. Some of the circumventions were browser-specific, while others worked across all browsers, the researchers found.
“We used known techniques and came up with some basic ones ourselves,” Stanford researcher and report co-author Gustav Rydstedt told eWEEK. “When sites had non-generic, personalized, solutions we crafted some specific site circumvention, such as the Facebook example in the paper. It was more difficult finding all the frame busting due to obfuscation/packing than it was to actually break them.”
Twitter had the best system in place during the study, he said.
“They had a series of back-up checks to make sure their frame busting attempt was successful,” he added. “Unfortunately, Twitter did not frame bust their mobile site and was (and still is) vulnerable to the XSS filter attacks we outline in the paper. Facebook’s dark layer is an elegant variant that has suffered from some growing pains.”
Collin Jackson, a researcher from Carnegie Mellon and another of the report’s four authors, said Facebook has a semitransparent layer defense that provides some nice improvements on basic frame busting, and the flaw they found has been fixed.
Though frame busting can be defeated, there are other ways to fight clickjacking, such as X-FRAMES OPTIONS, an HTTP header sent on HTTP responses.
“This header can have two different values: DENY and SAMEORIGIN. When DENY is provided, IE 8 will not render the requested site within a frame context,” the authors wrote. “If the value SAMEORIGIN is used, IE will block the page only if the origin of the top level-browsing-context is different from the origin of the content containing the directive.”
This approach has its drawbacks. For example, the current implementation does not allow the webmaster to provide a whitelist of domains that are allowed to frame the page, the researchers noted.
Another solution the researchers propose is Mozilla’s Content Security Policy (CSP) initiative, which provides Web developers with a way to specify how content interacts on their Websites.
“CSP has nice support for whitelisting, but it is still in beta at this point,” Rydstedt said. “The referrer can be used to do whitelisting, but should be used with caution. Implementers need to make sure their regular expressions are correct and realize that the referrer header is not always there and react in a reasonable manner if such is the case.”
“Browser vendors are doing the right thing by supporting X-FRAMES-OPTIONS and introducing new ideas such a CSP,” he continued. “Site owners should use these defenses and, for now, use JavaScript techniques as well. Our paper has a proposed solution that can be used for inspiration, but it’s important to understand that this solution could be broken tomorrow or today perhaps.”