Researchers Beat Clickjacking Defenses of Top Websites | eWeek

Researchers Beat Clickjacking Defenses of Top Websites

Written By
Brian Prince
Brian Prince
May 28, 2010
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

New research has found a common defense used by Websites to prevent clickjacking attacks can be broken.

Clickjacking uses malicious iframes to take control of a Web surfer’s clicks and hijack their Web session. The term clickjacking was first used in 2008 by WhiteHat Security CTO Jeremiah Grossman and Robert “RSnake” Hansen, CEO of SecTheory. In order to combat the attack, Websites instituted techniques known as frame busting, which prevent a site from running when it is loaded inside a frame.

According to researchers (PDF) from Stanford University and Carnegie Mellon University, frame-busting isn’t as effective at preventing clickjacking as hoped. An analysis of the Top 500 Websites ranked by Alexa found all of the frame busting implementations could be circumvented. Some of the circumventions were browser-specific, while others worked across all browsers, the researchers found.

“We used known techniques and came up with some basic ones ourselves,” Stanford researcher and report co-author Gustav Rydstedt told eWEEK. “When sites had non-generic, personalized, solutions we crafted some specific site circumvention, such as the Facebook example in the paper. It was more difficult finding all the frame busting due to obfuscation/packing than it was to actually break them.”

Twitter had the best system in place during the study, he said.

“They had a series of back-up checks to make sure their frame busting attempt was successful,” he added. “Unfortunately, Twitter did not frame bust their mobile site and was (and still is) vulnerable to the XSS filter attacks we outline in the paper. Facebook’s dark layer is an elegant variant that has suffered from some growing pains.”

Collin Jackson, a researcher from Carnegie Mellon and another of the report’s four authors, said Facebook has a semitransparent layer defense that provides some nice improvements on basic frame busting, and the flaw they found has been fixed.

Though frame busting can be defeated, there are other ways to fight clickjacking, such as X-FRAMES OPTIONS, an HTTP header sent on HTTP responses.

“This header can have two different values: DENY and SAMEORIGIN. When DENY is provided, IE 8 will not render the requested site within a frame context,” the authors wrote. “If the value SAMEORIGIN is used, IE will block the page only if the origin of the top level-browsing-context is different from the origin of the content containing the directive.”

This approach has its drawbacks. For example, the current implementation does not allow the webmaster to provide a whitelist of domains that are allowed to frame the page, the researchers noted.

Another solution the researchers propose is Mozilla’s Content Security Policy (CSP) initiative, which provides Web developers with a way to specify how content interacts on their Websites.

“CSP has nice support for whitelisting, but it is still in beta at this point,” Rydstedt said. “The referrer can be used to do whitelisting, but should be used with caution. Implementers need to make sure their regular expressions are correct and realize that the referrer header is not always there and react in a reasonable manner if such is the case.”

Browser vendors are doing the right thing by supporting X-FRAMES-OPTIONS and introducing new ideas such a CSP,” he continued. “Site owners should use these defenses and, for now, use JavaScript techniques as well. Our paper has a proposed solution that can be used for inspiration, but it’s important to understand that this solution could be broken tomorrow or today perhaps.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.