Vulnerabilities / Threats

5/26/2010
07:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Anti-Clickjacking Defenses 'Busted' In Top Websites

New research easily bypasses popular frame-busting technique

Turns out the most common defense against clickjacking and other Web framing attacks is easily broken: Researchers were able to bypass frame-busting methods used by all of the Alexa Top 500 websites.

The new research from Stanford University and Carnegie Mellon University's Silicon Valley campus found that frame-busting, a popular technique that basically stops a website from operating when it's loaded inside a "frame," does not prevent clickjacking. Clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user's Web session.

"There are so many different ways to do frame-busting, and that's a problem with it," says Collin Jackson, one of the lead researchers in the project and assistant research professor at CMU-Silicon Valley. "All it's doing is saying it detects an iFrame, refuses the function, and moves the user to a site where it will function again. Our big observation [in the research] is that it's not sufficient to just move a user into a functional [area]."

Jackson says he had suspected that frame-busting was weak since it was mainly an "ad-hoc" solution. "But we didn't know the magnitude of the problem," he says. "We had trouble finding any sites that were secure against all the attacks we identified."

Gustav Rydstedt, one of the Stanford researchers, says the toughest frame-busting method of all was Twitter's, which had some back-up checks in case its frame-busting defense were to fail.

In an ironic twist, the researchers used a security feature in Internet Explorer and Google Chrome browsers to demonstrate clickjacking attacks against the websites' frame-busting methods, including Twitter's. The cross-site scripting (XSS) filter in the browsers basically tricked the browser into seeing frame-busting as an XSS attack: "You tack it onto the URL ... and the browser says it looks like a URL appearing in a Web page and attempts to block it, so it blocks the frame-busting script from executing," Jackson says.

The frame-busting research on real website defenses further illuminates security industry concerns that today's clickjacking defenses are weak. "Much of the security industry has been of the mind that current clickjacking defenses are easily defeated, so that didn't come as much of a surprise. What I found great about this research was the authors' survey of the strategies sites are currently trying to use in the wild," says Jason Li, principal consultant with Aspect Security.

CMU's Jackson and fellow researchers Rydstedt, Elie Bursztein, and Dan Boneh -- all from Stanford -- say the best defense against clickjacking and related attacks is a JavaScript-based defense using frame-busting JavaScript code they wrote and included in their report, or the NoScript browser plug-in.

The best long-term solution, they say, is to adopt the new X-Frame-Options found in Microsoft's IE 8 and in the latest versions of most browsers. X-Frame-Options, a special HTTP header, was created by Microsoft to stop clickjacking attacks. "The website has to opt in to using the X Frame Options," Jackson says. "Unfortunately, a very small number of websites in our study were using it. But that's not surprising since it's so new."

Other Web application security experts agree that the X-Frames-Options header, once it's adopted by other browsers, will provide better security than frame-busting. "If you're running a site that doesn't need to be framed by external partners and you can force your users to a specific version of a browser, the X-Frame-Options header is probably the least intrusive, most effective solution. But that scenario probably applies to a very small set of sites, such as internal intranet apps where companies can control the version of browsers deployed on their desktops," Aspect Security's Li says.

Andre Gironda, an application security analyst for a large gaming company, says in the application assessments he conducts he typically recommends X-Frame-Options in the HTTP header for preventing clickjacking. Gironda says while there have been no major clickjacking attacks publicized to date, he considers it a potential bombshell. "It can do anything a user can do once it's used as an insertion point into an app," he says.

For sites that need to allow other sites to frame their pages, clickjacking lockdown is a bit trickier because it entails working with the partner sites, according to Aspect Security's Li. And Li says the Stanford and CMU researchers' recommendation for anti-clickjacking is on target, though there's no guarantee future browser implementations won't derail it. "There's no telling if a slight variation in the behavior of one's browser's future implementation could result in a means to circumvent their solution," he says.

Meanwhile, clickjacking isn't the Web developer's biggest worry today, either, CMU's Jackson notes. "Cross-site scripting is going to be the largest and most popular [vulnerability] for quite some time. It's incredibly hard to write [an app] without an XSS," he says. "I wouldn't say clickjacking is the end of the Web as we know it ... It's something every Web developer has to know about [and prevent]."

Jackson says the best bet would be for Web application frameworks to provide the default security for defending against things like clickjacking. "I'm pushing for Web app frameworks to take a lot of these security problems out of the hands of developers," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.