Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/26/2010
07:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Anti-Clickjacking Defenses 'Busted' In Top Websites

New research easily bypasses popular frame-busting technique

Turns out the most common defense against clickjacking and other Web framing attacks is easily broken: Researchers were able to bypass frame-busting methods used by all of the Alexa Top 500 websites.

The new research from Stanford University and Carnegie Mellon University's Silicon Valley campus found that frame-busting, a popular technique that basically stops a website from operating when it's loaded inside a "frame," does not prevent clickjacking. Clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user's Web session.

"There are so many different ways to do frame-busting, and that's a problem with it," says Collin Jackson, one of the lead researchers in the project and assistant research professor at CMU-Silicon Valley. "All it's doing is saying it detects an iFrame, refuses the function, and moves the user to a site where it will function again. Our big observation [in the research] is that it's not sufficient to just move a user into a functional [area]."

Jackson says he had suspected that frame-busting was weak since it was mainly an "ad-hoc" solution. "But we didn't know the magnitude of the problem," he says. "We had trouble finding any sites that were secure against all the attacks we identified."

Gustav Rydstedt, one of the Stanford researchers, says the toughest frame-busting method of all was Twitter's, which had some back-up checks in case its frame-busting defense were to fail.

In an ironic twist, the researchers used a security feature in Internet Explorer and Google Chrome browsers to demonstrate clickjacking attacks against the websites' frame-busting methods, including Twitter's. The cross-site scripting (XSS) filter in the browsers basically tricked the browser into seeing frame-busting as an XSS attack: "You tack it onto the URL ... and the browser says it looks like a URL appearing in a Web page and attempts to block it, so it blocks the frame-busting script from executing," Jackson says.

The frame-busting research on real website defenses further illuminates security industry concerns that today's clickjacking defenses are weak. "Much of the security industry has been of the mind that current clickjacking defenses are easily defeated, so that didn't come as much of a surprise. What I found great about this research was the authors' survey of the strategies sites are currently trying to use in the wild," says Jason Li, principal consultant with Aspect Security.

CMU's Jackson and fellow researchers Rydstedt, Elie Bursztein, and Dan Boneh -- all from Stanford -- say the best defense against clickjacking and related attacks is a JavaScript-based defense using frame-busting JavaScript code they wrote and included in their report, or the NoScript browser plug-in.

The best long-term solution, they say, is to adopt the new X-Frame-Options found in Microsoft's IE 8 and in the latest versions of most browsers. X-Frame-Options, a special HTTP header, was created by Microsoft to stop clickjacking attacks. "The website has to opt in to using the X Frame Options," Jackson says. "Unfortunately, a very small number of websites in our study were using it. But that's not surprising since it's so new."

Other Web application security experts agree that the X-Frames-Options header, once it's adopted by other browsers, will provide better security than frame-busting. "If you're running a site that doesn't need to be framed by external partners and you can force your users to a specific version of a browser, the X-Frame-Options header is probably the least intrusive, most effective solution. But that scenario probably applies to a very small set of sites, such as internal intranet apps where companies can control the version of browsers deployed on their desktops," Aspect Security's Li says.

Andre Gironda, an application security analyst for a large gaming company, says in the application assessments he conducts he typically recommends X-Frame-Options in the HTTP header for preventing clickjacking. Gironda says while there have been no major clickjacking attacks publicized to date, he considers it a potential bombshell. "It can do anything a user can do once it's used as an insertion point into an app," he says.

For sites that need to allow other sites to frame their pages, clickjacking lockdown is a bit trickier because it entails working with the partner sites, according to Aspect Security's Li. And Li says the Stanford and CMU researchers' recommendation for anti-clickjacking is on target, though there's no guarantee future browser implementations won't derail it. "There's no telling if a slight variation in the behavior of one's browser's future implementation could result in a means to circumvent their solution," he says.

Meanwhile, clickjacking isn't the Web developer's biggest worry today, either, CMU's Jackson notes. "Cross-site scripting is going to be the largest and most popular [vulnerability] for quite some time. It's incredibly hard to write [an app] without an XSS," he says. "I wouldn't say clickjacking is the end of the Web as we know it ... It's something every Web developer has to know about [and prevent]."

Jackson says the best bet would be for Web application frameworks to provide the default security for defending against things like clickjacking. "I'm pushing for Web app frameworks to take a lot of these security problems out of the hands of developers," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVE-2019-17547
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
CVE-2019-17501
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
CVE-2019-17539
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.