
Vulnerabilities / Threats

5/26/2010
07:34 PM

Anti-Clickjacking Defenses 'Busted' In Top Websites

New research easily bypasses popular frame-busting technique

Turns out the most common defense against clickjacking and other Web framing attacks is easily broken: Researchers were able to bypass frame-busting methods used by all of the Alexa Top 500 websites.

The new research from Stanford University and Carnegie Mellon University's Silicon Valley campus found that frame-busting, a popular technique that stops a website from operating when it is loaded inside a frame on another page, does not prevent clickjacking. Clickjacking attacks load a target page inside a malicious iframe on an attacker-controlled Web page in order to hijack a user's Web session.

"There are so many different ways to do frame-busting, and that's a problem with it," says Collin Jackson, one of the lead researchers in the project and assistant research professor at CMU-Silicon Valley. "All it's doing is saying it detects an iFrame, refuses the function, and moves the user to a site where it will function again. Our big observation [in the research] is that it's not sufficient to just move a user into a functional [area]."

Jackson says he had suspected that frame-busting was weak since it was mainly an "ad-hoc" solution. "But we didn't know the magnitude of the problem," he says. "We had trouble finding any sites that were secure against all the attacks we identified."

Gustav Rydstedt, one of the Stanford researchers, says the toughest frame-busting method of all was Twitter's, which had some back-up checks in case its frame-busting defense were to fail.

In an ironic twist, the researchers used a security feature in Internet Explorer and Google Chrome browsers to demonstrate clickjacking attacks against the websites' frame-busting methods, including Twitter's. The cross-site scripting (XSS) filter in the browsers basically tricked the browser into seeing frame-busting as an XSS attack: "You tack it onto the URL ... and the browser says it looks like a URL appearing in a Web page and attempts to block it, so it blocks the frame-busting script from executing," Jackson says.

The frame-busting research on real website defenses further illuminates security industry concerns that today's clickjacking defenses are weak. "Much of the security industry has been of the mind that current clickjacking defenses are easily defeated, so that didn't come as much of a surprise. What I found great about this research was the authors' survey of the strategies sites are currently trying to use in the wild," says Jason Li, principal consultant with Aspect Security.

CMU's Jackson and fellow researchers Rydstedt, Elie Bursztein, and Dan Boneh -- all from Stanford -- say the best defense against clickjacking and related attacks is a JavaScript-based defense using frame-busting JavaScript code they wrote and included in their report, or the NoScript browser plug-in.

The best long-term solution, they say, is to adopt the new X-Frame-Options HTTP header, supported by Microsoft's IE 8 and by the latest versions of most browsers. Microsoft created the header to stop clickjacking attacks. "The website has to opt in to using the X-Frame-Options," Jackson says. "Unfortunately, a very small number of websites in our study were using it. But that's not surprising since it's so new."

Other Web application security experts agree that the X-Frame-Options header, once it's adopted by other browsers, will provide better security than frame-busting. "If you're running a site that doesn't need to be framed by external partners and you can force your users to a specific version of a browser, the X-Frame-Options header is probably the least intrusive, most effective solution. But that scenario probably applies to a very small set of sites, such as internal intranet apps where companies can control the version of browsers deployed on their desktops," Aspect Security's Li says.

Andre Gironda, an application security analyst for a large gaming company, says in the application assessments he conducts he typically recommends X-Frame-Options in the HTTP header for preventing clickjacking. Gironda says while there have been no major clickjacking attacks publicized to date, he considers it a potential bombshell. "It can do anything a user can do once it's used as an insertion point into an app," he says.

For sites that need to allow other sites to frame their pages, clickjacking lockdown is a bit trickier because it entails working with the partner sites, according to Aspect Security's Li. And Li says the Stanford and CMU researchers' recommendation for anti-clickjacking is on target, though there's no guarantee future browser implementations won't derail it. "There's no telling if a slight variation in the behavior of one's browser's future implementation could result in a means to circumvent their solution," he says.

Meanwhile, clickjacking isn't the Web developer's biggest worry today, either, CMU's Jackson notes. "Cross-site scripting is going to be the largest and most popular [vulnerability] for quite some time. It's incredibly hard to write [an app] without an XSS," he says. "I wouldn't say clickjacking is the end of the Web as we know it ... It's something every Web developer has to know about [and prevent]."

Jackson says the best bet would be for Web application frameworks to provide the default security for defending against things like clickjacking. "I'm pushing for Web app frameworks to take a lot of these security problems out of the hands of developers," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
