Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/26/2010
07:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Anti-Clickjacking Defenses 'Busted' In Top Websites

New research easily bypasses popular frame-busting technique

Turns out the most common defense against clickjacking and other Web framing attacks is easily broken: Researchers were able to bypass frame-busting methods used by all of the Alexa Top 500 websites.

The new research from Stanford University and Carnegie Mellon University's Silicon Valley campus found that frame-busting, a popular technique that basically stops a website from operating when it's loaded inside a "frame," does not prevent clickjacking. Clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user's Web session.

"There are so many different ways to do frame-busting, and that's a problem with it," says Collin Jackson, one of the lead researchers in the project and assistant research professor at CMU-Silicon Valley. "All it's doing is saying it detects an iFrame, refuses the function, and moves the user to a site where it will function again. Our big observation [in the research] is that it's not sufficient to just move a user into a functional [area]."

Jackson says he had suspected that frame-busting was weak since it was mainly an "ad-hoc" solution. "But we didn't know the magnitude of the problem," he says. "We had trouble finding any sites that were secure against all the attacks we identified."

Gustav Rydstedt, one of the Stanford researchers, says the toughest frame-busting method of all was Twitter's, which had some back-up checks in case its frame-busting defense were to fail.

In an ironic twist, the researchers used a security feature in Internet Explorer and Google Chrome browsers to demonstrate clickjacking attacks against the websites' frame-busting methods, including Twitter's. The cross-site scripting (XSS) filter in the browsers basically tricked the browser into seeing frame-busting as an XSS attack: "You tack it onto the URL ... and the browser says it looks like a URL appearing in a Web page and attempts to block it, so it blocks the frame-busting script from executing," Jackson says.

The frame-busting research on real website defenses further illuminates security industry concerns that today's clickjacking defenses are weak. "Much of the security industry has been of the mind that current clickjacking defenses are easily defeated, so that didn't come as much of a surprise. What I found great about this research was the authors' survey of the strategies sites are currently trying to use in the wild," says Jason Li, principal consultant with Aspect Security.

CMU's Jackson and fellow researchers Rydstedt, Elie Bursztein, and Dan Boneh -- all from Stanford -- say the best defense against clickjacking and related attacks is a JavaScript-based defense using frame-busting JavaScript code they wrote and included in their report, or the NoScript browser plug-in.

The best long-term solution, they say, is to adopt the new X-Frame-Options found in Microsoft's IE 8 and in the latest versions of most browsers. X-Frame-Options, a special HTTP header, was created by Microsoft to stop clickjacking attacks. "The website has to opt in to using the X Frame Options," Jackson says. "Unfortunately, a very small number of websites in our study were using it. But that's not surprising since it's so new."

Other Web application security experts agree that the X-Frames-Options header, once it's adopted by other browsers, will provide better security than frame-busting. "If you're running a site that doesn't need to be framed by external partners and you can force your users to a specific version of a browser, the X-Frame-Options header is probably the least intrusive, most effective solution. But that scenario probably applies to a very small set of sites, such as internal intranet apps where companies can control the version of browsers deployed on their desktops," Aspect Security's Li says.

Andre Gironda, an application security analyst for a large gaming company, says in the application assessments he conducts he typically recommends X-Frame-Options in the HTTP header for preventing clickjacking. Gironda says while there have been no major clickjacking attacks publicized to date, he considers it a potential bombshell. "It can do anything a user can do once it's used as an insertion point into an app," he says.

For sites that need to allow other sites to frame their pages, clickjacking lockdown is a bit trickier because it entails working with the partner sites, according to Aspect Security's Li. And Li says the Stanford and CMU researchers' recommendation for anti-clickjacking is on target, though there's no guarantee future browser implementations won't derail it. "There's no telling if a slight variation in the behavior of one's browser's future implementation could result in a means to circumvent their solution," he says.

Meanwhile, clickjacking isn't the Web developer's biggest worry today, either, CMU's Jackson notes. "Cross-site scripting is going to be the largest and most popular [vulnerability] for quite some time. It's incredibly hard to write [an app] without an XSS," he says. "I wouldn't say clickjacking is the end of the Web as we know it ... It's something every Web developer has to know about [and prevent]."

Jackson says the best bet would be for Web application frameworks to provide the default security for defending against things like clickjacking. "I'm pushing for Web app frameworks to take a lot of these security problems out of the hands of developers," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
HackerOne Drops Mobile Voting App Vendor Voatz
Dark Reading Staff 3/30/2020
Limited-Time Free Offers to Secure the Enterprise Amid COVID-19
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/31/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5347
PUBLISHED: 2020-04-04
Dell EMC Isilon OneFS versions 8.2.2 and earlier contain a denial of service vulnerability. SmartConnect had an error condition that may be triggered to loop, using CPU and potentially preventing other SmartConnect DNS responses.
CVE-2020-5348
PUBLISHED: 2020-04-04
Dell Latitude 7202 Rugged Tablet BIOS versions prior to A28 contain a UAF vulnerability in EFI_BOOT_SERVICES in system management mode. A local unauthenticated attacker may exploit this vulnerability by overwriting the EFI_BOOT_SERVICES structure to execute arbitrary code in system management mode.
CVE-2020-8142
PUBLISHED: 2020-04-03
A security restriction bypass vulnerability has been discovered in Revive Adserver version < 5.0.5 by HackerOne user hoangn144. Revive Adserver, like many other applications, requires the logged in user to type the current password in order to change the e-mail address or the password. It was how...
CVE-2020-8143
PUBLISHED: 2020-04-03
An Open Redirect vulnerability was discovered in Revive Adserver version < 5.0.5 and reported by HackerOne user hoangn144. A remote attacker could trick logged-in users to open a specifically crafted link and have them redirected to any destination.The CSRF protection of the “/...
CVE-2020-8147
PUBLISHED: 2020-04-03
Flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend.