Anti-Clickjacking Defenses 'Busted' In Top Websites

New research easily bypasses popular frame-busting technique
Turns out the most common defense against clickjacking and other Web framing attacks is easily broken: Researchers were able to bypass frame-busting methods used by all of the Alexa Top 500 websites.

The new research from Stanford University and Carnegie Mellon University's Silicon Valley campus found that frame-busting, a popular technique that basically stops a website from operating when it's loaded inside a "frame," does not prevent clickjacking. Clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user's Web session.

"There are so many different ways to do frame-busting, and that's a problem with it," says Collin Jackson, one of the lead researchers in the project and assistant research professor at CMU-Silicon Valley. "All it's doing is saying it detects an iFrame, refuses the function, and moves the user to a site where it will function again. Our big observation [in the research] is that it's not sufficient to just move a user into a functional [area]."

Jackson says he had suspected that frame-busting was weak since it was mainly an "ad-hoc" solution. "But we didn't know the magnitude of the problem," he says. "We had trouble finding any sites that were secure against all the attacks we identified."

Gustav Rydstedt, one of the Stanford researchers, says the toughest frame-busting method of all was Twitter's, which had some back-up checks in case its frame-busting defense were to fail.

In an ironic twist, the researchers used a security feature in Internet Explorer and Google Chrome browsers to demonstrate clickjacking attacks against the websites' frame-busting methods, including Twitter's. The cross-site scripting (XSS) filter in the browsers basically tricked the browser into seeing frame-busting as an XSS attack: "You tack it onto the URL ... and the browser says it looks like a URL appearing in a Web page and attempts to block it, so it blocks the frame-busting script from executing," Jackson says.

The frame-busting research on real website defenses further illuminates security industry concerns that today's clickjacking defenses are weak. "Much of the security industry has been of the mind that current clickjacking defenses are easily defeated, so that didn't come as much of a surprise. What I found great about this research was the authors' survey of the strategies sites are currently trying to use in the wild," says Jason Li, principal consultant with Aspect Security.

CMU's Jackson and fellow researchers Rydstedt, Elie Bursztein, and Dan Boneh -- all from Stanford -- say the best defense against clickjacking and related attacks is a JavaScript-based defense using frame-busting JavaScript code they wrote and included in their report, or the NoScript browser plug-in.

The best long-term solution, they say, is to adopt the new X-Frame-Options found in Microsoft's IE 8 and in the latest versions of most browsers. X-Frame-Options, a special HTTP header, was created by Microsoft to stop clickjacking attacks. "The website has to opt in to using the X Frame Options," Jackson says. "Unfortunately, a very small number of websites in our study were using it. But that's not surprising since it's so new."

Other Web application security experts agree that the X-Frame-Options header, once it's adopted by other browsers, will provide better security than frame-busting. "If you're running a site that doesn't need to be framed by external partners and you can force your users to a specific version of a browser, the X-Frame-Options header is probably the least intrusive, most effective solution. But that scenario probably applies to a very small set of sites, such as internal intranet apps where companies can control the version of browsers deployed on their desktops," Aspect Security's Li says.
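The two defenses described above, the researchers' JavaScript approach and the X-Frame-Options header, layered in one Node.js helper. This is an added example, not code from the article or from the Stanford/CMU report; the fail-closed markup re-implements the pattern the published report recommends (page hidden by CSS until script confirms it is top-level), and the policy object shape is an assumption.

```javascript
// Added example: layer the article's two recommended anti-clickjacking defenses.
//
//  1. The X-Frame-Options response header, honored by browsers that support it.
//  2. Fail-closed frame-busting for the rest: the page is hidden by CSS before any
//     script runs and revealed only once script confirms it is the top-level window.
//     If the script never executes (the article's case: a browser XSS filter blocks
//     it), the page stays blank instead of rendering inside an attacker's frame.
//
// Contrast with the common, fragile pattern the study found on real sites:
//     if (top != self) top.location = self.location;
// With that pattern, suppressing the one line leaves the page fully framable.

// Map a site policy (assumed shape: { allowFraming: 'none' | 'same-origin' }) to a
// header value. The original header cannot list several partner origins, so sites
// that must be framed by partners need a separate arrangement, as the article notes.
function frameOptionsHeader(policy) {
  if (policy.allowFraming === 'none') return 'DENY';
  if (policy.allowFraming === 'same-origin') return 'SAMEORIGIN';
  throw new Error('unknown framing policy: ' + policy.allowFraming);
}

// Wrap trusted server-side page content so it is invisible until the check passes.
function failClosedPage(bodyHtml) {
  return [
    '<!DOCTYPE html><html><head>',
    '<style>html{display:none}</style>',                     // hidden before any script
    '<script>',
    'if (self == top) {',
    '  document.documentElement.style.display = "block";',   // reveal only at top level
    '} else {',
    '  top.location = self.location;',                       // otherwise leave the frame
    '}',
    '</script></head><body>' + bodyHtml + '</body></html>'
  ].join('\n');
}

// Build the full response an HTTP handler would send for a protected page.
function buildProtectedResponse(policy, bodyHtml) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Frame-Options': frameOptionsHeader(policy)
    },
    body: failClosedPage(bodyHtml)
  };
}

// Demo on constructed content.
const demo = buildProtectedResponse({ allowFraming: 'none' }, '<h1>Account settings</h1>');
console.log(demo.headers['X-Frame-Options']);
console.log(demo.body);
```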

Andre Gironda, an application security analyst for a large gaming company, says in the application assessments he conducts he typically recommends X-Frame-Options in the HTTP header for preventing clickjacking. Gironda says while there have been no major clickjacking attacks publicized to date, he considers it a potential bombshell. "It can do anything a user can do once it's used as an insertion point into an app," he says.

For sites that need to allow other sites to frame their pages, clickjacking lockdown is a bit trickier because it entails working with the partner sites, according to Aspect Security's Li. And Li says the Stanford and CMU researchers' recommendation for anti-clickjacking is on target, though there's no guarantee future browser implementations won't derail it. "There's no telling if a slight variation in the behavior of one's browser's future implementation could result in a means to circumvent their solution," he says.

Meanwhile, clickjacking isn't the Web developer's biggest worry today, either, CMU's Jackson notes. "Cross-site scripting is going to be the largest and most popular [vulnerability] for quite some time. It's incredibly hard to write [an app] without an XSS," he says. "I wouldn't say clickjacking is the end of the Web as we know it ... It's something every Web developer has to know about [and prevent]."

Jackson says the best bet would be for Web application frameworks to provide the default security for defending against things like clickjacking. "I'm pushing for Web app frameworks to take a lot of these security problems out of the hands of developers," he says.
