Thursday, May 27, 2010

Anti-Clickjacking Defenses 'Busted' In Top Websites

Via -

Turns out the most common defense against clickjacking and other Web framing attacks is easily broken: researchers were able to bypass frame-busting methods used by all of the Alexa Top 500 websites.

The new research from Stanford University and Carnegie Mellon University's Silicon Valley campus found that frame busting, a popular technique that basically stops a website from operating when it's loaded inside a "frame," does not prevent clickjacking. Clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user's Web session.

"There are so many different ways to do frame-busting, and that's a problem with it," says Collin Jackson, one of the lead researchers in the project and assistant research professor at CMU-Silicon Valley. "All it's doing is saying it detects an iframe, refuses the function, and moves the user to a site where it will function again. Our big observation [in the research] is that it's not sufficient to just move a user into a functional [area]."

Jackson says he had suspected that frame-busting was weak since it was mainly an "ad-hoc" solution. "But we didn't know the magnitude of the problem," he says. "We had trouble finding any sites that were secure against all the attacks we identified."


CMU's Jackson and his fellow researchers -- Rydstedt, Elie Bursztein, and Dan Boneh, all from Stanford -- say the best defense available today against clickjacking and related attacks is either a JavaScript-based defense using the frame-busting JavaScript code they wrote and included in their report, or the NoScript browser plug-in.

The best long-term solution, they say, is to adopt the new X-Frame-Options found in Microsoft's IE 8 and in the latest versions of most browsers. X-Frame-Options, a special HTTP header, was created by Microsoft to stop clickjacking attacks. "The website has to opt in to using the X Frame Options," Jackson says. "Unfortunately, a very small number of websites in our study were using it. But that's not surprising since it's so new."


IE8 Security Part VII: ClickJacking Defenses
