Preventing clickjacking (UI Redressing)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Preventing clickjacking (UI Redressing)

Post by VladSun »

So, you think your site is secured ;) ?

Read this:
http://en.wikipedia.org/wiki/Clickjacking

Possible solutions here:
http://coderrr.wordpress.com/2009/02/13 ... edressing/

PS: I searched for "clickjacking" in this forum, but I couldn't find any posts regarding this problem. That's why I've decided to post it here and make some noise about it :)
There are 10 types of people in this world, those who understand binary and those who don't
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Preventing clickjacking (UI Redressing)

Post by flying_circus »

I'm not sure this is something a web developer can realistically combat.

If I understand correctly, an example of this attack is your website loads my website in an iframe. Your website then places a transparent CSS layer over the iframe containing my website, which is used to jack the user's clicks.

The problem is that my website has no way to detect or prevent it from being loaded in your iframe.

In my opinion, the onus is "on the user" if they try to access my website through a "proxy website" of sorts.

Re: Preventing clickjacking (UI Redressing)

Post by VladSun »

You got it wrong - your web site is made transparent and put in an iframe over the attacker site (so it processes the user's clicks).

Re: Preventing clickjacking (UI Redressing)

Post by VladSun »

flying_circus wrote: The problem is that my website has no way to detect or prevent it from being loaded in your iframe.

Did you read the solution?

Re: Preventing clickjacking (UI Redressing)

Post by flying_circus »

VladSun wrote: You got it wrong - your web site is made transparent and put in an iframe over the attacker site (so it processes the user's clicks).

Aha. I see where this is going.

The possible solution that I read about used a combination of JavaScript and CSS, coupled with a noscript element. Briefly skimming over the comments on the page you linked to, as well as the wiki article, I found workarounds for busting frame busters/killers.

Edit: I just read the bit at http://keepitlocked.net/archive/2008/11 ... sting.aspx. This is the method I am using to test for javascript support on my sites.

Re: Preventing clickjacking (UI Redressing)

Post by VladSun »

flying_circus wrote: Edit: I just read the bit at http://keepitlocked.net/archive/2008/11 ... sting.aspx. This is the method I am using to test for javascript support on my sites.

It's the same as in the article I pointed to.

Re: Preventing clickjacking (UI Redressing)

Post by flying_circus »

Yes, I found the link through your article. I still need to add the frame busting part to my code, but it should be an easy fix, since I already have the JavaScript detection implemented that way.

After I posted last, I headed to "the office". It took me a bit to grasp the concept, but the light eventually came on. I just needed to really think about it a bit longer. Thanks for bringing up the topic!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Preventing clickjacking (UI Redressing)

Post by kaisellgren »

Those frame busters can be bypassed. The best solution currently is to send the X-Frame-Options header, which is supported by IE 8, Chrome, Safari 4 and Firefox (when NoScript is used).
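The two defence layers this thread describes, the CSS/JavaScript/noscript frame-busting pattern flying_circus mentions and the X-Frame-Options header kaisellgren recommends, as an added example that is not code from any poster here. It is written in JavaScript with a window-like stub so the client-side decision can be exercised outside a browser; the function names are this example's own.

```javascript
// Added example, not from the thread. Layer 1 (primary): the X-Frame-Options
// response header, enforced by the browser before any script runs.
// Layer 2 (fallback for browsers without header support): the page ships with
// <style>body{display:none}</style> so nothing is clickable by default; with
// scripts disabled the body simply stays hidden (the noscript case), and the
// inline script reveals it only when the page is the top-level window.

// Build the anti-framing response header. 'DENY' forbids framing everywhere,
// 'SAMEORIGIN' allows framing only by pages from your own origin.
function antiFramingHeaders(policy = 'DENY') {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error('X-Frame-Options accepts DENY or SAMEORIGIN');
  }
  return { 'X-Frame-Options': policy };
}

// The HTML fragment the server emits: hidden body plus the inline frame buster.
// Hypothetical helper name; the markup mirrors applyFrameBusting() below.
function frameBustingMarkup() {
  return (
    '<style>body{display:none}</style>' +
    '<script>if(self===top){document.body.style.display="block"}' +
    'else{top.location.href=self.location.href}</script>'
  );
}

// Decide what the inline script should do. `win` is any object exposing
// `self`, `top`, `location.href` and `document.body.style` (a real window in
// the browser, a constructed stub in tests).
//   'show': this is the top window, reveal the page
//   'bust': this page is framed, navigate the top window to ourselves
function frameBustDecision(win) {
  return win.self === win.top ? 'show' : 'bust';
}

function applyFrameBusting(win) {
  const action = frameBustDecision(win);
  if (action === 'show') {
    win.document.body.style.display = 'block';
  } else {
    win.top.location.href = win.self.location.href;
  }
  return action;
}

module.exports = { antiFramingHeaders, frameBustingMarkup, frameBustDecision, applyFrameBusting };
```

Send the header on every response that must not be framed; the script-based fallback is only a second line of defence, since (as the post above says) frame busters alone can be bypassed.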

Re: Preventing clickjacking (UI Redressing)

Post by flying_circus »

I was looking for more info on clickjacking, and came across Cross Site History Manipulation (XSHM).

Info:
http://www.checkmarx.com/CxDownloadRequest.aspx?id=8

The suggested fix is to append a random token to the end of a URL and disregard it in your application.
(ex: http://example.org/index.php?xshm=xxx)

Re: Preventing clickjacking (UI Redressing)

Post by kaisellgren »

flying_circus wrote: I was looking for more info on clickjacking, and came across Cross Site History Manipulation (XSHM).

Info:
http://www.checkmarx.com/CxDownloadRequest.aspx?id=8

The suggested fix is to append a random token to the end of a URL and disregard it in your application.
(ex: http://example.org/index.php?xshm=xxx)

Off topic, but there's more info on that on http://security-sh3ll.blogspot.com/2010 ... -xshm.html