Preventing clickjacking (UI Redressing)
Posted: Wed Feb 03, 2010 7:08 am
by VladSun
So, you think your site is secured?
Read this:
http://en.wikipedia.org/wiki/Clickjacking
Possible solutions here:
http://coderrr.wordpress.com/2009/02/13 ... edressing/
PS: I searched for "clickjacking" in this forum, but I couldn't find any posts regarding this problem. That's why I've decided to post it here and make some noise about it.

Re: Preventing clickjacking (UI Redressing)
Posted: Wed Feb 03, 2010 1:11 pm
by flying_circus
I'm not sure this is something a web developer can realistically combat.
If I understand correctly, an example of this attack is: your website loads my website in an iframe. Your website then places a transparent CSS layer over the iframe containing my website, which is used to jack the users' clicks.
The problem is that my website has no way to detect or prevent it from being loaded in your iframe.
In my opinion, the onus is "on the user" if they try to access my website through a "proxy website" of sorts.
Re: Preventing clickjacking (UI Redressing)
Posted: Wed Feb 03, 2010 1:43 pm
by VladSun
You got it wrong - your web site is made transparent and put in an iframe over the attacker's site (so it processes the user's clicks).
Re: Preventing clickjacking (UI Redressing)
Posted: Wed Feb 03, 2010 1:46 pm
by VladSun
flying_circus wrote: The problem is that my website has no way to detect or prevent it from being loaded in your iframe.
Did you read the solution?
Re: Preventing clickjacking (UI Redressing)
Posted: Wed Feb 03, 2010 3:07 pm
by flying_circus
VladSun wrote: You got it wrong - your web site is made transparent and put in an iframe over the attacker's site (so it processes the user's clicks).
Aha. I see where this is going.
The possible solution that I read about used a combination of JavaScript and CSS, coupled with a noscript element. Briefly skimming over the comments on the page you linked to, as well as the wiki article, I found workarounds for busting frame busters/killers.
Edit: I just read the bit at
http://keepitlocked.net/archive/2008/11 ... sting.aspx. This is the method I am using to test for javascript support on my sites.
Re: Preventing clickjacking (UI Redressing)
Posted: Wed Feb 03, 2010 5:54 pm
by VladSun
It's the same as in the article I pointed to.
Re: Preventing clickjacking (UI Redressing)
Posted: Wed Feb 03, 2010 6:45 pm
by flying_circus
Yes, I found the link through your article. I still need to add the frame busting part to my code, but it should be an easy fix, since I already have the JavaScript detection implemented that way.
After I posted last, I headed to "the office". It took me a bit to grasp the concept, but the light eventually came on. I just needed to really think about it a bit longer. Thanks for bringing up the topic!
Re: Preventing clickjacking (UI Redressing)
Posted: Sat Feb 06, 2010 5:40 am
by kaisellgren
Those frame busters can be bypassed. The best solution currently is to send the X-Frame-Options header, which is supported by IE 8, Chrome, Safari 4 and Firefox (when NoScript is used).
Re: Preventing clickjacking (UI Redressing)
Posted: Sat Feb 06, 2010 1:06 pm
by flying_circus
I was looking for more info on clickjacking, and came across Cross Site History Manipulation (XSHM).
Info:
http://www.checkmarx.com/CxDownloadRequest.aspx?id=8
The suggested fix is to append a random token to the end of a url and disregard it in your application.
(ex: http://example.org/index.php?xshm=xxx)
Re: Preventing clickjacking (UI Redressing)
Posted: Sun Feb 07, 2010 6:20 am
by kaisellgren
flying_circus wrote: I was looking for more info on clickjacking, and came across Cross Site History Manipulation (XSHM).
Info:
http://www.checkmarx.com/CxDownloadRequest.aspx?id=8
The suggested fix is to append a random token to the end of a url and disregard it in your application.
(ex: http://example.org/index.php?xshm=xxx)
Off topic, but there's more info on that on
http://security-sh3ll.blogspot.com/2010 ... -xshm.html