Clickjack

From WOT Wiki

Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while they click on seemingly innocuous Web pages. A vulnerability affecting a variety of browsers and platforms, clickjacking takes the form of embedded code or script that can execute without the user's knowledge, for example a click on a button that appears to perform one function but actually performs another.

The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. The exploit is also known as UI redressing.

Clickjacking can be understood as an instance of the confused deputy problem.

Description

Clickjacking is possible because seemingly harmless features of HTML Web pages can be employed to perform unexpected actions.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer (typically an iframe whose opacity is set to zero). The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page on which the user is already logged in, so the attackers can trick users into performing actions they never intended to perform. Because the browser sends the user's genuine session cookies with each click, the resulting requests look to the target site like ordinary authenticated activity and cannot be distinguished from it afterwards.

Examples

    The user receives an email with a link to a video about a news item, but another valid page, say a product page on amazon.com, can be "hidden" on top of or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.
    Other known exploits have been:
        tricking users into enabling their webcam and microphone through Flash (since corrected by Adobe);
        tricking users into making their social networking profile information public;
        making users follow someone on Twitter;
        making users share links on Facebook.

Prevention

Client-side

NoScript

Protection against clickjacking can be added to Mozilla Firefox by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all the types of clickjacking (i.e. frame-based and plugin-based).

At the time of writing, the NoScript add-on for Firefox remains the only free product providing automatic client-side protection, with no need for awareness and cooperation from the Web site authors.

GuardedID

GuardedID (a commercial product) provides client-side clickjack protection for users of IE or Firefox without interfering with the operation of legitimate iFrames.

Gazelle

Gazelle is a secure web browser from Microsoft Research, built on the IE rendering engine, that uses an OS-like security model and has its own defenses against clickjacking: in Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.

Server-side

Framekiller

Web site owners can protect their users against UI redressing (frame based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources.

Such JavaScript-based protection, unfortunately, is not always reliable. This is especially true on Internet Explorer[11], where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an <IFRAME SECURITY=restricted> element, which disables script inside the frame so the framekiller never runs. Any mechanism that stops script from executing in the frame, or that stops the frame from navigating its parent, has the same effect; the HTML5 sandbox attribute on an iframe (without allow-scripts or allow-top-navigation) does both in every modern browser.
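The following is an added example, not code from the original page: it shows the classic framekiller one-liner next to a hardened variant (the hide-by-default pattern documented in the OWASP Clickjacking Defense Cheat Sheet), and simulates what each does when the framing page suppresses script in the frame. The window and document objects are hand-built stand-ins for the browser's, and the names (`makeWindow`, `frame`, `load`, `demo`) are this example's own.

```javascript
// Added example (not from the page): two framekiller patterns and a toy
// simulation of a frame in which the attacker has disabled script
// (IE's SECURITY=restricted, or an HTML5 sandboxed iframe).

// Minimal stand-in for a browser window: `self` and `top` behave like the
// real properties; `styles` stands in for the stylesheets shipped in <head>.
function makeWindow(name) {
  const win = { name, location: name + '.html', styles: new Set() };
  win.self = win;
  win.top = win;                       // top-level until framed
  win.document = {
    get visible() { return !win.styles.has('antiClickjack'); },
  };
  return win;
}

// Load `child` inside an <iframe> on `parent`: its `top` becomes the outer top.
function frame(parent, child) {
  child.top = parent.top;
  return child;
}

// Pattern 1: the classic one-liner,  if (top != self) top.location = self.location;
// It only helps if the script actually runs; a framing page that suppresses
// script in the frame leaves the page fully visible and clickable.
function classicFramekiller(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location;   // navigate the outer window to ourselves
    return 'busted';
  }
  return 'unframed';
}

// Pattern 2: hide the page by default with static CSS shipped in <head>
// (<style id="antiClickjack">body { display: none !important; }</style>) and
// let the script remove that rule only after confirming top === self.
// If the script never runs, the page stays blank, so there is nothing to click.
function hardenedPage(win) {
  win.styles.add('antiClickjack');
  return win;
}

function hardenedFramekiller(win) {
  if (win.self === win.top) {
    win.styles.delete('antiClickjack');     // not framed: reveal the page
    return 'revealed';
  }
  win.top.location = win.self.location;     // framed: try to break out
  return 'busted';
}

// Simulate a page load. scriptsEnabled=false models the framing page having
// disabled script in the frame, so the framekiller never executes.
function load(win, framekiller, scriptsEnabled) {
  const result = scriptsEnabled ? framekiller(win) : 'script blocked';
  return { result, visible: win.document.visible, topLocation: win.top.location };
}

// Run the four cases that matter and return them for inspection.
function demo() {
  // Classic pattern, framed, script allowed: breaks out of the frame.
  const c1 = load(frame(makeWindow('attacker'), makeWindow('bank')), classicFramekiller, true);
  // Classic pattern, framed, script blocked: still visible, i.e. clickjackable.
  const c2 = load(frame(makeWindow('attacker'), makeWindow('bank')), classicFramekiller, false);
  // Hardened pattern, framed, script blocked: stays hidden.
  const h1 = load(frame(makeWindow('attacker'), hardenedPage(makeWindow('bank'))), hardenedFramekiller, false);
  // Hardened pattern, loaded normally at top level: script reveals the page.
  const h2 = load(hardenedPage(makeWindow('bank')), hardenedFramekiller, true);
  return { c1, c2, h1, h2 };
}
```

Even the hardened pattern only fails safe against the script-blocking bypass; a framing page that is allowed to run script in the frame can still interfere with the `top.location` assignment (for example by cancelling the navigation from an onbeforeunload handler on the outer page), which is why the header-based controls in the next section are the primary defence and the framekiller is at best a fallback for browsers that ignore them.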

Server and client

X-Frame-Options

On 26 January 2009 Microsoft released RC1 of Internet Explorer 8, which includes a new partial clickjacking prevention option. Web site developers are able to send an HTTP response header with a page to help detect and prevent frame-based UI redressing. IE 8, according to Microsoft, “will detect sites that insert the tag and give users a new error screen indicating that the content host has chosen not to allow their content to be framed, while giving users the option to open the content in a new window.” According to NoScript's developer, Giorgio Maone, this feature can be regarded as a work-around for framekiller's brokenness on IE and, "if a Web site owner is skilled and careful enough to implement" this countermeasure, "he will surely deploy the simple and understood JavaScript frame busting one-liner too, and every browser is equally protected".

Microsoft's suggested solution, which has since also been implemented in Apple's Safari, Firefox, and Google's Chrome Web browsers, is to check for a new HTTP header, X-Frame-Options. This header can have two values, DENY and SAMEORIGIN, which block all framing or framing by other origins, respectively. (A third value, ALLOW-FROM origin, was later supported by Internet Explorer and older Firefox releases but never by Chrome or Safari; the standardised successor to all of these is the Content Security Policy frame-ancestors directive, which browsers evaluate in preference to X-Frame-Options when both are present.)
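As an added example (not part of the original page), the following models how a browser decides whether a framed response may render given its X-Frame-Options header, and includes a helper that emits the header alongside its CSP frame-ancestors equivalent. The SAMEORIGIN check compares every ancestor frame's origin, as the current HTML standard specifies; the original IE8 and Safari implementations compared only the top-level document. The function names and the origins used in the comments are this example's own assumptions.

```javascript
// Added example (not from the page): browser-side evaluation of
// X-Frame-Options, plus a helper that emits the header and its CSP successor.

// Normalise the header: case-insensitive name and value, possibly repeated or
// comma-separated. Returns 'DENY', 'SAMEORIGIN', 'CONFLICT' (two different
// directives present) or null (absent or unrecognised, e.g. ALLOW-FROM in Chrome).
function parseXFrameOptions(headers) {
  const values = Object.entries(headers)
    .filter(([name]) => name.toLowerCase() === 'x-frame-options')
    .flatMap(([, v]) => (Array.isArray(v) ? v : [v]))
    .flatMap((v) => String(v).split(','))
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v.length > 0);
  const unique = [...new Set(values)];
  if (unique.length === 0) return null;
  // Conflicting directives: this example fails closed, the safe choice;
  // real browsers' handling of malformed lists has varied over time.
  if (unique.length > 1) return 'CONFLICT';
  return unique[0] === 'DENY' || unique[0] === 'SAMEORIGIN' ? unique[0] : null;
}

// pageOrigin: origin of the framed document. ancestorOrigins: origins of every
// ancestor browsing context, nearest parent first, ending at the top window.
// An empty list is a top-level navigation, which X-Frame-Options never blocks.
function mayFrame(headers, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;
  switch (parseXFrameOptions(headers)) {
    case 'DENY':
    case 'CONFLICT':
      return false;
    case 'SAMEORIGIN':
      // Every ancestor must be same-origin, otherwise an attacker could frame a
      // same-origin page that in turn frames the target.
      return ancestorOrigins.every((origin) => origin === pageOrigin);
    default:
      return true;            // no usable policy: framing is allowed
  }
}

// Emit the legacy header together with its standardised replacement.
// frame-ancestors (CSP Level 2) can also name specific origins, which
// X-Frame-Options cannot do portably.
function framingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'allow-from':
      // ALLOW-FROM was only ever honoured by IE and older Firefox, so only the
      // CSP form is emitted; browsers that ignore CSP will allow framing.
      return { 'Content-Security-Policy': 'frame-ancestors ' + allowedOrigins.join(' ') };
    default:
      throw new Error('unknown framing policy: ' + policy);
  }
}
```

When auditing a site, request each sensitive page directly and check the returned headers against `mayFrame` with the attacker's origin as the sole ancestor; a page that returns true here is the one to test with a transparent iframe.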

Both framekillers and IE8's mitigation approach, however, require Web developers to protect vulnerable pages by modifying their content or the way they are served. Even on "protected" pages, neither can prevent plugin-based clickjacking variants, since those do not rely on frames.

Firefox includes X-Frame-Options clickjacking protection since version 3.6.9, released on 7 September 2010.