The Clickjacking attack and X-Frame-Options
Clickjacking
Clickjacking is a type of “web framing” or “UI redressing” attack. What that means in practice is:
1. A user (the victim) is shown an innocuous but enticing web page (think: watch an online video).
2. Another web page, which generally does something important (think: add a friend on a social network), is layered on top of the first page and set to be transparent.
3. When the user thinks they are clicking on the web page they see (the video), they are actually clicking on the transparent, higher-layered (framed) page.
There are two main ways to prevent clickjacking:
1. Sending the proper X-Frame-Options HTTP response header, which instructs the browser not to allow framing from other domains.
2. Employing defensive code in the UI to ensure that the current frame is the top-level window.
Using X-Frame-Options
X-Frame-Options was originally invented by Microsoft for IE8, but it is supported by a number of browsers, and the idea might have more uses than what it was intended for originally.
There are three possible values for X-Frame-Options:
DENY - The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN - The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri - The page can only be displayed in a frame on the specified origin.
In other words, if you specify DENY, attempts to load the page in a frame will fail not only when the framing page is on another site, but also when it is on the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
Configuring IIS
To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <!-- Sent on every response served by this site -->
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
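As an added example (not code from the original post), the following Node.js script models what a browser does with each of the three header values described above, and includes a small helper that sets the header on any response object exposing setHeader(), for servers that are not IIS. The function names (parseXFrameOptions, framingAllowed, setFramingHeader) and all URLs are my own constructed assumptions; the policy logic follows the DENY / SAMEORIGIN / ALLOW-FROM semantics as stated in the article.

```javascript
// Added example, not part of the original article: model the browser-side
// decision for X-Frame-Options and set the header on a Node-style response.
// Origins are compared as scheme + host + port, which is what "same origin" means.

// Normalise any URL or origin string to its origin, e.g. "https://example.com:8443".
function originOf(input) {
  return new URL(input).origin;
}

// Parse an X-Frame-Options header value into a policy object.
// Returns null for values a browser would not understand; this example treats
// such values like a missing header (framing allowed), which is the unsafe default.
function parseXFrameOptions(value) {
  if (typeof value !== 'string') return null;
  const parts = value.trim().split(/\s+/);
  const directive = parts[0].toUpperCase();
  if (directive === 'DENY' && parts.length === 1) return { directive };
  if (directive === 'SAMEORIGIN' && parts.length === 1) return { directive };
  if (directive === 'ALLOW-FROM' && parts.length === 2) {
    try {
      return { directive, origin: originOf(parts[1]) };
    } catch (e) {
      return null; // unparsable URI after ALLOW-FROM
    }
  }
  return null;
}

// Decide whether a page served with `headerValue` at `pageUrl` may be framed by
// a document located at `embedderUrl`: DENY refuses every framer, SAMEORIGIN
// admits only the page's own origin, ALLOW-FROM admits exactly one named origin.
function framingAllowed(headerValue, pageUrl, embedderUrl) {
  const policy = parseXFrameOptions(headerValue);
  if (policy === null) return true; // no valid header: browsers frame freely
  const page = originOf(pageUrl);
  const embedder = originOf(embedderUrl);
  switch (policy.directive) {
    case 'DENY':       return false;
    case 'SAMEORIGIN': return page === embedder;
    case 'ALLOW-FROM': return policy.origin === embedder;
  }
  return true;
}

// Middleware-style helper (assumed name): set the header on any response object
// with setHeader(name, value), such as Node's http.ServerResponse or an Express
// res. Defaults to SAMEORIGIN, matching the IIS snippet above.
function setFramingHeader(res, policy = 'SAMEORIGIN') {
  if (parseXFrameOptions(policy) === null) {
    throw new Error(`invalid X-Frame-Options value: ${policy}`);
  }
  res.setHeader('X-Frame-Options', policy);
  return res;
}

// Stand-alone demonstration over constructed URLs; returns one line per case.
function demo() {
  const page = 'https://bank.example/transfer'; // constructed sample page
  const cases = [
    ['DENY',                               'https://bank.example/'],
    ['SAMEORIGIN',                         'https://bank.example/'],
    ['SAMEORIGIN',                         'https://evil.example/'],
    ['SAMEORIGIN',                         'http://bank.example/'], // scheme differs: not same origin
    ['ALLOW-FROM https://partner.example', 'https://partner.example/embed'],
    ['ALLOW-FROM https://partner.example', 'https://evil.example/'],
    ['bogus',                              'https://evil.example/'],
  ];
  return cases.map(([hdr, embedder]) =>
    `${hdr.padEnd(36)} framed by ${embedder.padEnd(30)} -> ` +
    (framingAllowed(hdr, page, embedder) ? 'allowed' : 'blocked'));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo().join('\n'));
}

if (typeof module !== 'undefined') {
  module.exports = { parseXFrameOptions, framingAllowed, setFramingHeader, demo };
}
```

Two practical points the model makes visible: an origin check is strict about scheme and port, so an http:// framer of an https:// page is blocked under SAMEORIGIN; and a misspelled or malformed header value protects nothing, which is why validating the configured value (as setFramingHeader does) is worth the extra line. ALLOW-FROM was never implemented by every browser, so DENY and SAMEORIGIN are the two values you can rely on across clients.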
Employing defensive code or Frame Busting
The classic frame-busting script checks whether the page is the top-level window and, if it is not, navigates the top window to the page itself:
<script>
  // If we are inside a frame, replace the framing page with ourselves
  if (top != window) {
    top.location = window.location;
  }
</script>
It is possible to block the navigation caused by the top.location assignment, in the onbeforeunload event. The handler of this event returns a string which becomes a question to the user, asking whether he wants to leave the page or not. The outer window is located at the evil domain, so of course the hacker may put any question there, and the user will believe it and stay. It’s always like that.
<script>
  // Outer (framing) page: intercept the navigation triggered by the framed page
  window.onbeforeunload = function() {
    window.onbeforeunload = null;
    return "Maybe you want to leave the page, before you become rich?!?";
  }
</script>
The demo frames this page:
<iframe src="http://javascript.info/files/tutorial/window/changetop.html" style="height:80px"></iframe>
The most reliable method is to suspend showing the document until the top == window check has passed:
<head>
  <style>
    /* Hidden until the script below confirms the page is not framed */
    body { display: none; }
  </style>
</head>
<body>
  <script>
    if (self == top) {
      // Not framed: reveal the page
      var theBody = document.getElementsByTagName('body')[0];
      theBody.style.display = "block";
    } else {
      // Framed: break out of the frame
      top.location = self.location;
    }
  </script>
</body>
In the example above, we use document.getElementsByTagName('body') instead of document.body, because this way of getting BODY works in all browsers even when the document is not ready.
Summary:
Clickjacking is easy to implement. As long as there is an action on your site that can be done with a single click, it may be clickjacked. An attacker can ensure that the visitor is logged into your site by social engineering. Or, on some sites, it is possible to send a message to a user with the “Happy Link”; the user will browse his site mail, click on it, and be clickjacked. Many variants are possible. It is recommended that you use X-Frame-Options on pages which are not meant to run in a frame. The older frame-busting method is less effective, but useful for older browsers, like IE7.