
Simon Willison’s Weblog

Dealing with UI redress vulnerabilities inherent to the current web (via) The best explanation of clickjacking I’ve seen yet, complete with a discussion of a number of non-ideal potential solutions. It looks like frame-busting JavaScript will defeat it, but only for users who have JavaScript enabled, which means that in this case extensions like NoScript actually make you less safe. UPDATE: NoScript is smarter than I thought; see the comments.
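As an added illustration, not code from the linked article or from this post: the classic frame-busting check the post refers to, written as a function of an explicit window-like object so it can be exercised outside a browser against constructed mocks. The hostnames example.test and attacker.test and the mock window objects are made up for the example; in a real page you would call bustFrame(window) from an inline script as early as possible in the document head. The JavaScript-disabled case needs no code to show: the script simply never runs, so the framed page stays fully clickable, which is the gap the post describes.

```javascript
'use strict';

// Classic frame-busting check. A page is "framed" when its own window
// is not the topmost browsing context, i.e. when top !== self.
function isFramed(win) {
  return win.top !== win.self;
}

// If framed, replace the top-level document (the attacker's framing
// page) with this page, so nothing can be overlaid on the real UI.
// Returns true when a navigation was triggered, false otherwise.
function bustFrame(win) {
  if (!isFramed(win)) {
    return false; // already top-level: nothing to do
  }
  win.top.location = win.self.location.href;
  return true;
}

// --- Constructed mocks; these stand in for real browser window objects ---

// A page loaded directly in a tab: top and self are the same object.
function makeTopLevelWindow() {
  const w = { location: { href: 'https://example.test/settings' } };
  w.self = w;
  w.top = w;
  return w;
}

// The same page loaded inside an attacker's iframe: top is the
// attacker's window, self is the victim page's own window.
function makeFramedWindow() {
  const attacker = { location: { href: 'https://attacker.test/bait' } };
  attacker.self = attacker;
  attacker.top = attacker;
  const victim = { location: { href: 'https://example.test/settings' } };
  victim.self = victim;
  victim.top = attacker;
  return victim;
}

// Run both scenarios and report what happened to the top-level location.
function demo() {
  const topLevel = makeTopLevelWindow();
  const framed = makeFramedWindow();
  return {
    topLevelBusted: bustFrame(topLevel),
    topLevelLocation: topLevel.top.location.href,
    framedBusted: bustFrame(framed),
    // After busting, the attacker's window has been pointed at the victim page.
    attackerLocationAfter: framed.top.location,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The check relies on script execution in the framed document; a browser or extension that blocks JavaScript on that page leaves the iframe in place and the overlay attack intact.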


6 comments

  1. Hmm, I think NoScript will actually protect you without the need for the target site to have added any frame busting JavaScript.

    Plugins -> Forbid IFRAME. See http://hackademix.net/2008/09/27/clickjacking-and-noscript/

    CiaranG - 7th October 2008 10:18 - #

  2. NoScript will help if the attacking site uses JavaScript to create and position its IFrames. But Michal Zalewski is suggesting that you can clickjack passively, using CSS to disguise most of the target IFrame (by positioning elements over/around it), then tricking the victim into clicking on the desired uncovered element of the IFrame.

    That's a different subclass of attack to what Hansen and Grossman originally described ("Consider that an attack can invisibly hover these buttons below the user's mouse"), but it seems plausible, and equally dangerous.

    phl - 7th October 2008 10:37 - #

  3. Actually, that scenario is described in the link Ciaran posted - the NoScript installer page uses this technique to frame the "Install Now" buttons from addons.mozilla.org.

    phl - 7th October 2008 10:48 - #

  4. Last week, Mark Pilgrim posted about clickjacking in his weekly HTML5 series. The blog post summarizes the discussion in the HTML5 group and browser vendors' feedback on the proposal.

    http://blog.whatwg.org/this-week-in-html-5-episode-7

    Saravanan - 7th October 2008 12:34 - #

  5. Actually NoScript's IFRAME blocking is independent from JavaScript, therefore NoScript configured to block cross-site frames (Forbid IFRAME) gives full protection against ClickJacking in all Zalewski's scenarios. That said, latest NoScript versions (1.8.2 and above) feature a new specific anti-clickjacking technology called ClearClick, working independently from iframe and plugin blocking. ClearClick prevents any UI interaction with embedded objects while they're partially obstructed or transparent, addressing all kinds of clickjacking, scriptless or not, iframe or plugin based. It's enabled by default on untrusted host pages (no matter if the embedded object is whitelisted or not), but can be easily configured to work on trusted host pages as well and so far did not cause any usability issue, therefore next stable release will likely ship ClearClick in trusted+untrusted default configuration.

    Giorgio Maone - 7th October 2008 20:03 - #

  6. Almost forgot, 1.8.2 also provides a Frame Break Emulation feature, which honors frame busting on JavaScript-disabled pages where a frame busting statement is found in one of its top 5 script elements, hence the argument "NoScript makes you less safe" (which was already dubious because of the protections listed above) is now completely unjustified.

    Giorgio Maone - 7th October 2008 20:18 - #
