Sunday, May 13, 2012

2. Clickjacking protection

"Work to prevent crime not to need punishment" - Confucius


In this second post I'm going to talk about the different measures that have been used to defend against clickjacking (click kidnapping) techniques; I link its definition from Wikipedia in Spanish or, in more detail, in English.

I must admit that I fought against these measures while trying to bypass a restriction that, moreover, wasn't strictly click kidnapping: I was trying to load a popular page (whose name I don't want to remember) in a frame. My intention was to interact with that page from a frame of my own using JavaScript.

However, I ran into several countermeasures designed to prevent exactly that behavior and so preclude the click-kidnapping technique, because that same capability can be abused to take control of the user's click.

I was working out the concept of clickjacking when I found a very good explanation, on a blog I did not know, that I recommend you read because it is clearly explained (in Spanish):

So let's look at the defenses that have been used to prevent this attack.

One possible solution is to use browser add-ons (extensions or plugins) that protect against this attack. The first option is the popular NoScript for Firefox, which lets you define a whitelist of domains you trust to run JavaScript. However, this option does not work for everyone, because of the added complexity and, above all, because it shifts the responsibility to end users, who need not know anything about clickjacking, JavaScript or flux capacitors.

So I take it that this isn't the user's responsibility: the controls must be moved to the server side.

The most popular option has always been to insert your own JavaScript code into the page to hinder this attack as much as possible; these are non-standard, ad-hoc measures built with the best the programmers can do, plus obfuscation of that code. These protections are the target of constant attempts to circumvent them, so on the most popular pages we have seen a real race of measures, counter-measures, counter-counter-measures, and so on.

The following link shows how JavaScript code is developed to prevent a web page from being included within a frame (a "frame buster"), and also how that protection can be bypassed (a "frame-buster buster"): StackOverflow Frame buster buster.

Well, that's where I stood, trying to get my counter-counter-protection-against-frames working and fighting with JavaScript, when I realized that there was a new protection measure that went beyond this cat-and-mouse approach.

And this measure is a simple idea that Microsoft implemented in IE8: a meta tag named X-FRAME-OPTIONS, inserted into the header of the HTML code that doesn't want to be included in a frame. When the browser sees this tag, it understands that the page doesn't want to be included in a frame, and it doesn't load it. This measure soon became a de facto standard, implemented in most browsers.

So the only way to bypass this protection is to modify the user's browser, which rules out a mass attack.

So with this my idea was definitively frustrated, because my intention was to add functionality to that website, not to trick the user into installing an add-on that modifies their browser's behavior; for that purpose it is more ethical, and easier, to write a plugin that provides the desired functionality directly.

Well, this is not a post teaching an attack or audit technique; quite the contrary, it is about how to protect a website, written as a result of not being able to get that "extra functionality".


PS: This post has taken more than 3 months to get out, when my intention was at least monthly. I promise to get my act together, and the next one will be out much sooner; I have several ideas I'm working on.

NOTE: This is a non-automatic translation of the original blog post, written in Spanish. I hope it is understandable; please tell me if you find errors. Thanks a lot!
