Sla.ckers.org
Q and A for any cross site scripting information. Feel free to ask away. 
Clickjacking Prevention
Posted by: p0deje
Date: November 16, 2009 11:10PM

Hello, slackers.

Imagine we have some CMS that is vulnerable to Clickjacking. The SecTeam doesn't want to patch it, because they regard this vulnerability as the browsers'. Yep, I agree that Clickjacking prevention shouldn't be applied to the CMS at all by default, because some sites need to be framed in certain ways. That's why I've decided to develop a module that would optionally add such protection. I've started googling, and these are the prevention methods I've found:

1. Frame-killers. E.g. from OWASP
<script>if (top!=self) top.location.href=self.location.href</script>
2. Usage of X-FRAME-OPTIONS Header

Will these two methods be enough to prevent the website from clickjacking? Isn't there any way to bypass OWASP's frame-killer? Maybe there are more secure and cross-browser variants?

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: ma1
Date: November 17, 2009 07:33AM

> 1. Frame-killers. E.g. from OWASP
> if (top!=self)
> top.location.href=self.location.href

This one can be easily circumvented. Better

if (top != self) location = "about:blank";

> 2. Usage of X-FRAME-OPTIONS Header

You MUST use both, because Javascript framebusters are even more fragile in browsers which implement X-Frame-Options (it's not a coincidence).

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Clickjacking Prevention
Posted by: sirdarckcat
Date: November 17, 2009 09:03AM

I prefer:
<html>
<script>
if(top==self)document.write("<!"+"--");
</script>
<style>body{display:none;}</style>
<noscript><body style=display:block>
optional:
<div style="background-color:red;position:fixed;top:0px;left:0px;height:100%;width:100%">YOU NEED JS TO SEE THIS PAGE</div>
</noscript>
<!--code by dross-->
<body>
this content is unframable.
</body>
</html>

so, if the attacker disables the script selectively (with the XSS filter, for example), then the whole page is hidden.
if the attacker disables all the scripting content in the page (with security="restricted"), then an optional big red warning appears.
if the attacker frames the page directly, then a white page appears.

anyway.. hahaha

Greetings!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Clickjacking Prevention
Posted by: rvdh
Date: November 18, 2009 12:33AM

We need to promote that header some more.

Header always append X-Frame-Options SAMEORIGIN

Re: Clickjacking Prevention
Posted by: p0deje
Date: November 20, 2009 07:30AM

I've found one more framebusting code:
if(self.parent.frames.length!=0) self.parent.location = "about:blank"
what do you say?

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: Nytro
Date: November 20, 2009 08:22AM

So you want to prevent your page from being <iframe>d into another webpage, no?
Very simple, using PHP. Just check if the referrer is your website. :)
Sorry if I didn't get the idea...

Re: Clickjacking Prevention
Posted by: p0deje
Date: November 20, 2009 10:04AM

Nytro Wrote:
-------------------------------------------------------
> So you want to prevent your page from being <iframe>d into
> another webpage, no?
> Very simple, using PHP. Just check if the referrer
> is your website. :)
> Sorry if I didn't get the idea...

You know that the Referrer is not hard to fake.
But, additionally, such checking should be added - thanks, how could I forget! :)

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: Nytro
Date: November 20, 2009 12:39PM

Hmmm. Practically, I don't think you can do anything to be 100% sure that your page is not iframed...

Re: Clickjacking Prevention
Posted by: p0deje
Date: November 21, 2009 09:57AM

But I can reduce the risks of such attack by 90%.

So, finally, there are three points:
1. Use framebuster + <noscript>
2. Use X-FRAME-OPTIONS
3. Check referrer

Is there anything else?

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: sirdarckcat
Date: November 22, 2009 09:18AM

1.- referrer is useless.
2.- framebusters can be busted.. so don't do the top.location="" stuff.. it's better to do the if(top===self)document.write(); stuff..
3.- X-FRAME-OPTIONS is supported by noscript+safari+chrome+ie8.. it's the best way to go.
4.- don't bother checking the referrer.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Clickjacking Prevention
Posted by: brol
Date: November 24, 2009 06:10AM

> framebusters can be busted

What about:

<style>body{display:none}</style>
<script type=text/javascript>
if(top==self)
document.write('<style>body{display:block}</style>')
</script>
<noscript><style>body{display:block}</style></noscript>

Re: Clickjacking Prevention
Posted by: sirdarckcat
Date: November 24, 2009 10:07AM

frame busters are where you use..
top.location="stuff"

if you only do comparisons it should be safe.. I think safari is the only one that had a bug that allowed you to rename top..

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Clickjacking Prevention
Posted by: p0deje
Date: November 24, 2009 11:44AM

@sirdarkcat

why not use this
if (top != self) location = "about:blank"
how can it be busted?

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: sirdarckcat
Date: November 25, 2009 01:49AM

it can be disabled on IE and WebKit using the XSS Filter.

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Clickjacking Prevention
Posted by: p0deje
Date: January 11, 2010 12:06PM

okay, but let's imagine that the website we use should be allowed to be iframed
1. X-Frame-Options will be useless
2. (top === self) document.write() will be useless

i guess such style will be enough to prevent from clickjacking
iframe {
    filter: alpha(opacity=100) !important;
    opacity: 1 !important;
}

but will this be enough to prevent UI redressing? because UI redressing doesn't require a transparent iframe in some cases, an attacker can just use a properly resized iframe

so, are there any ways to prevent UI redressing for a site that should be allowed to be iframed?

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: Gareth Heyes
Date: January 11, 2010 01:05PM

It ain't just iframe:-

<object data=//google.com type=text/html></object>

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Clickjacking Prevention
Posted by: p0deje
Date: January 11, 2010 03:15PM

So, I need to add <iframe>, <frame>, <object>, <embed> to CSS
Anything else?

---------
http://p0deje.blogspot.com



Edited 2 time(s). Last edit at 01/11/2010 03:25PM by p0deje.

Re: Clickjacking Prevention
Posted by: rvdh
Date: January 12, 2010 06:36AM

This is fun too, iframe hijaxing on focus bubbling. Last loaded = first focused ;-)

<iframe name="F1" src="http://google.com" style="position:absolute; top:58;  left:90; z-index:3" scrolling="no">
</iframe>
<iframe name="F2" src="http://google.com" style="position:absolute; top:60; left:90; z-index:2" scrolling="no">
</iframe>

To see what happens, shift the frame a few pixels up:

<iframe name="F1" src="http://google.com" style="position:absolute; top:45; left:90; z-index:3" scrolling="no">
</iframe>
<iframe name="F2" src="http://google.com" style="position:absolute; top:60; left:90; z-index:2" scrolling="no">
</iframe>



Edited 2 time(s). Last edit at 01/12/2010 06:42AM by rvdh.

Re: Clickjacking Prevention
Posted by: p0deje
Date: January 12, 2010 07:14AM

So, even if our "protected" website makes iframes non-transparent, an attacker can still override it with another colored frame and text like "Simply hit the Enter button!"
cool :)

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: rvdh
Date: January 12, 2010 07:28AM

Yeah, or simply ask the user to use that so "user-friendly" TAB key, which activates a link, button or something else with htmlFor, in the frame below.

Making it opaque doesn't solve it; there are probably more ways to circumvent it.



Edited 1 time(s). Last edit at 01/12/2010 07:30AM by rvdh.

Re: Clickjacking Prevention
Posted by: p0deje
Date: January 12, 2010 07:58AM

so such CSS
iframe, frame, object, embed {
    filter: alpha(opacity=100) !important;
    opacity: 1 !important;
    z-index: 999999 !important;
}
will be okay in most cases if our site allows users to post <iframe> tags
but the CSS won't work if we are iframed by another site

isn't there any way to allow a site to be iframed and prevent most clickjacking vectors?

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: ma1
Date: January 12, 2010 08:23AM

> isn't there any way to allow a site to be iframed and
> prevent most clickjacking vectors?

if you mean "iframed by a 3rd, possibly hostile party", the answer is no, you're doomed.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Clickjacking Prevention
Posted by: Gareth Heyes
Date: January 12, 2010 08:46AM

@p0deje

You could do a user-defined browser stylesheet, but your rules could be bypassed by using more specific selectors

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Clickjacking Prevention
Posted by: p0deje
Date: January 12, 2010 09:34AM

@Gareth Heyes

User-defined CSS is the one that I place within my browser, isn't it?
Then it's not the thing I'm looking for, because I want protection within the website, regardless of the end user's machine

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: Gareth Heyes
Date: January 12, 2010 09:40AM

But as ma1 said the frame isn't coming from your website

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Clickjacking Prevention
Posted by: rvdh
Date: January 12, 2010 10:42AM

@p0deje

remember that it is all rendered in the user's client, and unless your code is insecure and renders user-supplied markup that will be executed on the client, you cannot protect them from it server-side.

Re: Clickjacking Prevention
Posted by: p0deje
Date: January 12, 2010 02:21PM

Okay, here is the current behavior of the module

1. Support of X-Frame-Options. Admin can set it to SameOrigin or Deny, or disable it. Default is SameOrigin. This is the most comfortable way and would be the best if Opera, Firefox (by default) and IE7 supported it.

2. JS+CSS trick, shown me by sirdarckcat
<script>
if (top === self) {
  document.write("<!--");
}
</script>
<style>
body {
  display: none; 
}
</style>
<!-- stop document writing -->
It's disabled by default, cause it's gonna break a lot of other modules which use iframes.

3. More robust clickjane.css
iframe, frame, object, embed {
    filter: alpha(opacity=100) !important; /* for IE */
    opacity: 1 !important; /* for non-IE browsers */
    z-index: 999 !important; /* in most cases prevents "last loaded - first focused" behavior */
}
Disabled by default and should only be enabled if website allows users to post content with specified tags. This (surely non-100% guarantee) will protect from clickjacking within website.

I'm actually not quite sure about the last one, maybe it's useless?
Anyway, the 1st variant is the best way, the 2nd is a hard way. I hope it's supposed to be secure code, enough for defense from clickjacking. Am I wrong?

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: p0deje
Date: March 01, 2010 09:29AM

http://p0deje.blogspot.com/2010/03/safeclick-testing-review.html

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: p0deje
Date: March 05, 2010 06:45AM

thanks to everybody, the module was released
http://drupal.org/project/safeclick

---------
http://p0deje.blogspot.com

Re: Clickjacking Prevention
Posted by: sirdarckcat
Date: March 05, 2010 11:28PM

note that you can also disable the stylesheet via the XSS filter, but if you add the HTTP header it should be fine

have you tested the comment tricks on all browsers? I was afraid that some browsers may want to close it, so I opted for using <xmp> instead..

Greetings!!

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat
