Friday, July 8, 2011

Click jacking

Hello Friends.

Today, while I was thinking about what to write, I received an email from one of my friends, Ravi, who wants to know about a few terms related to web development, and I thought of making those terms my blog posts. Thanks to Ravi, he has given me topics for three days; I need not think about what to write. Well, one of those terms is clickjacking. Here I will start by explaining what clickjacking is, how a hacker may take advantage of it and what measures we can take to prevent it.

Definition and Background:

It is sometimes also known as UI redressing or cross-site scripting, since in this technique the UI is redesigned to carry some script code alongside the original code, without the user's knowledge, and can change how a button, link or other HTML element behaves when the undesired script (undesired by the programmer, but desirable to the hacker who is trying to steal information) runs.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. Most often on a clickjacked page, the attacker shows a set of dummy buttons and then loads another page over them as a transparent layer. The users believe they are clicking the visible buttons on the clickjacked page, but they are actually performing actions on the hidden page loaded in the transparent layer. With the help of this hidden page (which can be an authentic page, and if so the attacker) can trick users into performing actions they never intended. There is no way of tracing such actions later, as the user was genuinely authenticated on the other page.


For instance:

- A person receives an email with a link to a video about a news item, but another valid page, maybe a product page on an ecommerce site, can be "hidden" on top of or underneath the "PLAY" button of the news video. When the person tries to "play" the video, s/he is not actually playing the video but rather "buying" the product from that ecommerce website.
- Other known exploits have been:
  - Tricking users into enabling their webcam and microphone through Flash (which has since been corrected by Adobe);
  - Tricking users into making their social networking profile information public;
  - Making users follow someone on Twitter or other known social networks;
  - Sharing links on Facebook (this is quite common these days).

Prevention

Measures can be taken to save your site from these attackers and prevent clickjacking of its pages. We can divide the measures into the following categories:
1. Client-side measures,
2. Server-side measures,
3. Server-side measures needing client support.

Client-side Measures

These measures can be taken by the user at their end.
NoScript

Protection against clickjacking can be added to Mozilla Firefox desktop and mobile versions by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets. According to Google's "Browser Security Handbook", NoScript's ClearClick is "the only freely available product that offers a reasonable degree of protection" against Clickjacking.


Gazelle

Gazelle is a Microsoft Research project: a secure web browser based on IE that uses an operating-system-like security model and has its own limited defenses against clickjacking. In Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.


Server-side

Framekiller

Web site owners (developers) can protect their users against UI redressing (frame-based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources.

But this JavaScript-based protection, unfortunately, is not always reliable. This is especially true in the case of Internet Explorer, where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an <IFRAME SECURITY=restricted> element. So we need something better.

Some websites are under the impression that this very old frame-busting code can prevent clickjacking attacks:

    try {
      // if our hostname differs from the top window's, we have been framed
      if (top.location.hostname != self.location.hostname) throw 1;
    } catch (e) {
      // break out of the frame by navigating the top window to ourselves
      top.location.href = self.location.href;
    }

But no, this is not enough, as we have to take care of other browsers also. Here's a very simple way around it which works in both FF and IE7 (update: a way to work around this prevention follows):

    var prevent_bust = 0;
    // every attempt by the framed page to navigate away bumps the counter
    window.onbeforeunload = function() { prevent_bust++; };
    setInterval(function() {
      if (prevent_bust > 0) {
        prevent_bust -= 2;
        // replace the pending navigation with one the server answers with 204
        window.top.location = 'http://server-which-responds-with-204.com';
      }
    }, 1);

The server only needs to respond with:
                HTTP/1.1 204 No Content

On most browsers a 204 (No Content) HTTP response will do nothing, i.e. you will be left on the current page. But the request attempt will override the previous frame busting attempt, rendering it useless. If the server responds quickly this will be almost invisible to the user.

Update: If the frame-busting code is at the beginning of the page, before any content loads, then even though the frame busting will be prevented, so will the loading of the remainder of the page. This means that your content would be hidden and un-clickjackable (only in FF; see below for IE).

So what can we do to protect our website from clickjacking? Well, I'm not a security expert, but this seems to cover almost all the cases:

First, we can have the page load with all content hidden using CSS, like:

    <body style="display:none" ...>

Followed by some variant of the frame-busting code, but instead of busting, use it to determine whether or not to display your content:

    try {
      // if the top window belongs to another host, stay hidden
      if (top.location.hostname != self.location.hostname)
        throw 1;

      // not framed (or framed by ourselves): reveal the page
      document.body.style.display = 'block';
    } catch (e) {
      // possible clickjack attack, leave content hidden
    }

This covers most of the cases. It covers IE's SECURITY=RESTRICTED, which allows the framing page to turn off scripting for an iframe: if your site is loaded like this, your script will not run and your content will remain hidden (as mentioned above). And it covers a standard clickjacking attack by not displaying your content if it detects that it has been framed. What it doesn't cover is a user who comes to your site with JavaScript disabled (who will see nothing). We can of course present them with a message saying JavaScript is required (using <noscript>). It is irritating, but it seems at this point that is the price we have to pay for clickjacking protection.
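To make the "hide until verified" decision above easy to reason about, here is an added example (not code from the original post) that wraps the same check in a function taking a window-like object, so it can be exercised outside a browser. The fake window objects, hostnames and the `demo()` helper are constructed for illustration; in a real page you would call `revealIfNotFramed(window)` from a script placed right after the `<body style="display:none">` tag. It also shows the case the original snippet handles only implicitly: current browsers throw a SecurityError when a framed page reads `top.location.hostname` across origins, and the catch branch keeps the content hidden in that case too.

```javascript
// Added example, not part of the original post: the "hide until verified"
// check as a function over a window-like object, so the decision can be
// tested without a browser.

function revealIfNotFramed(win) {
  let display = 'none'; // default: stay hidden (fail closed)
  try {
    // Reading top.location.hostname throws in current browsers when the
    // framing page is cross-origin; the catch below treats that exactly
    // like a hostname mismatch.
    if (win.top.location.hostname !== win.self.location.hostname) {
      throw new Error('framed by a different host');
    }
    display = 'block'; // not framed, or framed by our own host
  } catch (e) {
    display = 'none';  // possible clickjacking attempt: leave hidden
  }
  win.document.body.style.display = display;
  return display;
}

// --- constructed stand-ins for browser objects (assumed, for the demo) ---

// A window whose own hostname is selfHost; topWindow defaults to itself,
// which is what an unframed page sees (top === self).
function fakeWindow(selfHost, topWindow) {
  const w = {
    location: { hostname: selfHost },
    document: { body: { style: { display: 'none' } } },
  };
  w.self = w;
  w.top = topWindow || w;
  return w;
}

// A cross-origin top window whose location cannot be read at all, which is
// how modern browsers behave.
function opaqueTop() {
  return {
    get location() { throw new Error('SecurityError: cross-origin access'); },
  };
}

// Runs the check in the four situations that matter and returns the results.
function demo() {
  return {
    unframed: revealIfNotFramed(fakeWindow('example.com')),
    sameHost: revealIfNotFramed(
      fakeWindow('example.com', { location: { hostname: 'example.com' } })),
    otherHost: revealIfNotFramed(
      fakeWindow('example.com', { location: { hostname: 'attacker.example' } })),
    opaqueCrossOrigin: revealIfNotFramed(fakeWindow('example.com', opaqueTop())),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Only the first two situations end with `display: block`; a hostname mismatch and an unreadable top window both leave the page hidden, which is the fail-closed behaviour the text relies on.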

Note: NoScript can protect you from clicking on invisible elements.


Server-side needing client support

X-Frame-Options

On 26 January 2009 Microsoft released RC1 of Internet Explorer 8, which includes a new partial clickjacking prevention option. Web site developers will be able to add a tag in a page header to help detect and prevent frame-based UI redressing. IE 8, according to Microsoft, "will detect sites that insert the tag and give users a new error screen indicating that the content host has chosen not to allow their content to be framed, while giving users the option to open the content in a new window."

Microsoft's suggested solution, which has since also been implemented in Apple's Safari, Firefox and Google's Chrome web browsers, is to check for a new HTTP header, X-Frame-Options. This header can have two values, DENY and SAMEORIGIN, which block any framing or framing by external sites, respectively.
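As an added example (not code from the original post), the following Node.js snippet shows the server-side half of this measure: a helper that attaches the X-Frame-Options header to responses, and a small policy evaluator that models what a supporting browser decides for the two values the post mentions. The `withFrameOptions` wrapper, the origin comparison and the sample URLs are assumptions made for the illustration; browsers compare scheme, host and port as one origin, which is what the evaluator does for SAMEORIGIN.

```javascript
// Added example, not part of the original post: X-Frame-Options on the
// server, plus an evaluator for the browser-side decision.

// Header to send for a page that must never be framed (DENY) or that may
// only be framed by pages from its own origin (SAMEORIGIN).
function frameOptionsHeader(mode) {
  const value = String(mode).toUpperCase();
  if (value !== 'DENY' && value !== 'SAMEORIGIN') {
    throw new Error('unsupported X-Frame-Options value: ' + mode);
  }
  return { 'X-Frame-Options': value };
}

// Origin = scheme + host + port, the unit browsers compare for SAMEORIGIN.
// URL is a Node.js global (available since Node 10).
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Decide whether a document at pageUrl, served with headerValue, may be
// rendered inside a frame owned by the document at framerUrl.
function framingAllowed(headerValue, pageUrl, framerUrl) {
  switch (String(headerValue).toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return originOf(pageUrl) === originOf(framerUrl);
    default:
      // An unrecognised value gives no protection: browsers ignore it.
      return true;
  }
}

// Wrap a Node http request handler so every response carries the header.
// Usage: http.createServer(withFrameOptions('DENY', handler)).listen(8080)
function withFrameOptions(mode, handler) {
  const header = frameOptionsHeader(mode);
  return function (req, res) {
    for (const [name, value] of Object.entries(header)) {
      res.setHeader(name, value);
    }
    handler(req, res);
  };
}

// Demo with constructed URLs and a fake response object; returns the
// header that would be sent and the evaluator's verdicts.
function demo() {
  const sent = {};
  const fakeRes = { setHeader: (n, v) => { sent[n] = v; }, end() {} };
  withFrameOptions('sameorigin', (req, res) => res.end('ok'))({}, fakeRes);
  const page = 'https://shop.example/checkout';
  return {
    headerSent: sent['X-Frame-Options'],
    denyBlocksSelf: framingAllowed('DENY', page, 'https://shop.example/'),
    sameOriginAllowsSelf: framingAllowed('SAMEORIGIN', page, 'https://shop.example/'),
    sameOriginBlocksOther: framingAllowed('SAMEORIGIN', page, 'https://evil.example/'),
    sameOriginBlocksOtherPort: framingAllowed('SAMEORIGIN', page, 'https://shop.example:8443/'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Note that the header only helps in browsers that honour it, which is why the post files it under measures needing client support; pages for older clients still need the script-based check from the previous section.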


If you have or know of a better solution please let me know.


Regards,

Miss Meetu Choudhary

1 comment:

  1. Next Generation Clickjacking
    http://mydotnetdesktop.blogspot.com/2011/07/blackhat-europe-2010-next-generation.html
