Clickjacking Attacks

It is widely accepted that the framebusting mechanism embed in browsers helps websites in preventing clickjacking attacks. Michal Zalewski, Web security researcher and Google security engineer, released proof-of-concept code In order to demonstrate the contrary.

User interface redressing or clickjacking is a type of attack. Its purpose is to make users to perform unauthorized actions. Meanwhile, the content displayed in users’ browsers is misrepresented.

Clickjacking uses legitimate Web programming techniques to achieve a malicious purpose. This is the most serious obstacle when block or detect clickjacking attack. CSS code is mostly used with implementations. This makes content loaded in an iframe invisible. CSS code is superimposed on a legitimate-looking element.

This technique was used in Facebook attacks. The Like button was made invisible and users were tricked into liking spam pages pressing another button that was placed on top and performed something else.

Such attacks could be successfully prevented via usage of JavaScript code. This helped to block websites from being loaded in iframes. This protection type is known as framebusting.

X-Frame-Options is a special HTTP header that was implemented over time by browser vendors. Being used by websites it can “inform” browsers not to load these or those pages into external iframes. Nevertheless, the security researcher is sure in inefficiency of this protection. He has developed a proof-of-concept to prove it.

Zalewski confirms that there exist other solutions at struggle with clickjacking attacks. They are more complicated and not so popular with browser vendors therefore.

Among popular solutions is the security extension for Firefox called NoScript. It detects and block clickjacking attacks good. Nevertheless, its false-positive rate is high. It is not a great challenge because the add-on was designed for power users mostly.

So, it is obvious that vendors are not likely to implement something like this into a browser. 

GetAV.org