Presentations‎ > ‎

Clickjacking Protection Under Non-trivial Circumstances




Since being introduced by Robert Hansen and Jeremiah Grossman in 2008 [1], the Web attacks which are summarized under the term "Clickjacking" have received considerable attention. In consequence, server-driven countermeasures, namely framebusting [2] and the X-frames option header [3] have been developed and deployed. However, these currently available countermeasures fall short in non-trivial situations. All currently utilized techniques have in common, that they rely on the prevention of framing. This is problematic, as there a numerous situations, in which sites have to enable other sites to frame their content (e.g., mash-up components or Web widgets). Furthermore, Hunag & Jackson [4] have demonstrated that similar attacks can also be conducted using pop-under windows. Also, Zalewski did the same using an attack vector based on page-navigation [5].

In this talk, we will present a novel clickjacking countermeasure, that

  • can be used by sites that have to allow to be framed
  • and protects against pop-under and navigation-based clickjacking attacks.
In addition, we will present:
  • a currently unfixed shortcoming in the implementation of the X-Frames header, which leaves sites relying on this protection measure vulnerable under certain circumstances
  • an empirical study on the top 5.000 Alexa sites, in respect to their susceptibility to the identified weakness.

[1] Robert Hansen, Jeremiah Grossman, “Clickjacking,” Dec. 2008. [Online].
[2] G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson, “Busting frame busting: a study of clickjacking vulnerabilities at popular sites,” in in IEEE Oakland Web 2.0 Security and  Privacy (W2SP 2010), 2010.
[3] Mozilla Corporation, “The X-Frame-Options response header”, 2010. [Online].
[4] Lin-Shung Huang and Collin Jackson, "Clickjacking Attacks Unresolved", 2011, [Online].
[5] Michael Zalewski, "X-Frame-Options is worth less than you think", 2011, [Online].