Web Application Security

Clickjacking Prevention in Java

What is it and why should I care?

Clickjacking is a type of “Web framing” or “UI redressing” attack. In practice, that means:

1. Users (victims) are shown an innocuous, but enticing Web page (watching an online video is a good example).
2. Another Web page, which usually does something important (think “adding friends onto your social network”), is layered on top of the first page and set to be transparent.
3. When users click on the Web page they see (the online video), they are actually clicking on the higher layered (framed) page that is transparent.

This attack is clever, and there are some interesting specifics in its actual execution (for more detailed information, see the references at the end of this post). However, here I’m concerned only with preventing the attack.

What should I do about it?

There is still no perfect answer on clickjacking prevention, but things are getting better, especially as users upgrade to more modern browsers. Currently, prevention is based on a two-fold recommendation:

1. Use the X-Frame-Options HTTP header
2. Include framebusting code

The HTTP header is the more robust solution, although it requires a relatively modern browser. Fortunately, more users are slowly moving towards using modern browsers, so the situation is improving just because of that fact.

As for the framebusting recommendation, even though it is breakable, it should still be done. It certainly raises the bar against a successful attack. And while there are many options for framebusting code, I recommend a paper that the folks at Stanford put together on framebusting: http://seclab.stanford.edu/websec/framebusting/. In the paper, they have evaluated the current code in the wild, and then showed ways to break it. They have also proposed their own solution in the paper. Rather than including the code here, you can find it at the top of page 11 of the Stanford group’s PDF.
The basic idea of their solution is to both:

1) use the style sheet to disable display for the entire body of the page, and
2) use JavaScript to either enable the display if not framed, or to bust out of the frame if framed

Eventually this solution will probably be broken (if it’s not been broken already), but it appears to be the best solution that we have today.

Unfortunately, clickjacking prevention is a less-than-straightforward issue to resolve, but by combining a couple of different approaches you can overcome the problem with a fair amount of robustness.

Note: The Stanford approach does not adequately support IE in all instances – here’s a post explaining the clickjacking prevention solution.

References

https://www.owasp.org/index.php/Clickjacking
http://seclab.stanford.edu/websec/framebusting/
http://michael-coates.blogspot.com/2010/08/x-frame-option-support-in-firefox.html
https://www.codemagi.com/blog/post/194
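
As an added example (not code from the original post), here is one way to send the X-Frame-Options header recommended above from a Java web application: a servlet filter that sets it on every response. It assumes the javax.servlet API is on the classpath; the class name and the "mode" init-param are hypothetical names chosen for this example.

```java
// Added example. Assumes the javax.servlet API (Servlet 2.5 or later).
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class XFrameOptionsFilter implements Filter {
    // The two widely supported values: DENY forbids all framing,
    // SAMEORIGIN allows framing only by pages from the same origin.
    private static final List<String> ALLOWED = Arrays.asList("DENY", "SAMEORIGIN");
    private String mode = "DENY"; // strictest setting unless configured otherwise

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "mode" is a hypothetical init-param name chosen for this example.
        String configured = config.getInitParameter("mode");
        if (configured != null) {
            String value = configured.trim().toUpperCase(Locale.ROOT);
            if (!ALLOWED.contains(value)) {
                // Fail at deployment rather than silently serving frameable pages.
                throw new ServletException("Unsupported X-Frame-Options mode: " + configured);
            }
            mode = value;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set before the chain runs: once the response is committed,
            // headers can no longer be added.
            ((HttpServletResponse) res).setHeader("X-Frame-Options", mode);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { /* no resources to release */ }
}
```

Map the filter to /* in web.xml so that every page, including error pages and redirects served by the application, carries the header.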