
XFO Timing

This was an interesting realization. I was talking with Jeremiah Grossman the other day and it occurred to me, timing-wise we lucked out with clickjacking. Let me explain.

In 2008 not a lot of companies were protecting themselves from things like CSRF using nonces (one-time tokens). Nonces are the preferred method of protecting websites from CSRF. Of course, if companies don’t use them then they’re vulnerable, so there’s no point in worrying about other exploits until companies start to use nonces. Clickjacking wasn’t a big deal at that time because so few of the big websites had started protecting themselves from CSRF. It was only once banks and social networks integrated anti-CSRF nonces into their applications that clickjacking became a practical attack to circumvent CSRF protection. That’s one of the reasons Jeremiah and I felt it was good timing to release the vulnerability – as more companies switched to anti-CSRF nonces, clickjacking was bound to become a more practical exploit in the coming years – and since then a number of clickjacking worms have been created as a result.

At the time, Internet Explorer introduced something called X-Frame-Options, which prevents attackers from framing your website. It took a while but now it is supported in all major browsers. X-Frame-Options may not be the best security mechanism in the world because there are lots of places it can’t be used without breaking functionality, but in many ways it stopped the attack cold. However, this month an attack called Pixel Perfect Timing was released.

Pixel Perfect Timing relies on a timing attack, some tricky SVG filters, some JavaScript, and an iframe to pull in content that the attacker wants to read cross-domain. It’s a great idea, and the demos are impressive. It completely breaks the same-origin policy. But timing-wise we (the security community) lucked out. For a long time now the companies who care have had X-Frame-Options, and with it a solution to this problem. If Pixel Perfect Timing had been introduced five years ago we’d all be scrambling for a solution. So in some sense, clickjacking research helped lay the groundwork for fixing an exploit that wouldn’t surface for another half a decade. That’s often the way it is with security, but it is interesting nonetheless.
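Since the whole argument rests on sites actually shipping X-Frame-Options, here is a defender's audit check for that header, written as an added example rather than anything from the original post. The header lists it runs over are constructed samples, and the handling of conflicting directives is this checker's own conservative policy, not a browser rule.

```python
# Added example (not from the original post): classify a response's
# X-Frame-Options (XFO) header the way a defender auditing framing protection
# would. All header lists below are constructed, not captured from real sites.
from typing import Iterable, Tuple

# Directives browsers recognise; anything else is ignored, i.e. unprotected.
VALID_DIRECTIVES = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def framing_protection(headers: Iterable[Tuple[str, str]]) -> str:
    """Return 'none', 'deny', 'sameorigin', 'allow-from' or 'invalid'.

    'none' means no XFO header is present, so the page can be framed.
    'invalid' means a header exists but carries an unknown token (which
    browsers ignore) or conflicting directives (handled differently across
    browsers); an audit should flag either as a misconfiguration to fix.
    """
    tokens = []
    for name, value in headers:
        if name.strip().lower() != "x-frame-options":
            continue
        # A proxy may merge duplicate headers into "DENY, SAMEORIGIN";
        # split on commas so each directive is examined separately.
        tokens += [p.strip().upper() for p in value.split(",") if p.strip()]
    if not tokens:
        return "none"
    directives = set()
    for token in tokens:
        words = token.split()          # ALLOW-FROM is followed by a URI
        if words[0] not in VALID_DIRECTIVES:
            return "invalid"
        if words[0] == "ALLOW-FROM" and len(words) != 2:
            return "invalid"           # ALLOW-FROM with no URI is meaningless
        directives.add(words[0])
    if len(directives) != 1:
        return "invalid"               # conflicting directives: flag it
    return directives.pop().lower()

# Constructed sample responses, one header list per case.
SAMPLES = {
    "protected_bank": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "lowercase_header": [("x-frame-options", "sameorigin")],
    "merged_by_proxy": [("X-Frame-Options", "DENY, SAMEORIGIN")],
    "typo_in_value": [("X-Frame-Options", "SAME-ORIGIN")],
    "no_header": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:17} -> {framing_protection(hdrs)}")
```

Only 'deny' and 'sameorigin' (or 'allow-from' with a URI) mean a framing-based attack like the ones discussed above is blocked; everything else is a finding.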