Академический Документы
Профессиональный Документы
Культура Документы
Abstract
Web framing attacks such as clickjacking use
iframes to hijack a user’s web session. The most
common defense, called frame busting, prevents
a site from functioning when loaded inside a
frame. We study frame busting practices for the
Alexa Top-500 sites and show that all can be cir-
cumvented in one way or another. Some circum-
ventions are browser-specific while others work
across browsers. We conclude with recommen-
dations for proper frame busting. Figure 1: Visualization of a clickjacking attack
on Twitter’s account deletion page.
1
Our contribution. We begin with a survey of of the Top-500 uses this header. All other sites
frame busting code used by the Alexa Top-500 rely purely on JavaScript for frame busting.
sites which includes a good mixture of banks, so-
cial networks, online merchandise, trading, and
gaming. We also surveyed all top US banks, as
these are obvious high-risk targets for clickjack-
2 A Survey of Frame busting
ing. Section 2 describes the semi-automated tool Code
we used to locate and extract the frame bust-
ing code. Our survey shows that an average of Many of the Top-500 sites contain a significant
3.5 lines of JavaScript was used while the largest amount of JavaScript, some inlined and some
implementation spanned over 25 lines. The ma- dynamically loaded. Manually filtering through
jority of frame busting code was structured as a this code looking for frame busting snippets
conditional block to test for framing followed by can be difficult. This is further exacerbated
a counter-action if framing is detected. by JavaScript obfuscation, predominantly source
code packing, used by many big sites.
% of web site To locate frame busting code we used a Java-
Top 500 14% based browser emulator called HTMLUnit [14].
Top 100 37% As a headless emulator it can be used for limited
Top 10 60% debugging of JavaScript. This gave us the ability
to dynamically frame pages and break at the ac-
Table 1: Frame busting among Alexa-Top sites
tual script used for frame busting. Although this
tool was of great help, some manual labor was
still required to de-obfuscate and trace through
A majority of counter-actions navigate the
packed code. Of the Top-500 sites, many do not
top-frame to the correct page. A few erase
frame bust on their front page. Instead, they
the framed content, most often through a
only frame bust on a login page or on a password
document.write(’ ’). Some use exotic con-
reset page. Some of the manual labor came from
ditionals and counter actions. We describe the
trying to locate an actual a subpage deploying
frame busting code we found in the next sections.
frame busting.
Table 1 summarizes frame busting among Alexa-
Top 500 sites. Clearly frame busting is far from
Popular frame busting code. Most sites
ubiquitous suggesting that clickjacking attacks
we surveyed use frame busting code described
are still overlooked by major web sites.
in Tables 2 and 3. Some sites deploy multiple
The remainder of the paper is organized as counter-actions and conditionals as backup. Five
follow: In Section 2 we describe how we did our sites additionally relied on document.referrer
survey. In Section 3 we turn to attacks on frame to test for framing. More exotic frame busting
busting code. We show that all currently de- code is discussed in Section 4.
ployed code can be circumvented in all major
browsers. We present both known and new tech-
niques. In Section 4 we discuss attacks that tar-
get exotic frame busting code at specific websites 3 Generic Attacks
including social networking and retail sites. In
Section 5 we discuss strategies for safer frame Before discussing more exotic frame busting, we
busting. We also discuss an alternate approach first describe a number of attacks on the basic
to frame busting based on the X-FRAME-OPTIONS methods in Tables 2 and 3. We summarize these
header. Our survey shows that only three sites attacks in Table 4 at the end of the section.
2
Common frame busting code
4
var p r e v e n t b u s t = 0 sub-sets of the JavaScript loaded can is still func-
window . o n b e f o r e u n l o a d = tional (inline or external) and cookies are still
f u n c t i o n ( ) { k i l l b u s t++ } available, this attack is effective for click-jacking.
setInterval ( function () {
i f ( k i l l b u s t > 0) {
k i l l b u s t −= 2 ; Example. Victim frame busting code:
window . top . l o c a t i o n =
’ h t t p : / / no−c o n t e n t −204.com ’ <s c r i p t >
} i f ( top != s e l f ) {
} , 1); top . l o c a t i o n= s e l f . l o c a t i o n ;
<i f r a m e s r c=” h t t p : / /www. v i c t i m . com”> }
</ s c r i p t >
Attacker:
<i f r a m e s r c=
” h t t p : / /www. v i c t i m . com/? v=<s c r i p t > i f ’ ’ >
The XSS filter will match that parameter
<script>if to the beginning of the frame bust-
ing script on the victim and will consequently
disable all inline scripts in the victim page, in-
cluding the frame busting script.
5
the framed page will function properly, suggest- action taking place, thus limiting the useful-
ing that the attack on Google Chrome is more ness of the referrer header for “friendly framing.”
effective than the attack on IE8.
6
IE7 IE8 FF3 Google Chrome 5 Safari 4
JavaScript disabling - Restricted Zone [15] X
JavaScript disabling - Sandbox Attribute X
JavaScript disabling - designMode [22] X X
JavaScript disabling - XSS Filter [20] X X
location clobbering [23] X X
onBeforeUnload - 204 Flushing [7] X X X
parent.location double framing X X X X X
poorly written frame busting X X X X X
7
3.8 Sandbox attribute 4 Site Specific Attacks
Recently, browser vendors have begun stan- While most websites rely on the popular frame-
dardization of Internet Explorer’s proprietary busting code snippets presented in the previous
restricted zone feature in the form of a new sections, some prominent websites choose to de-
sandbox attribute on the iframe tag. This at- velop their own techniques. In this section, we
tribute has been specified in HTML5 [12] and discuss some of the most interesting defenses we
is currently implemented in the Google Chrome found during our survey and present techniques
browser. This feature can be used to disable specifically designed to defeat them.
JavaScript in the same way as the restricted
zone; however, because cookies are delivered in 4.1 Shedding a Ray of Light in the
the subframe, clickjacking attacks can take ad-
Darkness
vantage of existing sessions that the user has es-
tablished. Facebook.com frame-busting approach is radi-
cally different from popular techniques. Instead
of busting out of its the frame, Facebook inserts
3.9 Design mode a gray semi-transparent div that covers all of the
content when a profile page is framed (see Fig-
Stone [22] showed that design mode can be
ure 5(a)). When the user clicks anywhere on the
turned on in the framing page (via docu-
div, Facebook busts out of the frame. This ele-
ment.designMode), disabling JavaScript in top
gant approach allows content to be framed,while
and sub-frame. Again, cookies are delivered to
blocking clickjacking attacks. The vulnerable
the sub-frame. Design mode is currently imple-
version of the code, that was patched after we
mented in Firefox and IE8.
reported the attack to Facebook, used to work
as follows:
3.10 Mobile Sites i f ( top != s e l f ) {
window . document . w r i t e ( ’ ’<d i v s t y l e=
Many of the top sites serve mobile alternatives ’ background : b l a c k ; o p a c i t y : 0 . 5 ;
f i l t e r : alpha ( opacity = 5 0 ) ;
to their main pages. Served at sub-domains
p o s i t i o n : a b s o l u t e ; top : 0px ; l e f t : 0px ;
such as m.example.com or mobile.example.com, width : 9999 px ; h e i g h t : 9999 px ;
these sites often deliver full or significant subsets z−i n d e x : 1000001 ’
of functionality relative to their “real” counter- o n C l i c k= ’ top . l o c a t i o n . h r e f=window . l o c a t i o n . h r e f ’>
</div> ’ ’ ) ;
parts. Unfortunately, most sites who framebust
}
on their primary domain do not framebust their
mobile sites. In fact, we found only one that When framed, the code inserts a black div of
did out of our entire dataset. Only a minimal dimension 9999x9999px with 50 percent opacity
set of sites actually do discretionary rendering positioned at 0, 0. Since all Facebook’s con-
by user-agent, enabling us to frame mobile in- tent except this div is centered in the frame, this
terfaces in all browsers just like we would their framing defense can be defeated by making the
regular site. To make matters worse, many sites enclosing frame sufficiently large so that the cen-
do not differentiate sessions between the regular ter of the frame is outside the dark div area. The
and the mobile site; that is, if you are logged in at content naturally flows to the center of the frame
www.example.com you are also logged in at mo- and is shown to the user without the dark over-
bile.example.com. This enables the attacker to lay.
clickjack the mobile site (on a desktop browser) The framing code is as follows and the result-
and gain control of a fully functional site. ing page is shown in Figure 5(b):
8
(a) Facebook Black Layer (b) Facebook Black Layer removed
9
By design the code allows Myspace to be framed • Problems with multi-domain sites.
by Google images. Google images, however, The current implementation does not allow
does not use frame busting. Consequently, an the webmaster to provide a whitelist of do-
attacker can frame Google images and then mains that are allowed to frame the page.
cause Google images to frame Myspace (e.g. While whitelisting can be dangerous (see the
by issuing a specific Google search query that MySpace example), in some cases a webmas-
leads to a Myspace page). Since Myspace ter might have no choice but to use more
sees a referrer from Google images it does not than one hostname.
attempt to navigate away. The result is shown
• Proxies. Web proxies are notorious for
in Figure 6.
adding and stripping headers. If a web
proxy strips the X-FRAME-OPTIONS header
This example shows that trust relationships in
then the site loses its framing protection.
the context of frame busting can be dangerous.
A partner site that does not frame bust can cause X-FRAME-OPTIONS has been quickly adopted
the trusing page to be framed by an attacker. by browser vendors; every browser except Fire-
fox supports it in the latest version [13], and it
5 Frame busting securely is supported by the NoScript Firefox extension
as well. Adoption by web sites has been slower;
We now turn to defenses and discuss how a web- a recent survey showed that only 4 out of 10,000
site can protect itself from being framed. We first top-sites use it[17]. This observation is consis-
review relevant client-side features and then sug- tent with our finding: we found only three sites
gest a JavaScript-based frame busting approach using it during our survey.
that resists current attacks.
5.2 Content Security Policy
5.1 X-FRAME-OPTIONS Content Security Policy [19] is a Mozilla initia-
Microsoft introduced in Internet Explorer 8 a tive to provide to web developers with a way
specific defense against clickjacking and frame to specify how content interacts on their web
busting called X-FRAME-OPTIONS, an HTTP sites. It is scheduled for deployment in Firefox
header sent on HTTP responses. This header 3.7. As with X-FRAME-OPTIONS, the policy is
can have two different values: DENY and delivered via an HTTP response header. It is
SAMEORIGIN. When DENY is provided, IE 8 will more general than X-FRAME-OPTIONS, allowing
not render the requested site within a frame con- the website owner to enforce other types of
text. If the value SAMEORIGIN is used, IE will content interactions. For example, it allows sites
block the page only if the origin of the top level- to restrict script sources to specific origins.
browsing-context is different from the origin of
the content containing the directive. While this To prevent a site from being framed, a web-
mechanism is highly effective, there are three master can use the frame-ancestors directive
main limitations to this approach: to specify which origins are allowed to embed the
page into a frame or an iframe. Therefore, un-
• Per-page policy specification. The pol- like X-FRAME-OPTIONS the webmaster can spec-
icy needs to be specified for every page, ify third party web sites that are allowed to em-
which can complicate deployment. Provid- bed the iframe. CSP does suffer from the other
ing the ability to enforce it for the entire limitation of X-FRAME-OPTIONS: it does not pro-
site, at login time for instance, could sim- vide a way to enforce a site wide policy. It has
plify adoption. not yet been adopted by sites as it is still in beta.
10
<s t y l e >
body { d i s p l a y : none ; }
</ s t y l e >
<s c r i p t >
i f ( s e l f == top ) {
document . getElementsByTagName ( ” body ” ) [ 0 ] . s t y l e . d i s p l a y = ’ b l o c k ’ ;
} else {
top . l o c a t i o n = s e l f . l o c a t i o n ;
}
</ s c r i p t >
5.3 Using JavaScript the code injected on the top of the page. With
Firefox’s YSlow and Chrome’s Speed Tracer, we
Until X-FRAME-OPTIONS or another browser- were not able to identify any significant decreases
based defense is universally deployed, web sites in render or load time.
that wish to defend against clickjacking have
We emphasize that this code is not proven to
little choice but to use JavaScript. We present
be a secure approach to frame busting. As we
in Figure 7 what we think is currently the best
have shown throughout the paper, many bugs
JavaScript code to defend against framing.
and exploits are available for an attacker to tar-
get JavaScript frame busting, and there are likely
This code works as follows: When the page many more. Our snippet might already be vul-
is loaded, the style sheet hides all content on nerable to unknown attacks. To our knowledge,
the page. If JavaScript is disabled, the page will it is the best current approach. Variants of this
remain blank. Similarly, if the page is framed, approach has been blogged about before [16] [8].
it will either remain blank or it will attempt to
frame bust. If the frame busting code is blocked,
say by hooking the unload event or doing a 204 6 Related Work
flushing attack, the page will remain blank. The
script only reveals the document’s contents if the The first mention of a negative impact of trans-
page is not running in a frame. Note that users parent iframes is a bug report for the Mozzila
who have JavaScript disabled, via browser set- Firefox browser from 2002 [21]. The term click-
ting or NoScript, will not be able to use the site. jacking [10], was coined by Hansen and Gross-
Designers might want to have a fallback mecha- man in 2008. Clickjacking differs from phish-
nism if such is the case. ing [9] because it does not entice the user to en-
In our example the entire page is initially in- ter secret credentials into a fake site. Instead, the
visible, but this defense can be more fine grained user must enter their credentials into the real site
by having sub-elements be invisible instead. This to establish an authenticated session. The attack
way, a user can be presented with a message if can proceed until the user’s session expires.
JavaScript is disabled. However, enabling any Clickjacking can be considered an instance of the
subset of functionality beyond that simple mes- confused deputy problem [5]. The term “con-
sage is not advised. fused deputy” was coined by Hardy in 1988 [11].
We tested a handful of load-heavy sites with Another example of the confused deputy prob-
11
a wide variety of sites. We found that even
sites with advanced clickjacking defenses, such as
Facebook and MySpace, could be defeated using
targeted attacks. After reviewing the available
defenses, we propose a JavaScript-based defense
to use until browser support for a solution such
as X-FRAME-OPTIONS is widely deployed.
Acknowledgments
This work was supported by NSF and an AFOSR
MURI grant.
References
[1] Marco Balduzzi, Manuel Egele, Engin
Figure 6: Because MySpace whitelists Google in Kirda, Davide Balzarotti, and Christopher
the document referrer, an attacker’s site can use Kruegel. A solution for the automated de-
Google Image search to launch clickjacking at- tection of clickjacking attacks. In ASI-
tacks on MySpace. ACCS’10, 2010.
12
[7] coderrr. Preventing frame busting and org/appsecstreetfighter/2009/10/15/
click jacking (ui redressing). http: adoption-of-x-frame-options-header/,
//coderrr.wordpress.com/2009/02/13/ October 2009.
preventing-frame-busting-and-click-
jacking-ui-redressing, 2008. [18] Giorgio Maone. Hello ClearClick,
goodbye clickjacking!, October 2008.
[8] coderrr. Preventing frame busting http://hackademix.net/2008/10/08/
and click jacking (ui redressing), 2009. hello-clearclick-goodbye-clickjacking/.
http://coderrr.wordpress.com/2009/
02/13/preventing-frame-busting-# [19] Mozilla. Secure content policy.
and-click-jacking-ui-redressing/. https://wiki.mozilla.org/Security/CSP/Spec,
March 2010.
[9] Rachna Dhamija and J. D. Tygar. The
battle against phishing: Dynamic security [20] Eduardo Vela Nava and David Lindsay. Our
skins. In SOUPS ’05: Proceedings of the favorite xss filters and how to attack them,
2005 symposium on Usable privacy and se- July 2009.
curity, pages 77–88, 2005. [21] Jesse Ruderman. Bug 154957 - iframe
[10] R. Hansen. Clickjacking. content background defaults to transpar-
http://ha.ckers.org/blog/20080915/clickjacking/. ent. https://bugzilla.mozilla.org/
show_bug.cgi?id=154957, June 2002.
[11] Norm Hardy. The confused deputy. In Op-
[22] Paul Stone. Next generation clickjack-
erating Systems Reviews, 1998.
ing. https://media.blackhat.com/bh-eu-
[12] Ian Hickson et al. HTML5 sandbox 10/presentations/Stone/BlackHat-EU-
attribute, 2010. http://www.whatwg. 2010-Stone-Next-Generation-Clickjacking-
org/specs/web-apps/current-work/ slides.pdf, 2010.
#attr-iframe-sandbox.
[23] Michal Zalewski. Browser security hand-
[13] David Lin-Shung Huang, Mustafa book. http://code.google.com/p/
Acer, Collin Jackson, and Adam browsersec/wiki/Part2#Arbitrary_
Barth. Browserscope security tests. page_mashups_(UI_redressing).
http://www.browserscope.org/.
13