This is part 2 in the series on Clickjacking. Read part 1 of this series here.
Why does this Matter?
While the Facebook attack shown in our previous blog entry is more of a nuisance, it still illustrates the potential danger of clickjacking within the context of social networks. This attack demonstrates how a smart attacker can use social channels to spread malware by spoofing trusted users within the social group. More importantly, attacks of this sort can quickly morph into more serious attacks when combined with more sophisticated techniques such as Cross-Site Request Forgery (CSRF) or password-stealing Trojans. Imagine an attacker injecting a clickjacking script onto a legitimate Web site that tricks the user into submitting a forged request. Because the action is generated by the victim during a valid session, it is extremely difficult for the application to detect that the request was spoofed.
Clickjacking Prevention Must Start at the Client Browser
- Mozilla Firefox has a NoScript Add-On that helps prevent scripting from untrusted domains
- Microsoft IE, Apple Safari, and Google Chrome have implemented an HTTP response header, X-Frame-Options, that lets the host application specify whether its pages may be framed.
While these are a step in the right direction, it will take some time before they solve the clickjacking problem, due to slow adoption and/or patching by developers and the general public.
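As an added example that is not part of the original post (nor code from any of the browser vendors named), the Python below builds the anti-framing headers an application should send and checks whether a given set of response headers would let a page be framed from a given origin. It goes beyond the post by also handling the Content-Security-Policy frame-ancestors directive, which modern browsers honour in preference to X-Frame-Options; the origins used in the checks are constructed.

```python
from urllib.parse import urlsplit

def antiframing_headers(allowed_ancestor=None):
    """Headers an app should send: deny all framing, or allow one trusted origin."""
    if allowed_ancestor is None:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    # X-Frame-Options cannot name a third-party origin; CSP carries the allow-list.
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": f"frame-ancestors 'self' {allowed_ancestor}"}

def _source_matches(source, top_origin):
    """Match one frame-ancestors source expression against the framing origin."""
    src = source.strip().strip("'").lower()
    top = urlsplit(top_origin.lower())
    if src == "none":
        return False
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-only source such as https:
        return top.scheme == src[:-1]
    if "://" not in src:  # host-only source inherits the page's scheme
        src = top.scheme + "://" + src
    anc = urlsplit(src)
    host = anc.hostname or ""
    host_ok = host == top.hostname or (
        host.startswith("*.") and (top.hostname or "").endswith(host[1:]))
    return anc.scheme == top.scheme and host_ok and anc.port == top.port

def framing_allowed(headers, page_origin, top_origin):
    """True if a browser would render the page inside a frame on top_origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    same_origin = page_origin.lower() == top_origin.lower()
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # CSP frame-ancestors takes precedence over X-Frame-Options.
            sources = value.split()
            if "'self'" in sources and same_origin:
                return True
            return any(_source_matches(s, top_origin)
                       for s in sources if s.lower() != "'self'")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True  # no or unrecognised header: the page can be framed anywhere
```

Run `framing_allowed` over the headers of your own login and form pages with an untrusted origin as `top_origin`; any page that returns True is still exposed to clickjacking.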
Server-Side Solutions that Can Limit the Risk of Clickjacking
Until all browsers fix clickjacking vulnerabilities, organizations need to focus on prevention and mitigation. Some steps that can be taken to prevent clickjacking:
1. Install a Spam & Virus Firewall: Clickjacking starts by tricking users into visiting compromised sites. One major attack vector is spam or spoofed emails. Blocking spam is key to stopping clickjacking at the source.
2. Filter Web Traffic and Block Malicious Sites: Web Filters can block users from accessing dangerous sites that may contain clickjacking techniques.
3. Protect your Web Applications from Clickjacking Scripts: Web Application Firewalls can scrub all content for malicious scripts and deny attackers the ability to inject clickjacking scripts onto your Web site.
4. Protect your Web Application Forms: Web Application Firewalls can inject nonces (one-time tokens) into HTTP forms to limit exposure to unsolicited form submissions launched by clickjacking attempts. Application Firewalls can also validate form parameter inputs to prevent malicious input from being sent to the Web Servers.
5. Periodically Log Out Users: Web applications that keep users logged in (like Facebook) are vulnerable to forged requests launched by clickjacking. Users should be periodically logged out to limit the window of exposure.
Clickjacking is a challenging client-side vulnerability that needs to be solved by the Web Browser platforms. The major Web platform vendors are already working on clickjacking solutions, and organizations must ensure that their users install the latest patches as they are released. Finally, organizations can limit the scope of damage and the window of opportunity for clickjacking by applying preventative countermeasures through the use of Web Application Firewalls, Spam & Virus Firewalls, and/or Web Filters.