Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Thu, 23 Oct 2008 11:12:32 -0500
Arshan Dabirsiaghi wrote on 10/6/2008 10:37 AM:
> Framebusting across current and legacy browsers is the only
> difficulty here. Here is some code from Giorgio Maone:
>
>> try { if (top.location.host != self.location.host) throw "x"; }
>> catch(e) { window.open(location.protocol + "://" + location.host,
>> "_top") }
>
> Clever code, not sure what the legacy support is but it doesn't look
> to utilize anything new enough to cause problems.
Giorgio offers up something a little simpler here:
-----
<script>if (top != self) top.location = location</script>
http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/
-----
And someone named "Jeremy" had an interesting idea for when JavaScript is disabled: overlay the entire page with a div that covers up the buttons/links/etc:
-----
<noscript><div style="position:absolute;left:0;top:0;z-index:99;width:10000;height:10000;">This page requires JavaScript</div></noscript>
http://ha.ckers.org/blog/20081007/clickjacking-details/#comment-87102
-----
So if you combine those ideas, you end up with:
<script>if (top != self) top.location = location</script>
<noscript><div style="position:absolute;left:0;top:0;z-index:999;width:10000px;height:10000px;background-color:black;color:white;">This page requires JavaScript</div></noscript>
As far as a "quick fix" goes, I think that does a decent job if you accept that non-JavaScript users will not be able to use your site (but even that restriction could be eased using referer, user preferences, etc).
- Bil
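As an added example (not code from this thread, nor from Giorgio or Jeremy), here is the frame-busting decision discussed above factored into a function that takes a window-like object, so the three cases it has to distinguish can be exercised outside a browser; the host names and paths are constructed.

```javascript
// Added example: frame-busting logic as a pure function. In a real page you
// would call frameBustTarget(window) and, if it returns a URL, assign it to
// top.location. Returning null means "leave the page alone".
function frameBustTarget(win) {
  // Not framed at all: top and self are the same window.
  if (win.top === win.self) return null;
  try {
    // Framed by a page on the same host (e.g. your own site embedding its own
    // pages): allowed.
    if (win.top.location.host === win.self.location.host) return null;
  } catch (e) {
    // Cross-origin parent: the browser's same-origin policy refuses to expose
    // the parent's host and throws. That is exactly the "framed by someone
    // else" case, so fall through to busting out.
  }
  // Framed by another origin: navigate the top window to this page's own URL.
  const loc = win.self.location;
  return loc.protocol + '//' + loc.host + loc.pathname;
}

// Constructed window stand-ins (hypothetical hosts) for the three situations.
function makeLocation(host, pathname) {
  return { protocol: 'https:', host: host, pathname: pathname };
}

// Case 1: the page is the top-level document (top === self).
const topLevel = { location: makeLocation('www.example.com', '/transfer') };
topLevel.self = topLevel;
topLevel.top = topLevel;

// Case 2: framed by a page on the same host.
const sameHostTop = { location: makeLocation('www.example.com', '/dashboard') };
const framedSameHost = { location: makeLocation('www.example.com', '/transfer'), top: sameHostTop };
framedSameHost.self = framedSameHost;

// Case 3: framed by another origin. Reading top.location.host throws, as a
// browser would do for a cross-origin parent.
const crossOriginTop = {
  location: { get host() { throw new Error('Permission denied to access property "host"'); } }
};
const framedCrossOrigin = { location: makeLocation('www.example.com', '/transfer'), top: crossOriginTop };
framedCrossOrigin.self = framedCrossOrigin;

console.log(frameBustTarget(topLevel));          // null
console.log(frameBustTarget(framedSameHost));    // null
console.log(frameBustTarget(framedCrossOrigin)); // https://www.example.com/transfer
```

Script-based frame busting is a client-side stopgap; where you control the server's response headers, X-Frame-Options or a CSP frame-ancestors directive is the control to rely on.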
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org