March 12, 2010

Does Your Browser Prevent Clickjacking?

Clickjacking is a relatively new Web exploit that has gained some additional attention in recent days thanks to Microsoft's IE8 browser.

One of the features in IE 8 Release Candidate 1 is technology that is supposed to help prevent Clickjacking.

The claim has one of the principal discoverers of Clickjacking raising some questions about the problem and how browsers can prevent it.

While Clickjacking attacks have not yet been widely reported in the wild, the attack vector represents an area of risk for Web security. With Clickjacking, a user inadvertently clicks on a hidden item when they think they are actually clicking on a legitimate button. The IE 8 Clickjacking protection uses an approach that is intended to prevent a hidden button from appearing inside of a Frame element on a Web page.

"It's incremental," Jeremiah Grossman, founder of WhiteHat Security, told InternetNews.com. "While the feature provides Web developers a javascript-less opt-in option, unfortunately users have no way to defend themselves. The solution also isn't cross-platform at this point."

Grossman is credited as one of the researchers who discovered the Clickjacking attack vector. In November, he co-hosted a Black Hat webinar with Microsoft Program Manager Eric Lawrence on the topic of Clickjacking. According to Grossman, after the conference, and several conversations with the IE Security team, he felt that Microsoft's team had a solid understanding of Clickjacking.

"From that point it was up to them to figure out safeguards," Grossman said.

Microsoft's Lawrence posted a blog entry on Tuesday describing how IE 8 implements safeguards against Clickjacking. The core of IE 8's Clickjacking protection revolves around enabling Web developers to specify which content on their site can't be broken out and framed by another site. It's a technique known as frame-busting, and developers can also implement it with JavaScript code on their sites that restricts frame usage. The IE 8 approach is a different method for frame busting.

"Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed," Lawrence blogged. "If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame."

The general idea is that if Web site developers block their content from being framed by another site, it cannot be used as part of a clickjacking attack. A Clickjacker could potentially take a login element from one site and hide it under a different element on a different site.
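As an added example (not from the article or from Microsoft), this Python code applies the opt-in Lawrence describes on the server side and checks that it is present. The WSGI wrapper, the sample application and all function names are hypothetical.

```python
def deny_framing(app):
    """Wrap a WSGI app so every HTML response carries X-Frame-Options: DENY."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            names = {k.lower(): v for k, v in headers}
            is_html = names.get("content-type", "").lower().startswith("text/html")
            # Only add the header when the app has not set its own policy.
            if is_html and "x-frame-options" not in names:
                headers = list(headers) + [("X-Frame-Options", "DENY")]
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def framing_denied(headers):
    """Return True if the response headers carry the DENY token."""
    for name, value in headers:
        # Header names and the DENY token are matched case-insensitively.
        if name.lower() == "x-frame-options":
            return value.strip().upper() == "DENY"
    return False


def fetch_headers(app, path="/"):
    """Call a WSGI app in-process and return the headers it sent."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    b"".join(app(environ, start_response))
    return captured["headers"]


# Constructed sample application: one HTML page and one JSON endpoint.
def demo_app(environ, start_response):
    if environ["PATH_INFO"] == "/api":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<form action='/login' method='post'></form>"]


if __name__ == "__main__":
    for path in ("/", "/api"):
        print(path, framing_denied(fetch_headers(deny_framing(demo_app), path)))
```

The same `framing_denied` check can be run over headers captured from a real site to audit which HTML pages still allow framing.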

A Feature For All Browsers?

In Grossman's view, anti-clickjacking approaches should be a standing browser feature, despite some hurdles that this may present.

"The challenge here for the browser vendors isn't so much the motivation to do something about clickjacking, but more trying to figure out what exactly TO do," Grossman argued.

"It's an extremely difficult problem to solve effectively. The Firefox plugin NoScript has shown powerful security features are possible to add, however it's unclear if the non-power user populace will embrace some additional inconvenience for security."

This article was first published on InternetNews.com.
