Clickjacking Prevention in Java

What is it and why should I care?
Clickjacking is a type of “Web framing” or “UI redressing” attack. In practice, that means:

1. Users (victims) are shown an innocuous, but enticing Web page (watching an online video is a good example)
2. Another Web page, which usually does something important (think “adding friends onto your social network”), is layered on top of the first page and set to be transparent
3. When users click on the Web page they see (the online video), they are actually clicking on the higher layered (framed) page that is transparent

This attack is clever, and there are some interesting specifics in its actual execution (for more detailed information, see the references at the end of this post). However, here I’m concerned only with preventing the attack.

What should I do about it?

There is still no perfect answer on how to prevent clickjacking, but things are getting better, especially as users upgrade to more modern browsers. Currently, prevention is based on a two-fold recommendation:

1. Use the X-Frame-Options HTTP header
2. Include framebusting code

The HTTP header is the more robust solution, although it requires a relatively modern browser. Fortunately, more users are slowly moving towards using modern browsers, so the situation is improving just because of that fact.
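As an added example (not code from the original post), here is one way to apply the header recommendation in a Java web application: a servlet filter that stamps X-Frame-Options onto every response so that no individual page has to remember to do it. The class name ClickjackFilter and the init parameter name "mode" are my own choices, not anything prescribed by the servlet specification.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds X-Frame-Options to every response. Map it to "/*" in web.xml and
 * optionally pass an init-param named "mode" with DENY or SAMEORIGIN
 * (the filter class name and param name are this example's own choices).
 */
public class ClickjackFilter implements Filter {

    private static final String HEADER = "X-Frame-Options";

    // DENY is the stricter default; SAMEORIGIN is for applications that
    // legitimately frame their own pages.
    private String mode = "DENY";

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("mode");
        if (configured != null) {
            configured = configured.trim().toUpperCase();
            // Only the two values browsers understand are accepted, so a typo
            // in web.xml fails at startup instead of silently removing protection.
            if (!"DENY".equals(configured) && !"SAMEORIGIN".equals(configured)) {
                throw new ServletException("Invalid X-Frame-Options mode: " + configured);
            }
            mode = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Set the header before handing off, so it is present before any
        // downstream servlet commits the response (headers cannot be added after that).
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).setHeader(HEADER, mode);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```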

As for the framebusting recommendation, even though it is breakable, it should still be done. It certainly raises the bar against a successful attack. And while there are many options for framebusting code, I recommend a paper that the folks at Stanford put together on framebusting: http://seclab.stanford.edu/websec/framebusting/. In the paper, they have evaluated the current code in the wild, and then showed ways to break it. They have also proposed their own solution in the paper. Rather than including the code here, you can find it at the top of page 11 of the Stanford group’s PDF. The basic idea of their solution is to do both of the following:

1. Use the style sheet to disable display for the entire body of the page, and
2. Use JavaScript to either enable the display if not framed, or to bust out of the frame if framed

Eventually this solution will probably be broken (if it’s not been broken already), but it appears to be the best solution that we have today.

Unfortunately, Clickjacking is a less-than-straightforward issue to resolve, but by combining a couple of different approaches you can overcome the problem with a fair amount of robustness.

Note: The Stanford approach does not adequately support IE in all instances – here’s a post explaining the solution.

References
https://www.owasp.org/index.php/Clickjacking
http://seclab.stanford.edu/websec/framebusting/
http://michael-coates.blogspot.com/2010/08/x-frame-option-support-in-firefox.html
https://www.codemagi.com/blog/post/194


About johnmelton

John Melton is a Senior Application Security Researcher at WhiteHat Security. He is the lead of the Sentinel Source Java engine and RulePack R&D. Prior to joining WhiteHat Security, Melton worked both in software development and security engineering. Melton also volunteers his time to the Open Web Application Security Project (OWASP). Melton led the development of the AppSensor project while also contributing to ESAPI and several guides. When not working, John enjoys spending time with his wife and twin sons.