[Owasp-leaders] Clickjacking Cheat Sheet

Colin Watson colin.watson at owasp.org
Wed Nov 28 08:13:41 UTC 2012


Jim

This is a very welcome addition to the cheat sheet series. It may be
worth referencing the following papers for further reading:

   Clickjacking Attacks Unresolved
   https://docs.google.com/document/pub?id=1hVcxPeCidZrM5acFH9ZoTYzg1D0VjkG3BDW_oUdn5qc

   Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
   http://seclab.stanford.edu/websec/framebusting/framebust.pdf

Regarding "Defending legacy browsers", the example code requires the
use of inline JavaScript. This might not be compatible with a more
robust Content Security Policy header. I have used a linked JS file in
the header, e.g.

   <script src="/resources/scripts/site.js" type="text/javascript"></script>

and in that file use the init() function to call something similar to
what is already presented. I don't suggest the following is optimal, or
currently matched to recent browsers. This dynamically adds the
"hidden" style as a header, and then changes that. It relies on the
timing of the page init event.

= /resources/scripts/site.js ==============

function start() {
    // Load the stylesheet that hides the whole document (html { visibility:hidden })
    var fileref = document.createElement("link");
    fileref.setAttribute("rel", "stylesheet");
    fileref.setAttribute("type", "text/css");
    fileref.setAttribute("href", "/resources/styles/noframe.css");
    document.getElementsByTagName("head")[0].appendChild(fileref);

    if (self == top) {
        // Not framed: the inline style overrides the stylesheet and reveals the page
        document.documentElement.style.visibility = 'visible';
    } else {
        // Framed: leave the page hidden and navigate the top window to ourselves
        top.location = self.location;
    }
}


function init() {
    // quit if this function has already been called
    if (arguments.callee.done) return;

    // flag this function so we don't do the same thing twice
    arguments.callee.done = true;

    // kill the timer
    if (_timer) clearInterval(_timer);

    // do stuff
    start();
}

/* for Mozilla/Opera9 */
if (document.addEventListener) {
    document.addEventListener("DOMContentLoaded", init, false);
}

/* for Internet Explorer */
/*@cc_on @*/
/*@if (@_win32)
	document.write('<script id="__ie_onload" defer src=""><\/script>');
    var script = document.getElementById('__ie_onload');
    script.onreadystatechange = function() {
        if (this.readyState == "complete") {
            init(); // call the onload handler
        }
    };
/*@end @*/

/* for Safari */
if (/WebKit/i.test(navigator.userAgent)) { // sniff
    var _timer = setInterval(function() {
        if (/loaded|complete/.test(document.readyState)) {
            init(); // call the onload handler
        }
    }, 10);
}

/* for other browsers */
window.onload = init;

= /resources/styles/noframe.css ==============

html {
	visibility:hidden;
}

=======================================

And I think it may not be compatible with a strict CSP header
implemented as "X-WebKit-CSP" in Chrome & Safari. I am sure this could
be improved by someone more able than me, but in any case I think we
should make example code CSP-friendly.

Colin


On 25 November 2012 23:48, Jim Manico <jim.manico at owasp.org> wrote:
> The JS/CSS Clickjacking defense is made for legacy browsers that do not
> support X-Frame-Option headers.
>
> Per https://www.codemagi.com/blog/post/194 it looks like IE6 and FF3x are
> supported.
>
> Aloha,
> Jim
>
>
>> Looks good - has anyone tried the JavaScript to make sure it works?
>>
>> thanks,
>> Andrew
>>
>> On Mon, Nov 26, 2012 at 9:10 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> Leaders,
>>>
>>> I took the Clickjacking Defense Cheatsheet out of draft mode. Can you
>>> take a look?
>>>
>>> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
>>>
>>> Your feedback and wiki edits are always appreciated.
>>>
>>> Aloha,
>>> Jim Manico
>>> @Manicode
>>> OWASP Volunteer
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
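
As an added illustration of the CSP compatibility point raised above (not code from this thread or from the OWASP cheat sheet), the following Node script audits a response's headers for clickjacking protection and reports whether its CSP would block the inline legacy-browser script, which is the case where an external file like the one above is needed. The header names are real; the sample header values are constructed, and the CSP frame-ancestors directive (CSP Level 2) is checked alongside X-Frame-Options.

```javascript
// Added example (not from the thread or the cheat sheet): audit headers for clickjacking defences.
// Parse a Content-Security-Policy value into { directive: [sources] }. Browsers
// honour only the first occurrence of a directive, so duplicates are dropped.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// headers: plain object of response headers, matched case-insensitively. Only the
// standard Content-Security-Policy header is parsed, not the X-WebKit-CSP variant.
function auditClickjackingHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const report = {
    xfo: null,                        // X-Frame-Options value, upper-cased
    frameAncestors: null,             // CSP frame-ancestors sources, if present
    thirdPartyFramingBlocked: false,  // can an arbitrary site frame this page?
    inlineScriptAllowed: true,        // would an inline <script> be executed?
  };
  if (h["x-frame-options"]) {
    report.xfo = h["x-frame-options"].trim().toUpperCase();
    report.thirdPartyFramingBlocked = report.xfo === "DENY" || report.xfo === "SAMEORIGIN";
  }
  if (h["content-security-policy"]) {
    const d = parseCsp(h["content-security-policy"]);
    if (d["frame-ancestors"]) {
      // Where supported, frame-ancestors overrides X-Frame-Options; '*' or a bare scheme opens framing.
      report.frameAncestors = d["frame-ancestors"];
      report.thirdPartyFramingBlocked =
        !d["frame-ancestors"].some((s) => s === "*" || /^https?:$/.test(s));
    }
    const scriptSrc = d["script-src"] || d["default-src"];
    if (scriptSrc) {
      // Inline scripts run only with 'unsafe-inline' or a matching nonce/hash.
      report.inlineScriptAllowed = scriptSrc.some(
        (s) => s === "'unsafe-inline'" || /^'(nonce|sha(256|384|512))-/.test(s));
    }
  }
  return report;
}

// Constructed sample headers: a strict policy and a permissive one.
const STRICT_HEADERS = {
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
};
const LAX_HEADERS = { "Content-Security-Policy": "script-src 'self' 'unsafe-inline'" };
```

With STRICT_HEADERS the report shows framing blocked and inline script disallowed, so the legacy defense must live in an external file; with LAX_HEADERS the inline version would run but nothing stops framing.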

