Exploit Wars I - The Clickjackers Strike Back


Clickjacking, a well-known malicious user-interface redressing technique discovered in 2008, is still rampant on modern websites!

I have been looking at security exploits recently, such as a technique called Clickjacking. As any budding developer would, when I find out about a new exploit I test it on one of the websites I use.

Enjin.com

Well, put quickly, it worked, which surprised me. Clickjacking is quite an old browser exploit.

In simple terms (check Wikipedia for a fuller explanation), clickjacking is:

A webpage set up to fool users into entering or clicking something on the [Enjin] website without their knowledge, using transparent iframes.

It works because the user thinks they are clicking on the button visible behind the iframe, but in reality they are clicking on the transparent iframe laid over that exact location.
This can be used to toggle settings, or, if you went more advanced with this, you could block out all of the iframe except a textbox and tell them to type certain text.
This could be used to delete someone's Twitter account by tricking them into clicking a "delete account permanently" button, and they would not even know. Though in most modern websites this is fixed.

Now, there are various techniques to stop this redressing of iframes, which I will outline later. But as far as Enjin was concerned:

This exploit allows attackers to:

  • Change the user’s account settings, including
    • Display name
    • Gender
    • Location
    • Date of Birth
    • Timezone
    • Quote
    • Biography
  • Change the user’s notification settings
  • Make the user leave an enjin website (community)
  • Create a new enjin website (community) under the user’s account
  • Post messages to their wall under the user’s account
  • Post message to a thread under the user’s account
  • If so vain, upvote one’s thread post
  • Log the user’s account out

… with just a click from the user!

I made a very basic proof of concept here: JsFiddle
I also have a much more FUN proof of concept here: Fun PoC

To fix this problem I would recommend a mix of techniques, each supplemental in its own regard, though to start I would recommend a technique called Frame Breaking.

Frame breaking consists of the webpage detecting that it is inside an iframe and then either redirecting the browser to the appropriate address or displaying a blank page in the iframe.

This can be done with headers or with JavaScript code, sometimes with a bit of CSS thrown in (check the OWASP page for appropriate code snippets). One example is below:


<!-- Styling: hide the whole document until the script below confirms the page is not framed -->

<style>
    html {
        display:none;
    }
</style>

<!-- Script: reveal the page if we are the top window, otherwise break out of the frame -->

<script>
    if (self == top) {
        /* Not framed: show the content that the stylesheet hid */
        document.documentElement.style.display = 'block';
    } else {
        /* Framed: navigate the top-level window to this page's own address */
        top.location = self.location;
    }
</script>

The above code first hides all content on the page. It then checks whether the current window (self) is the topmost browser window (top): if so, it displays the content; if not, it redirects the top window to the page's usual web address.


The end result is that this code stops people embedding your website in their pages, and thereby stops clickjacking.

You could take other actions on discovering that you are within an iframe, like requiring all account changes to be verified by a password or a traditional window confirm box.

N.B. An additional way of preventing your website from being embedded in another website is the X-Frame-Options header. It is un-standardised and not supported by some browsers, which is why I didn’t mention it above. It may still serve as an additional supplement to the above method, rather than a replacement.

Fair Use: When I discovered this exploit I immediately contacted Enjin support with a ticket. They only recently fixed the problem (as I have been told; I cannot confirm it), and I gave them fair warning about a post on this topic.

EDIT: Now the CSP frame-ancestors directive (which is standardised) can be used to replace X-Frame-Options.
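As an added example (not code from the original post or from Enjin), here is how a defender would apply both header-based controls mentioned above, X-Frame-Options and the CSP frame-ancestors directive, and audit a response to see what framing policy it actually carries. The header samples below are constructed for the demonstration, not captured from any real site; the partner origin https://partner.example is a placeholder. Unlike the JavaScript frame breaker, these headers are enforced by the browser before any script on the page runs, so they make a good supplement to it. The functions are plain Node.js with no dependencies.

```javascript
// Added example, not the original post's code: build and audit anti-framing headers.

// Hardening: add both controls so that old browsers (X-Frame-Options) and
// modern ones (CSP frame-ancestors, which takes precedence where supported)
// refuse to render this page inside a frame on another origin.
function addAntiFramingHeaders(headers, allowSameOrigin = false) {
  // Normalise header names to lowercase so we never emit duplicate keys.
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;

  out['x-frame-options'] = allowSameOrigin ? 'SAMEORIGIN' : 'DENY';

  const frameAncestors = `frame-ancestors ${allowSameOrigin ? "'self'" : "'none'"}`;
  const existingCsp = out['content-security-policy'];
  // Append to an existing policy rather than clobbering its other directives.
  out['content-security-policy'] = existingCsp
    ? `${existingCsp.replace(/;\s*$/, '')}; ${frameAncestors}`
    : frameAncestors;
  return out;
}

// Parse a CSP header value into { directiveName: [sourceTokens] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Audit: classify how a response's headers constrain framing.
// Returns 'none' (no framing allowed), 'same-origin', 'allow-list'
// (specific origins permitted) or 'unprotected' (the clickjacking case).
function assessFramingProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;

  // A frame-ancestors directive, when present, overrides X-Frame-Options.
  const csp = lower['content-security-policy'];
  if (csp) {
    const fa = parseCsp(csp)['frame-ancestors'];
    if (fa) {
      const sources = fa.map((s) => s.toLowerCase());
      // An empty source list matches no ancestor, the same as 'none'.
      if (sources.length === 0 || (sources.length === 1 && sources[0] === "'none'")) return 'none';
      if (sources.every((s) => s === "'self'")) return 'same-origin';
      return 'allow-list';
    }
  }

  const xfo = lower['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return 'none';
    if (v === 'SAMEORIGIN') return 'same-origin';
    if (v.startsWith('ALLOW-FROM')) return 'allow-list';
  }
  return 'unprotected';
}

// Constructed sample responses (not captured from any real site).
const samples = {
  bareApp: { 'Content-Type': 'text/html' },
  legacyOnly: { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' },
  cspOnly: {
    'Content-Type': 'text/html',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  },
  cspOverridesXfo: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'self' https://partner.example",
  },
};

// Run the audit over every sample and return a name -> verdict report.
function auditSamples() {
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    report[name] = assessFramingProtection(headers);
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Before hardening:', auditSamples());
  const hardened = addAntiFramingHeaders(samples.bareApp);
  console.log('bareApp after hardening:', hardened, '->', assessFramingProtection(hardened));
}
```

Run it with `node` to see the audit: the bare application is reported as `unprotected`, the X-Frame-Options-only response as `same-origin`, and the hardened headers as `none`. The `cspOverridesXfo` sample shows why the audit checks CSP first: its X-Frame-Options says DENY, but a browser that understands frame-ancestors will honour the more permissive allow-list instead.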