Update

If you have not done so yet, you should upgrade to NoScript 1.8.2.1 or above, because of the new ClearClick technology, the most effective anti-Clickjacking protection available.

Looks like Clickjacking is the web-security buzzword of the week (month?), since Robert "RSnake" Hansen and Jeremiah Grossman decided to cancel their OWASP talk, drawing an aura of mystery around the whole issue and its magnitude.

Nevertheless, some information and speculation have been percolating, and even if the precise details of the attacks proposed by those two researchers are still embargoed, especially because of the serious and not necessarily obvious implications worrying Adobe, a certain awareness of the general technique and the possible countermeasures is circulating now. In Jeremiah's and RSnake's words:

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. [...]
Say you have a home wireless router that you had authenticated prior to going to a [malicious] web site. [The web site] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

In other words, the attack is carried out by a malicious web page embedding objects, possibly from a different site, such as framed documents or plugin content (Flash, Silverlight, Java...), which may lead to unwanted results if clicked by the current user (e.g. a "Delete all messages" button in your webmail, or an advertisement banner in a click fraud scheme). Using DHTML, and especially CSS, the attacker can disguise or hide the click target in several ways which go completely undetected by the user, who is easily tricked into clicking it more or less blindly.

JavaScript increases the effectiveness of these attacks hugely, because it can make the invisible target constantly follow the mouse pointer, intercepting the user's first click without fail. We can, however, imagine a few less effective but still feasible scriptless scenarios, e.g. covering the whole window with hidden duplicates of the target, or overlaying an attractive element of the page which is likely to be clicked (e.g. a game or a porn image link) with a transparent instance of the target.
Nevertheless, as RSnake puts it,

[...] the best defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. Users running that combination will be safe, said Hansen, against “a very good chunk of the issues, 99.99 percent at this point.”

That's true both because attacking from an untrusted page which is not allowed to run JavaScript is highly impractical, and because NoScript by default prevents Java, Silverlight and especially Flash content, which so far seem to be the most dangerous clickjacking targets, from being embedded on non-whitelisted pages.

But what about that damned 0.01%? That's accounted for by framed documents, most notably IFRAMEs. For a live and benign example of what you can do with IFRAME-based clickjacking, look at NoScript's "install now!" widget, which gets dynamically overlaid by the addons.mozilla.org install page: they're positioned so that if you click on the orange button you automatically install from AMO, skipping the security notification bar you would get on any other site. This "clickjacking" of mine has been there for a long time (since AMO V3, IIRC), and it heavily relies on JavaScript.

But even if an IFRAME-based attack were carefully crafted to work without JavaScript, NoScript would still provide effective protection, scoring a perfect 100% by RSnake's standards. You just need to enable the Plugins|Forbid <IFRAME> option, and cross-site IFRAMEs will be blocked by default on untrusted pages: they will need a confirmation to be activated, therefore "blind clicks" become impossible. Zone 365 and Hardware Forums created a short video tutorial about this setting. If you want to be protected even against unlikely attacks thrown from a trusted site included in your whitelist, check Plugins|Apply these restrictions to trusted sites as well: embedded objects (plugin content and frames) get blocked on every site, but you can enable any of them on the fly by clicking on its placeholder.

A final recommendation is reading this contribution by Michal Zalewski, which covers the IFRAME case only but is very generous with mitigation proposals, both for web developers and browser vendors: by the way, his browser fix proposal #4 is almost identical to NoScript's current Forbid <IFRAME> option, and simpler variants of proposal #3 have been explored as default features in NoScript development builds since version 1.8.1.7.
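The attack described above boils down to a cross-site frame or plugin object that the user cannot actually see (transparent, hidden, pushed off-screen) or that keeps repositioning itself under the mouse pointer. The browser-side countermeasures Zalewski proposes and the ones NoScript explores can be expressed as a handful of decision rules. The JavaScript below is an added example written for this page; it is not NoScript's code nor anything taken from Zalewski's post. It assumes a `ctx` object that supplies the browser lookups (`styleOf`, `rectOf`, `viewport`, `isSameOrigin`, `samplesFor`), and the thresholds `MIN_VISIBLE_OPACITY`, `FOLLOW_TOLERANCE_PX` and `FOLLOW_MIN_SAMPLES` are assumed values, not figures from the post.

```javascript
// Added example (not NoScript's own code): decision logic of a click guard that
// refuses "blind" clicks on cross-site frames and plugin objects which are
// transparent, hidden, off-screen, or which follow the mouse pointer.
// Browser-dependent lookups come in through `ctx` so the rules can be exercised
// with constructed inputs outside a browser.

const EMBED_TAGS = new Set(["IFRAME", "FRAME", "OBJECT", "EMBED", "APPLET"]);
const MIN_VISIBLE_OPACITY = 0.5; // assumed threshold: below this the target counts as invisible
const FOLLOW_TOLERANCE_PX = 8;   // assumed jitter still counted as "following" the pointer
const FOLLOW_MIN_SAMPLES = 4;    // assumed number of mousemove samples needed for a verdict

// Walk up to the nearest frame/plugin element, or null if the click hit plain content.
function closestEmbed(el) {
  for (let node = el; node; node = node.parentElement) {
    if (EMBED_TAGS.has(node.tagName)) return node;
  }
  return null;
}

// Opacity as the user perceives it: the element's own opacity multiplied by that of
// every ancestor; visibility:hidden or display:none anywhere in the chain means 0.
function effectiveOpacity(el, styleOf) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    const s = styleOf(node);
    if (s.visibility === "hidden" || s.display === "none") return 0;
    const own = s.opacity === undefined || s.opacity === "" ? 1 : Number(s.opacity);
    opacity *= own;
  }
  return opacity;
}

// True when the element's box lies entirely outside the visible viewport.
function isOutsideViewport(rect, viewport) {
  return rect.right <= 0 || rect.bottom <= 0 ||
         rect.left >= viewport.width || rect.top >= viewport.height;
}

// samples: [{pointer: {x, y}, frame: {left, top}}, ...] recorded on successive
// mousemove events. The frame "follows" the pointer when it has moved at all and
// the pointer's offset from the frame's top-left corner stays (almost) constant.
function followsPointer(samples) {
  if (samples.length < FOLLOW_MIN_SAMPLES) return false;
  const origin = samples[0].frame;
  const moved = samples.some(s => s.frame.left !== origin.left || s.frame.top !== origin.top);
  const offsets = samples.map(s => ({ dx: s.pointer.x - s.frame.left, dy: s.pointer.y - s.frame.top }));
  const steady = offsets.every(o =>
    Math.abs(o.dx - offsets[0].dx) <= FOLLOW_TOLERANCE_PX &&
    Math.abs(o.dy - offsets[0].dy) <= FOLLOW_TOLERANCE_PX);
  return moved && steady;
}

// ctx: { isSameOrigin(el), styleOf(el), rectOf(el), viewport: {width, height}, samplesFor(el) }
// Returns {allow, reason}; a caller would show a placeholder / ask for confirmation
// rather than silently dropping the click.
function assessEmbeddedClick(target, ctx) {
  const embed = closestEmbed(target);
  if (!embed) return { allow: true, reason: "click on plain page content" };
  if (ctx.isSameOrigin(embed)) return { allow: true, reason: "same-site embedding" };
  if (effectiveOpacity(embed, ctx.styleOf) < MIN_VISIBLE_OPACITY) {
    return { allow: false, reason: "embedding is transparent or hidden" };
  }
  if (isOutsideViewport(ctx.rectOf(embed), ctx.viewport)) {
    return { allow: false, reason: "embedding is positioned off-screen" };
  }
  if (followsPointer(ctx.samplesFor(embed))) {
    return { allow: false, reason: "embedding follows the mouse pointer" };
  }
  return { allow: true, reason: "embedding is visible and stationary" };
}

// Glue for real DOM APIs (assumed wiring, usable only from privileged code: a plain
// page script never sees clicks delivered inside a cross-site frame). A mousemove
// listener calls recordSample(); one short history is kept per embedded element.
const histories = new WeakMap();
function recordSample(embed, rect, event) {
  const list = histories.get(embed) || [];
  list.push({ pointer: { x: event.clientX, y: event.clientY }, frame: { left: rect.left, top: rect.top } });
  if (list.length > 10) list.shift();
  histories.set(embed, list);
}
function makeBrowserContext(win) {
  const pageOrigin = win.location.origin;
  return {
    isSameOrigin: el => new URL(el.src || el.data || "", win.location.href).origin === pageOrigin,
    styleOf: el => win.getComputedStyle(el),
    rectOf: el => el.getBoundingClientRect(),
    viewport: { width: win.innerWidth, height: win.innerHeight },
    samplesFor: el => histories.get(el) || [],
  };
}
```

Two caveats a practitioner should keep in mind. First, the "same-site" short-circuit and the placeholder response matter: a legitimate, intentionally overlaid widget (the post's own "install now!" button is one) would trip the transparency rule, so the right reaction is a confirmation prompt, not a silent drop. Second, clicks landing inside a cross-site frame are dispatched to that frame's document, so ordinary page JavaScript cannot run this check; it has to live in the browser or in a privileged extension such as NoScript, which is why users of browsers without such an extension have no equivalent setting to flip.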

43 Responses to “Clickjacking and NoScript”

  1. #1 Mic says:

    Just installed noscript and noticed that

    Options -> Plugins -> Forbid <IFRAME>

    is unchecked ?

    Is it something that I've done during installation, or your advised default to set IFRAME loose :)

  2. #2 voracity says:

    Perhaps you should create a NoBrowser extension. I'm pretty sure that would be impenetrable.

  3. #3 Jesse Ruderman says:

    Disabling third-party IFRAMEs (and OBJECTs?) seems like overkill compared to disabling third-party cookies.

  4. #4 James says:

    That's pretty sneaky with the transparent iframe, I wonder if that's all clickjacking is. Of course it breaks if you use middle click button to activate the autoscroll feature, as the iframe contents scrolls and the fake link is no longer aligned.

  5. #5 James says:

    Also, a pretty easy way to prevent it would be to block people with an unknown referrer HTTP header. Then the only people at risk would be those who block the referrer header.

  6. #6 Clickjacking | La Comunidad DragonJAR says:

    [...] Product Security Incident Response Team (PSIRT) Clickjacking: ¿un secreto a voces? Clickjacking Clickjacking and NoScript Tags: Click • Clickjacking • Fraude • Navegadores • Vulnerabilidad Si [...]

  7. #7 Giorgio says:

    @Mic:
    Forbid <IFRAME> is not checked by default, as the FAQ and should be clear from my statement "You just need to enable..." and the linked video explaining how to enable it.

    @Jesse Ruderman:
    cookies are not the only means to authenticate, and you can do pretty nasty things also without "authentication", as Adobe will tell you.
    RequestRodeo is a nice concept, though, even if kuza55 found some ways to abuse it, and I'm working on something similar too.
    Furthermore, NoScript blocks 3rd party objects embedded on untrusted sites or originating from untrusted sites, providing an easy means to enable them individually (click on placeholder) or as a whole (Blocked Objects menu). Even if you check Apply these restrictions to trusted sites as well, it works much like FlashBlock, but more reliably.
    Finally, as I said, development builds are exploring mitigation measures which don't require object blocking, such as forcing opacization of 3rd party objects or disabling clicks on obstructed/transparent embeddings.

    @James:
    it doesn't break if the attacker doesn't want it to break and can use JavaScript. "Blocking people with an unknown referrer HTTP header" does not help at all here: the referrer for the nasty action is the one of the page where the legitimate trigger is placed.

  8. #8 buzz says:

    hackademix.net » Clickjacking and NoScript

    Supplement to the post below

  9. #9 DaboBlog - Cibercultura | Seguridad | GNU/Linux | Redes | Mac OS X | CMS| Opinión | Por David Hernández (Dabo) says:

    [...] having seen how this vulnerability is exploited (he goes so far as to call it devastating), leaves an opinion on his blog that is not at all [...]

  10. #10 Clickjacking » Sergio Hernando says:

    [...] of much speculation, the only noteworthy information we have is Zalewski's opinion and that of the creator of NoScript (which seems not to help in this case). There are more opinions and news all over the [...]

  11. #11 Hugo says:

    Giorgio: If the security option is disabled by default - it will never be enabled.

    The same goes for HTTPS SECURE cookies protection.

  12. #12 Giorgio says:

    @Hugo:
    you're right about Forbid IFRAME, and that's why I tried to give it as much publicity as possible.
    That said, current NoScript dev builds already contain specific anti-clickjacking countermeasures which work by default, no matter what you do with IFRAMEs.
    Since it's a work in progress which is planned to go in a stable release by the end of this week, I'm gonna write a post with juicy technical details when this is done.

    Regarding Automatic Secure Cookies Management, I'm leaving that disabled for the time being because of the Ebay debacle of its 1st version, but I can tell you current implementation (1.8.1.5 and above) is working very well (with no show-stopper side effects) for people who are testing it, therefore I'm pretty confident it can be re-enabled by default in version 1.9 or sooner.

  13. #13 The WHATWG Blog » Blog Archive » This Week in HTML 5 - Episode 7 says:

    [...] that researchers have dubbed "clickjacking." To understand it, start with Giorgio Maone's post, Clickjacking and NoScript. Giorgio is the author of the popular NoScript extension for Firefox. In its default configuration, [...]

  14. #14 Tom says:

    Would it be possible to write a greasemonkey extension that could disable iframes on non-whitelisted sites, too? By, say, deleting the src attribute?

  15. #15 Alerta para usuarios: Clickjacking « Mundo Binario says:

    [...] Clickjacking and NoScript [...]

  16. #16 Giorgio says:

    @Tom:
    Yes, using GreaseMonkey to disable IFRAMEs would be possible, but quite unreliable and very impractical because you wouldn't have an easy means to selectively enable them back if needed, as you have in NoScript instead (just click on their placeholders).
    By the way, the NoScript Options|Plugins|Apply these restrictions to trusted sites as well is made exactly for this.

  17. #17 hackademix.net » Clickjacking and Other Browsers (IE, Safari, Chrome, Opera) says:

    [...] During the past few days I’ve been repeatedly asked the same question: Is there anything that users of IE, Chrome and other browsers (who cannot use NoScript) can do to protect themselves from clickjacking? [...]

  18. #18 Ajaxian » This Week in HTML 5: Clickjacking says:

    [...] have dubbed “clickjacking.” To understand it, start with Giorgio Maone’s post, Clickjacking and NoScript. Giorgio is the author of the popular NoScript extension for Firefox. In its default configuration, [...]

  19. #19 Ajax Girl » Blog Archive » This Week in HTML 5: Clickjacking says:

    [...] have dubbed “clickjacking.” To understand it, start with Giorgio Maone’s post, Clickjacking and NoScript. Giorgio is the author of the popular NoScript extension for Firefox. In its default configuration, [...]

  20. #20 Network Security Podcast » Blog Archive says:

    [...] Clickjacking, clickjacking, and more clickjacking. [...]

  21. #21 • Link Roundup - 09/08 Blog Archive • nuke it dot org says:

    [...] - Clickjacking hackademix.net - Clickjacking and NoScript hackademix.net - Clickjacking and Other [...]

  22. #22 Javascript News » Blog Archive » This Week in HTML 5: Clickjacking says:

    [...] have dubbed “clickjacking.” To understand it, start with Giorgio Maone’s post, Clickjacking and NoScript. Giorgio is the author of the popular NoScript extension for Firefox. In its default configuration, [...]

  23. #23 Haukurod.net» Blog Archive » Meira um Clickjacking / Smelligosan says:

    [...] message is borrowed from the hackadmix.net site, where the whole article that accompanies this [...] can be read [...]

  24. #24 Paolo says:

    Hi Giorgio,
    what do you think about this: http://www.0x000000.com/index.php?i=316 ?

  25. #25 Giorgio says:

    @Paolo:
    as I said here, latest NoScript development builds do not depend on frames being disabled for providing clickjacking protection. Embedded objects, including "generic inclusions" through the OBJECT element, are forcibly made opaque on untrusted sites, therefore you can't click them by accident.
    This protection, already effective, is being improved to prevent any form of user interaction with embedded documents which are partially obstructed, i.e. Zalewski proposal #4, and will go in a stable release (1.8.2, tentatively) by the end of this week.

  26. #26 Paolo says:

    OK, thanks for the explanation

    PS
    you're the best!

  27. #27 Giorgio says:

    @Paolo:
    I just published a post dealing with Ronald's finding and explaining the new specific anti-clickjacking features, you may be interested.

    PS
    thanks, you're making me blush! :)

  28. #28 Clickjacking, ¿el mayor fallo de seguridad en navegadores? says:

    [...] Hackademix y [...]

  29. #29 Tom says:

    My spouse is a dyed-in-the-wool IE user, are there any protections for this application?

  30. #30 Giorgio says:

    @Tom:
    Your spouse is out of luck :(

  31. #31 hackademix.net » Hello ClearClick, Goodbye Clickjacking! says:

    [...] you already know if you read my first clickjacking article, an old and benign clickjacking example is NoScript’s “Install Now” orange [...]

  32. #32 Thai Brothers’ Sharing Blog » Blog Archive » 'Clickjacking' attack hides behind the mouse says:

    [...] Users of Firefox should in the meantime consider use of the NoScript plug-in and set it to forbid iframe content. More details on configuring NoScript to block this attack can be found here [...]

  33. #33 Clickjacking: La amenaza fantasma « La noticia tecnológica de la semana says:

    [...] that I've been able to read, the best seemed to me this mail from Michal Zalewski, the articles on Giorgio Maone's site, author of the only known vaccine for Firefox browsers ("ClearScript"), and this [...]

  34. #34 Recovery and Forensic » Blog Archive » Security Bites 117: How ‘Clickjacking’ attacks hide behind the mouse says:

    [...] it to forbid IFrame content. More details on configuring NoScript to block this attack can be found here. Additional US-CERT tips for securing other browsers can be found [...]

  35. #35 » Security Bites 117: How ‘Clickjacking’ attacks hide behind the mouse « Software Reviews & Free Software Download. says:

    [...] it to forbid IFrame content. More details on configuring NoScript to block this attack can be found here. Additional US-CERT tips for securing other browsers can be found [...]

  36. #36 CFusion » Blog Archive » Security Bites 117: How ‘Clickjacking’ attacks hide behind the mouse says:

    [...] it to forbid IFrame content. More details on configuring NoScript to block this attack can be found here. Additional US-CERT tips for securing other browsers can be found here. Tags: Adobe Flash, [...]

  37. #37 舞台很大 独有我表演 » Content Index » Hello ClearClick, Goodbye Clickjacking! - 舞台很大 独有我表演 says:

    [...] you already know if you read my first clickjacking article, an old and benign clickjacking example is NoScript’s “Install Now” orange button, which [...]

  38. #38 Clickjacking Woes | TrendLabs | Malware Blog - by Trend Micro says:

    [...] “Rsnake” Hansen, the co-revealer of clickjacking also recommends to set browser’s configuration to “Plugins|Forbid IFRAME” and to install NoScript [...]

  39. #39 Clickjacking Woes | Webmaster Share says:

    [...] “Rsnake” Hansen, the co-revealer of clickjacking also recommends to set browser’s configuration to “Plugins|Forbid IFRAME” and to install NoScript [...]

  40. #40 ‘Clickjacking’ Web Attacks - A Little More Fun says:

    [...] To complicate matters, clickjacking is also a really cool, potentially effective user design tool. For an example of a benign case of clickjacking, consider the NoScript website, which uses the technique for positive ends. [...]

  41. #41 Security Bites 117: How ‘Clickjacking’ attacks hide behind the mouse | Instant PR says:

    [...] it to forbid IFrame content. More details on configuring NoScript to block this attack can be found here. Additional US-CERT tips for securing other browsers can be found [...]

  42. #42 Chris im Netz - Software, Hardware, Tutorials und mehr.. says:

    Firefox-Addon NoScript

    You are constantly pestered by layers or all sorts of objects flying around. You can of course also play it very boringly and block all scripts. That does prevent quite a bit of advertising, but it even blocks the JavaScript-based A...

  43. #43 Get Tech Effective » Post Topic » Clickjacking: A Serious Threat says:

    [...] also ban plugins and IFRAMEs on trusted sites as needed, says Giorgio Maone, a security expert who wrote NoScript. It basically lets the user click to enable these features on trusted sites and then [...]
