Thanks to IE8’s touted Clickjacking protection, which only works on those pages whose authors decide to adopt the new proprietary X-FRAME-OPTIONS header (now cross-browser), the buzz about this topic has been rising again. Unfortunately, Clickjacking (or, more precisely when talking about IE8’s mitigations, “frame-based UI Redressing”) is not yet well understood enough for the “technical” press to spare us some frankly embarrassing articles:

And so on…
Even Heise Security fell into this trap, sigh. The mood of most of these “reports” is, more or less,

Look ma, there’s this Clickjacking PoC which works in Chrome and Firefox, but is defeated in IE8, which has Clickjacking ProtectionTM. Did you see? IE is the most secure browser of the pack, OMGROTFLMAO!!!

Now, I know the ones to really blame and bash here are this so-called “security firm” looking for (and finding) free advertisement by exploiting the security buzzword of the day, and the “security researcher” Aditya K. Sood. But why did none of these journalists and bloggers try to verify Secniche’s claims (and orthography)?

Clickjacking is a malicious software form that can seemingly take control of the links that an Internet browser displays for various Web pages. Once that takes place, and once a user tries to lick (sic!) on that link, the user is taken to a site that is unintended. In some cases, the user may be able to recognize this immediately; in other cases, the user may be totally unaware of what took place.Once an infected ad has been loaded into your browser, your clipboard (where you copy and paste text) becomes overwritten with a URL.

A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another functionThe exploit may also take over your browser and visit links without you knowing.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page.

The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.

Well, by these standards (and grammar and syntax), hereby I disclose my sensational “Clickjacking PoC” which works everywhere, even against IE8 RC1:

Clickjack The Target (http://www.yahoo.com) : (http://evil.hackademix.net)

Even better, mine is just 188 characters long, i.e. 1/3 of the one by Secniche:

<a href="http://yahoo.com"
onclick="location='http://evil.hackademix.net/images/stallowned.jpg';return false"
>Clickjack The Target (http://www.yahoo.com) : (http://evil.hackademix.net)</a>

Unfortunately, as I told the Heise guys (who honestly rectified their article):

that’s not Clickjacking by any stretch of imagination, and hardly malicious: you just get on a “surprise” destination, but nothing more since it can’t do any of the cross-site evils (e.g. bypassing CSRF protection) of the real thing.

Or, quoting Michał Zalewski’s answer to Mr. Sood on BugTraq:

1) It is by now well-understood that because of the inherent and broadly depended on properties of HTML, every sufficiently featured browser is and likely will remain susceptible to the behavior known as clickjacking. A more thorough analysis, also covering Chrome, is provided here:

http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)

2) To my best knowledge, the proof of concept provided in your post, where a same-origin <div> follows a mouse pointer, is not a valid demonstration of the issue at hand.

Nor is mine, of course: LickJacking, maybe ;)

Talking about rectifications, Security Watch’s apology for Microsoft’s take on Clickjacking protection, while defending X-FRAME-OPTIONS against the general skepticism from security experts, emphatically warned twice that “NoScript won’t protect you”. Larry Seltzer’s premise, “JavaScript is not required for the attack”, was obviously correct, but unfortunately for him (and fortunately for Firefox users), NoScript doesn’t rely on script blocking to defeat the attack. He had apparently never heard about ClearClick, the specific anti-Clickjacking protection provided by NoScript, which is extremely effective even if JavaScript is enabled (or the attack is scriptless). Ironically, ClearClick is also the only available implementation of Michał Zalewski’s “favorite solution”, which his article even tries to explain.
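As an added example (not code from this post or from NoScript): a small checker that applies the X-FRAME-OPTIONS header discussed above, and its CSP successor frame-ancestors (which browsers honour in preference when both are present), to decide whether a page can be framed at all, the precondition a real frame-based UI redressing attack needs and the “PoC” above lacks. Header sets and origins are constructed, and CSP source matching is simplified (no ports or paths), as noted in the comments.

```python
from typing import Mapping


def _matches(source: str, page_origin: str, embedder: str) -> bool:
    """Simplified CSP source matching: 'self', '*', an exact origin, or a
    '*.host' wildcard. Ports, paths and scheme checks on wildcards are not
    modelled (an assumption of this example, not the full CSP grammar)."""
    if source == "'self'":
        return embedder == page_origin
    if source == "*":
        return True
    pat_host = source.split("://", 1)[-1]
    emb_host = embedder.split("://", 1)[-1]
    if pat_host.startswith("*."):
        return emb_host.endswith(pat_host[1:])
    return embedder == source


def framing_allowed(headers: Mapping[str, str], page_origin: str, embedder: str) -> bool:
    """Return True if `page_origin`, served with `headers`, may be framed by a
    top-level document at `embedder` (origins as 'scheme://host').
    A CSP frame-ancestors directive, when present, overrides X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if not sources or sources == ["'none'"]:
                return False
            return any(_matches(s, page_origin, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page_origin
    if xfo.startswith("ALLOW-FROM"):
        # Legacy form; browsers that never supported it treat it as no header.
        return embedder == xfo[len("ALLOW-FROM"):].strip().lower().rstrip("/")
    return True  # no policy at all: any origin may frame the page


# Constructed sample responses for three hypothetical deployments.
HEADERS_BARE = {"Content-Type": "text/html"}
HEADERS_XFO = {"X-Frame-Options": "SAMEORIGIN"}
HEADERS_CSP = {"X-Frame-Options": "DENY",
               "Content-Security-Policy":
               "default-src 'self'; frame-ancestors 'self' https://*.example.com"}
```

A page that returns True for an arbitrary embedder is the one a transparent-overlay attack can be built on; a link that merely redirects, as in the post’s “PoC”, never exercises this path.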

However, as soon as I managed to tell him about his mistake (after working around the unbelievable suckiness of PCMag’s spam filters, which choked on any sentence of medium complexity and even on the word “google”), Larry demonstrated solid deontology. He honestly admitted to having been misled by an ancient post by RSnake, which actually reported that older NoScript versions could be circumvented by some Clickjacking setups, while more recent (ClearClick-enabled) versions are effectively protected. Larry, I did appreciate that, and I’m sorry I couldn’t post even a simple “thanks” as a comment on your Security Watch blog (danx? th3nx? 10x?)

16 Responses to “All That ClickJazz…”

  1. #1 dblackshell says:

    I can imagine the number of new perverted attacks that will appear from this day onward: Cross site licking, Cross Site Lickin’ Forgery…

  2. #2 duryodhan says:

    Dude .. lick jacking is sick enough …

  3. #3 duryodhan says:

    man. .. I used to think security in academia is bad .. but even the industry is sucky end to end

  4. #4 Basti says:

    Isn’t it possible to block such scripts?

    onclick="location='http://evil.hackademix.net/images/stallowned.jpg';return false"

    If not with NoScript then with another addon.

    NoScript is such a nice thing. Thank you for it.

  5. #5 Giorgio says:

    @Basti:
    unless the page is whitelisted, NoScript blocks it by default.

  6. #6 Basti says:

    @Giorgio:

    I know that No Script blocks that if scripting isn’t allowed, because I needed to whitelist hackademix.net to see the actor instead of yahoo. But if I need to enable scripting for some reasons like passing the humanity check to reply ("To make this process easier in the future, we recommend you enable Javascript.") it won’t work.

    Because you said "JavaScript can only be allowed or denied, there isn’t something in between." (maybe not exactly quoted) I guess NoScript isn’t there (not now and not in the future) for blocking special scripts. There could be an additional addon that blocks that script. I don’t see a sense in this script anyway. It looks like it was made for an exploit although it isn’t good if the user is aware of what he is doing.

    I also hope there’s a chance for IE’s X-Frame Option to get included in all major browsers. Plus every site should make use of it, especially security related ones.

  7. #7 alexkon says:

    Michal Zalewski, it’s w (not v) in his last name.

  8. #8 Giorgio says:

    @alexkon:
    Michał (rather than Michal), too :)

  9. #9 duryodhan says:

    basti : because of the way javascript is made and all the evals etc. in it, I think stopping only some types of behaviour and not others would be hard to do securely.

    But http://research.microsoft.com/en-us/um/people/helenw/papers/bshield-osdi2006.pdf

    is something interesting ..

  10. #10 ascii says:

    damn Maone, this stuff is terrible, sad for you that have to fight with it. click* attacks

  11. #11 Basti says:

    @duryodhan: I agree. That is a problem. You can’t filter or stop it without having negative impact on other (wanted) things. Would be good if something could warn about it. I guess I should forget about it…

    The following is general and not assigned to anyone special: JavaScript isn’t per definition bad, but if you take a look at the change-log of Firefox you see that most (theoretical) exploits only work if JavaScript is on.

    so thanks for NoScript again. (assigned to Giorgio)

  12. #12 Amad says:

    @Basti: Quick fix for ‘lick’ jacking (works in firefox):

    Open link in new tab

    It doesn’t need noscript, works with js enabled! :P

    Okay seriously though, surrogate scripts might have some potential in this area

  13. #13 Basti says:

    @Amad: This is an easy way to defeat this "attack".

    Would be good if all problems could be solved that easy. :P

  14. #14 justAnotherBob says:

    Beside the point, but… 178 characters!

    Clickjack The Target (http://www.yahoo.com) : (http://evil.hackademix.net)

  15. #15 justAnotherBob says:

    argh! my post got scrubbed of JavaScript.

  16. #16 vaibhav says:

    Actually this is not the first "cutting edge research" by Aditya K Sood,
    if you have time grab a cup of hot java browse through his numerous
    articles (zero code {by 0kn0ck} sadly, which says it all) and you’ll be
    half bombed forever.

    if you see the logo on his website, it says "Driving Element of Innocuous Minds." and "Optimized Derivative of Complex Security". That pretty much
    sums everything about him.

    Somebody please put a leash on this guy.
