hackademix.net

During the past weeks I’ve started a new project called ABE, sponsored by the NLnet Foundation and meant to provide CSRF countermeasures configurable on the client side, the server side or both.

As you probably know, the NoScript browser extension improves web client security by applying a Default Deny policy to JavaScript, Java, Flash and other active content and providing users with an one-click interface to easily whitelist sites they trust for active content execution. It also implements the most effective Cross-Site Scripting (XSS) filters available on the client side, covering Type-0 and Type-1 XSS attacks; ClearClick, the only specific browser countermeasure currently available against ClickJacking/UI redressing attacks, and many other security enhancements, including a limited form of protection against Cross-Site Request Forgery (CSRF) attacks: POST requests from non-whitelisted (unknown or untrusted) sites are stripped out of their payload and turned into idempotent GET requests.

Many of the threats NoScript is currently capable of handling, such as XSS, CSRF or ClickJacking, have one common evil root: lack of proper isolation at the web application level. Since the web has not been originally conceived as an application platform, it misses some key features required for ensuring application security. Actually, it cannot even define what a “web application” is, or declare its boundaries especially if they span across multiple domains, a scenario becoming more common and common in these “mashups” and “social media” days.

The idea behind the Application Boundaries Enforcer (ABE) module is hardening the web application oriented protections already provided by NoScript, by developing a firewall-like component running inside the browser. It will be specialized in defining and guarding the boundaries of each sensitive web application relevant to the user (e.g. webmail, online banking and so on), according to policies defined either by the user himself, or by the web developer/administrator, or by a trusted 3^rd party.

ABE rules, whose syntax is defined in this specification (pdf), are quite simple and intuitive, especially if you ever looked at a firewall policy file:

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST, SUBDOC from SELF, https://secure.somesite.com
Accept GET
Deny

# This one guards logout, which is foolish enough to accept GET and
# therefore we need to guard against trivial CSRF (e.g. via <img>)
Site www.somesite.com/logout
Accept GET, POST from SELF
Deny

# This one guards the local network, like LocalRodeo
# LOCAL is a placeholder which matches all the LAN
# subnets (possibly configurable) and localhost
Site LOCAL
Accept from LOCAL
Deny

# This one strips off any authentication data
# (Auth and Cookie headers) from requests outside the
# application domains, like RequestRodeo
Site *.webapp.net
Accept ALL from *.webapp.net
Logout

Living inside the browser, the ABE component can take advantage of its privileged placement for enforcing web application boundaries, because it always knows the real origin of each HTTP request, rather than a possibly missing or forged (even for privacy reasons) HTTP Referer header, and can learn from user’s feedback.
Rules for the most popular web applications will be made downloadable and/or available via automatic updates for opt-in subscribers, and UI front-ends will be provided to edit them manually or through a transparent auto-learning process, while browsing. Additionally, web developers or administrator will be able to declare policies for their own web applications: ABE will honor them, unless they conflict with more restrictive user-defined rules.
As soon as browser support for the Origin HTTP header becomes widespread and reliable, an external version of ABE might be developed as a filtering proxy.

An initial implementation will be released during the 1^st quarter of 2009 as a NoScript module.
I already collected precious feedback from security researchers like Arshan “Anti-Samy” Dabirsiaghi, Ivan Ristic of ModSecurity fame, Sirdarckcat and others.
More opinions and suggestions about rules design and features are very welcome.

Sirdarckcat just pinged me with some more Clickjacking stuff, including his own related work:

• OWASP Presentation (video)
• White Paper
• Effective CSS-based Clickjacking techniques by Sirdarckcat

Regarding protection, if you’re a Firefox/NoScript user you should already know about ClearClick. If you’re not, I feel a bit sorry for you.

Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings.

The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in “clear”. At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction. This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs.

As you already know if you read my first clickjacking article, an old and benign clickjacking example is NoScript’s “Install Now” orange button, which overlays the green one on addons.mozilla.org to work-around the installation security warning. If you click it with ClearClick enabled, now you get warned about something sneaky going on.

I do not need to change my button yet, because NoScript 1.8.2.1 ships with ClearClick enabled on untrusted (non whitelisted) parent pages only, while the whitelist status of the embedding is irrelevant. This gives a good balance between effectiveness and usability, since the attacker in a clickjacking attack is always the parent. If you want to get the warning on noscript.net and on the other sites you trust, you need to flag the second checkbox on NoScript Options|Plugins|ClearClick protection on pages… [x] untrusted [x] trusted. I recommend to flag it anyway and report any usability issue, because this feature so far seems quiet and unobtrusive enough to justify my temptation of enabling everywhere (trusted + untrusted) by default on next stable release, but it must get a lot of testing from you first.

Other clickjacking-related features included in this release are:

1. Opaque embedded objects: plugin content and frames are forcibly made opaque and get styled with “overflow: auto” (i.e. get scrollbars if their inner size exceed their viewport) on untrusted pages.
2. Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a “frame busting” script similar to <script>if (top != self) top.location = location</script>, the intention of the page author is honored by NoScript, i.e. the page replaces the topmost document. You can control this feature toggling the noscript.emulateFrameBreak about:config preference.
3. Some usability and effectiveness improvements in frame management, making the Forbid IFRAMEs option more suitable for general usage.

I hope to find some time during this week to write another post, diving through the technical details behind my ClearClick implementation: a fairy tale about a very simple and hopeful idea (unconventional <canvas> usage) fighting against an army of quirks and mundane details. In the meanwhile, many thanks to Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for discussion, testing and inspiration.

As I hinted in my original clickjacking article and confirmed in my follow-up about protecting other browsers from clickjacking, specific anti-clickjacking countermeasures are included in latest NoScript development builds, enabled by default, and completely independent from frame blocking.

Specifically, since 1.8.1.7 (released past Friday), embedded objects of any kind are forcibly made opaque if placed on a non-whitelisted page, giving user a clear view on what he’s about to click.
A further protection layer, automatically disabling any user interaction with partially obstructed documents (similar in concept to Zalewski’s preferred proposal), will go in a stable release by the end of this week, but current development builds are already safe and good enough for general consumption, so I recommend upgrading now (update) is available in NoScript 1.8.2 and above.

Starting this fresh development line, rather than sitting on the serendipity of old NoScript features being able to prevent known forms of clickjacking, proved to be a very wise thing to do.
In facts, both RSnake and Ronald during the last two days found frame blocking work-arounds. RSnake in particular, being a NoScript user himself, has been so kind to do responsible disclosure, giving me also a lot of constructive feedback about the alternate mitigation ideas I was developing.

I must be grateful to Ronald as well, because he — even if in a less cooperative way — underlined a conceptual weakness in IFRAME blocking (since OBJECTs can behave just like IFRAMEs, they should be blocked according to the very same criteria), but I have to rectify this statement from his public disclosure post:

The latest version of NoScript allows it’s users to block iframes in order to protect themselves from “Clickjacking”.

NoScript has been capable of blocking IFRAMEs for a long time: this feature had been introduced mainly to make Gareth Heyes happy, more than one year ago. As often observed with NoScript, an old feature happens to be effective against new threats.
Unfortunately, bugs happen too and IFRAME blocking not being applied to all the frame-like elements is what I do consider a bug. This one will be fixed in the automatic stable update you’re going to receive in a few days, but in the meanwhile is already fixed; you can enjoy the new specific clickjacking protection, no matter if you block frames or not, by simply upgrading to NoScript 1.8.1.8 or above.

Update Oct 2^nd, afternoon

The frame/object bug has already been fixed in 1.8.1.9, one more reason to upgrade.

Update Oct 7^th

NoScript 1.8.2 is finally out, featuring the brand new exclusive ClickClear technology against Clickjacking. Upgrade now!

During the past few days I’ve been repeatedly asked the same question:

Is there anything that users of IE, Chrome and other browsers (who cannot use NoScript) can do to protect themselves from clickjacking?

If you read my previous post about it, you already know that currently the only way to protect yourself is disabling JavaScript, plugins/ActiveX and IFRAMEs.
NoScript is the most elegant and usable solution to do it for browsers based on Mozilla technology (like Firefox), because it gives you a quick one-click way to enable the missing technologies on sites you trust and remembers your choices in a whitelist, becoming almost unnoticeable after some “training” about your surfing habits.

Unfortunately, this is not as easy, bearable or even feasible if you use a browser not supported by NoScript (other than Linx or Elinks).
Let’s see what you can do with IE, Safari, Chrome and Opera:

• Internet Explorer

  Open Internet Options|Security, select the “Internet” zone and set the “Security level for this zone” control to “High”.
  Bad news: there’s no apparent way to disable IFRAMEs in IE: you can just disable “Launching programs and files in IFRAME”, which is definitely not enough to prevent clickjacking.
  Furthermore, while Microsoft’s “Internet Zones” can allow individual sites for scripting or active content, their usability is extremely poor if compared to NoScript, requiring several clicks and typing to build a whitelist. So, to recap: MSIE can’t be secured 100% against clickjacking, and the protection you can get comes with a big usability cost.

• Safari

  Apple’s browser has a central place to disable active content in its Preferences|Security tab.
  Bad news here are two: there’s no mean to enable features selectively (per site), and IFRAMEs cannot be disabled in any apparent way (Mac users, please let me know if I’m missing something¹). Therefore Safari can’t be secured 100% against clickjacking, and the protection you can get comes with an enormous usability cost.

• Chrome

  If you’re a Chrome user, you’re really out of luck: the only apparent way to disable active content is starting the browser with the following command line:

  chrome.exe -disable-javascript -disable-java -disable-plugins
  

  Of course, you cannot enable back any of these features until you restart your browser with different command line arguments. Even worse, there’s no “-disable-iframe” option. So Chrome can’t be secured 100% against clickjacking, and the protection you can get comes with the worst usability cost.

• Opera

  Opera has the best built-in security user interface among browsers, very similar to NoScript’s concepts: you can set restrictive defaults if you want, and relax some restrictions on selected sites you trust, using Site Preferences and Quick Preferences. It’s just slightly less usable than NoScript, and it can be configured to prevent clickjacking: you need to disable everything you can see in Preferences|Advanced|Content, then enter opera:config in your address bar, click the “Extensions” handle and uncheck the “IFrames” line.

Final note: current NoScript development versions (1.8.1.7 and above) provide protection against IFRAME-based clickjacking even without disabling IFRAMEs. This is a further usability/security advantage over any other solution, and it’s being tested by Sirdarckcat (a pioneer of malicious CSS overlays) with a final stable released planned for the end of this week. Therefore, if you can choose, your best usability+security choice is still Firefox+NoScript.