Archive for September, 2008

During the past few days I've been repeatedly asked the same question:

Is there anything that users of IE, Chrome and other browsers (who cannot use NoScript) can do to protect themselves from clickjacking?

If you read my previous post about it, you already know that currently the only way to protect yourself is disabling JavaScript, plugins/ActiveX and IFRAMEs.
NoScript is the most elegant and usable solution to do it for browsers based on Mozilla technology (like Firefox), because it gives you a quick one-click way to enable the missing technologies on sites you trust and remembers your choices in a whitelist, becoming almost unnoticeable after some "training" about your surfing habits.

Unfortunately, this is not as easy, bearable or even feasible if you use a browser not supported by NoScript (other than Linx or Elinks).
Let's see what you can do with IE, Safari, Chrome and Opera:

  • Internet Explorer

    IE's security settingsOpen Internet Options|Security, select the "Internet" zone and set the "Security level for this zone" control to "High".
    Bad news: there's no apparent way to disable IFRAMEs in IE: you can just disable "Launching programs and files in IFRAME", which is definitely not enough to prevent clickjacking.
    Furthermore, while Microsoft's "Internet Zones" can allow individual sites for scripting or active content, their usability is extremely poor if compared to NoScript, requiring several clicks and typing to build a whitelist. So, to recap: MSIE can't be secured 100% against clickjacking, and the protection you can get comes with a big usability cost.

  • Safari

    Safari's security settingsApple's browser has a central place to disable active content in its Preferences|Security tab.
    Bad news here are two: there's no mean to enable features selectively (per site), and IFRAMEs cannot be disabled in any apparent way (Mac users, please let me know if I'm missing something1). Therefore Safari can't be secured 100% against clickjacking, and the protection you can get comes with an enormous usability cost.

  • Chrome

    If you're a Chrome user, you're really out of luck: the only apparent way to disable active content is starting the browser with the following command line:

    chrome.exe -disable-javascript -disable-java -disable-plugins
    

    Of course, you cannot enable back any of these features until you restart your browser with different command line arguments. Even worse, there's no "-disable-iframe" option. So Chrome can't be secured 100% against clickjacking, and the protection you can get comes with the worst usability cost.

  • Opera

    Opera has the best built-in security user interface among browsers, very similar to NoScript's concepts: you can set restrictive defaults if you want, and relax some restrictions on selected sites you trust, using Site Preferences and Quick Preferences. It's just slightly less usable than NoScript, and it can be configured to prevent clickjacking: you need to disable everything you can see in Preferences|Advanced|Content, then enter opera:config in your address bar, click the "Extensions" handle and uncheck the "IFrames" line.

Final note: current NoScript development versions (1.8.1.7 and above) provide protection against IFRAME-based clickjacking even without disabling IFRAMEs. This is a further usability/security advantage over any other solution, and it's being tested by Sirdarckcat (a pioneer of malicious CSS overlays) with a final stable released planned for the end of this week. Therefore, if you can choose, your best usability+security choice is still Firefox+NoScript.

Hurry, it's the best time to use FlashGot Media!
Adobe and movie providers might withdraw their generosity at any moment :)

Update

If you did not yet, you should upgrade to NoScript 1.8.2.1 or above, because of the new ClearClick technology, the most effective anti-Clickjacking protection available.

Looks like Clickjacking is the web-security buzzword of the week (month?), since Robert "RSnake" Hansen and Jeremiah Grossman decided to cancel their OWASP talk, drawing an aura of mystery around the whole issue and its magnitudo.

Nevertheless some info and speculations have been percolating, and even if the precise details of the attacks proposed by those two researchers are still embargoed, especially because of the serious and not necessarily obvious implications worrying Adobe, a certain awareness about the general technique and the possible countermeasures does circulate now. In Jeremiah's and RSnake's words:

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. [...]
Say you have a home wireless router that you had authenticated prior to going to a [malicious] web site. [The web site] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

In other words, the attack is thrown by a malicious web page embedding objects, possibly from a different site, such as framed documents or plugin content (Flash, Silverlight, Java...) which may lead to unwanted results if clicked by the current user (e.g. a "Delete all messages" button in your webmail or an advertisement banner in a click fraud scheme). Using DHTML, and especially CSS, the attacker can disguise or hide the click target in several ways which go completely undetected by the user, who's easily tricked into clicking it in a more or less blind way.

JavaScript increases the effectiveness of these attacks hugely, because it can make our invisible target constantly follow the mouse pointer, intercepting user's first click with no failure. We can however imagine a few less effective but still feasible scriptless scenarios, e.g. covering the whole window with hidden duplicates of the target or overlaying an attractive element of the page, likely to be clicked (e.g. a game or a porn image link), with a transparent target instance.
Nevertheless, as RSnake puts it,

[...] the best defense against clickjacking attacks is to use Firefox with the NoScript add-on installed. Users running that combination will be safe, said Hansen, against “a very good chunk of the issues, 99.99 percent at this point.”

That's true because attacking from an untrusted page not allowed to run JavaScript is highly impractical, but also because NoScript by default prevents Java, Silverlight and especially Flash content, which seem so far the most dangerous clickjacking targets, from being embedded on non-whitelisted pages.

But what about that damned 0.01%? That's given by framed documents, most notably IFRAMEs. For a live and benign example of what you can do with IFRAME-based clickjacking, look at NoScript's "install now!" widget, which gets dynamically overlayed by the addons.mozilla.org install page: they're positioned so that if you click on the orange button you automatically install from AMO, skipping the security notification bar you would get on any other site. This "clickjacking" of mine has been there for a long time (since AMO V3, IIRC), and it heavily relies on JavaScript.

But even if an IFRAME-based attack was carefully crafted to work without JavaScript, NoScript would still provide effective protection, scoring a perfect 100% by RSnake's standards. You just need to enable the Plugins|Forbid <IFRAME> option, and cross-site IFRAMEs will be blocked by default on untrusted pages: they will need a confirmation to be activated, therefore "blind clicks" become impossible. Zone 365 and Hardware Forums created a short video tutorial about this setting. If you want to be protected even against unlikely attacks thrown from a trusted site included in your whitelist, check Plugins|Apply these restriction to trusted sites as well: embedded objects (plugin content and frames) get blocked on every site, but you can enable any of them on the fly by clicking on its placeholder.

A final recommendation is reading this Michal Zalewski's contribution, which covers the IFRAME case only but is very generous with mitigation proposals, both for web developers and browser vendors: by the way, his browser fix proposal #4 is almost identical to current NoScript's Forbid <IFRAME> option, and simpler variants of proposal #3 are being explored as default features in NoScript development builds since version 1.8.1.7.


Planned final release date: Jan 28th 2009.

Also released this week:

I just stumbled upon a post by Lori MacVittie, Why it's so hard to secure JavaScript.
I found it interesting because it voices the (frustrated) opinion of an important Web Application Firewall vendor, F5, about something I've been reasoning for some years :)
She essentially admits scripting languages are such a mess to secure at the semantic level («Hey Giorgio, why doesn't NoScript just strip out malicious scripts and leave the rest my page alone?»), especially from an external node (like a firewall) which does not actually parse the code:

I am not aware of any security solution that currently parses out JavaScript before it's delivered to the client. If there are any out there, I'd love to hear about them.

Well, WebCleaner comes to mind.
Also NoScript's Anti-XSS filters actually parse cross-site request fragments through SpiderMonkey, mainly to reduce false positives by acting on syntactically valid JS only.

But she obviously means something different: a device placed outside the browser, parsing JavaScript and performing sandboxed behavioral analysis.
The latter is the true challenge here, but building such a toy might be not impossible, especially since the best JavaScript implementations out there, Mozilla's SpiderMonkey/TraceMonkey and Google's V8 are open-source and embeddable. However, performance penalties aside (most of the scripts should be parsed and possibly compiled and executed at least twice), you would loose a very important decision factor: browser context, i.e. DOM, cookies, authenticated sessions, navigation history and so on.
Unless they imagine to stuff a "twin" of your browser inside your firewall, sort of a proxy based on Gecko+SpiderMonkey or WebKit+V8 and acting as a guinea pig just before the "real" navigation happens...
But for the time being,

That's why browser add-ons like NoScript are so popular. JavaScript security today is binary: allow or deny. Period. There's no real in between. There is no JavaScript proxy that parses and rejects malicious script, no solution that proactively scans JavaScript for code-based exploits, no external answer to the problem. That means we have to rely on the browser developers to not only write a good browser with all the bells and whistles we like, but for security, as well.

Bad Behavior has blocked 786 access attempts in the last 7 days.