Archive for October, 2008

Sirdarckcat just pinged me with some more Clickjacking stuff, including his own related work:

Regarding protection, if you're a Firefox/NoScript user you should already know about ClearClick. If you're not, I feel a bit sorry for you.

B & B

History will tell that George W. Bush has been a great, very great President of the United States

Silvio Berlusconi, Italian Prime Minister, Columbus Day 2008

George, please, in November take Silvio with you.
Many thanks.

Finally NoScript is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings.

The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in "clear". At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction. This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs.

As you already know if you read my first clickjacking article, an old and benign clickjacking example is NoScript's "Install Now" orange button, which overlays the green one on to work-around the installation security warning. If you click it with ClearClick enabled, now you get warned about something sneaky going on.

ClearClick Warning on NoScript's install button

I do not need to change my button yet, because NoScript ships with ClearClick enabled on untrusted (non whitelisted) parent pages only, while the whitelist status of the embedding is irrelevant. This gives a good balance between effectiveness and usability, since the attacker in a clickjacking attack is always the parent. If you want to get the warning on and on the other sites you trust, you need to flag the second checkbox on NoScript Options|Plugins|ClearClick protection on pages... [x] untrusted [x] trusted. I recommend to flag it anyway and report any usability issue, because this feature so far seems quiet and unobtrusive enough to justify my temptation of enabling everywhere (trusted + untrusted) by default on next stable release, but it must get a lot of testing from you first.


NoScript 1.8.4 and above ship with ClearClick enabled on both untrusted and trusted sites. It works everywhere, even if you've got scripts globally allowed. And yes, at that point I had to change install button, therefore if you want a PoC you need to look elsewhere.

Other clickjacking-related features included in this release are:

  1. Opaque embedded objects: plugin content and frames are forcibly made opaque and get styled with "overflow: auto" (i.e. get scrollbars if their inner size exceed their viewport) on untrusted pages.
  2. Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a "frame busting" script similar to
    <script>if (top != self) top.location = location</script>

    , the intention of the page author is honored by NoScript, i.e. the page replaces the topmost document. You can control this feature toggling the noscript.emulateFrameBreak about:config preference.

  3. Some usability and effectiveness improvements in frame management, making the Forbid IFRAMEs option more suitable for general usage.

I hope to find some time during this week to write another post, diving through the technical details behind my ClearClick implementation: a fairy tale about a very simple and hopeful idea (unconventional <canvas> usage) fighting against an army of quirks and mundane details. In the meanwhile, many thanks to Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for discussion, testing and inspiration.

As I hinted in my original clickjacking article and confirmed in my follow-up about protecting other browsers from clickjacking, specific anti-clickjacking countermeasures are included in latest NoScript development builds, enabled by default, and completely independent from frame blocking.

Specifically, since (released past Friday), embedded objects of any kind are forcibly made opaque if placed on a non-whitelisted page, giving user a clear view on what he's about to click.
A further protection layer, automatically disabling any user interaction with partially obstructed documents (similar in concept to Zalewski's preferred proposal), will go in a stable release by the end of this week, but current development builds are already safe and good enough for general consumption, so I recommend upgrading now (update) is available in NoScript 1.8.2 and above.

Starting this fresh development line, rather than sitting on the serendipity of old NoScript features being able to prevent known forms of clickjacking, proved to be a very wise thing to do.
In facts, both RSnake and Ronald during the last two days found frame blocking work-arounds. RSnake in particular, being a NoScript user himself, has been so kind to do responsible disclosure, giving me also a lot of constructive feedback about the alternate mitigation ideas I was developing.

I must be grateful to Ronald as well, because he -- even if in a less cooperative way -- underlined a conceptual weakness in IFRAME blocking (since OBJECTs can behave just like IFRAMEs, they should be blocked according to the very same criteria), but I have to rectify this statement from his public disclosure post:

The latest version of NoScript allows it's users to block iframes in order to protect themselves from "Clickjacking".

NoScript has been capable of blocking IFRAMEs for a long time: this feature had been introduced mainly to make Gareth Heyes happy, more than one year ago. As often observed with NoScript, an old feature happens to be effective against new threats.
Unfortunately, bugs happen too and IFRAME blocking not being applied to all the frame-like elements is what I do consider a bug. This one will be fixed in the automatic stable update you're going to receive in a few days, but in the meanwhile is already fixed; you can enjoy the new specific clickjacking protection, no matter if you block frames or not, by simply upgrading to NoScript or above.

Update Oct 2nd, afternoon

The frame/object bug has already been fixed in, one more reason to upgrade.

Update Oct 7th

NoScript 1.8.2 is finally out, featuring the brand new exclusive ClearClick technology against Clickjacking. Upgrade now!

Bad Behavior has blocked 926 access attempts in the last 7 days.