Clickjacking is a recently disclosed attack where users are fooled into unknowingly performing sensitive actions on external sites. It’s been demonstrated in several videos. Although it’s similar to cross-site request forgery, it can’t be prevented using a secret token – all form submissions and link clicks look valid because the user is interacting with the actual site.
Several proposed fixes are outlined nicely here. I’d like to focus on framebusting, which is the simplest solution.
```javascript
// If this page is not the top-level window, replace the top window with this page.
if (top != self) top.location.href = location.href;
```
A page containing this code, when loaded into a frame, "busts" out of the frame and takes over the full browser window. It works, but there are some problems.
- It’s opt-in. No one is protected by default.
- It doesn’t work for pages that need to be in frames legitimately.
- It may cause a performance hit.
- It can be defeated in Internet Explorer (6 and up) using the security=restricted attribute.
As a side note, some researchers have found ways to bypass the security=restricted attribute, but doing so requires control of the outer frame, so it is of no use for preventing clickjacking.
A variant that holds up better hides the site content by default and reveals it only once the page has confirmed it is not framed, so a frame that blocks the framebuster still shows nothing useful:
```html
<div id="all" style="display:none;">
  [Site content goes here]
</div>
<script type="text/javascript">
  // Runs after the div exists. Content stays hidden unless this page is the
  // top-level window; a frame that blocks framebusting never gets to see it.
  if (top == self) document.getElementById('all').style.display = 'block';
</script>
```
Not a perfect solution, but it does make it more difficult for the attacker. Until we have a complete solution, it’s what I’ll recommend and include in the .NET ESAPI.
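The two pieces above, framebusting and keeping the content hidden until the page knows it is top-level, combined as an added example that is not code from the original post or from ESAPI. The defense is written as a function over a window-like object so that the three cases a defender cares about (top-level, framed and able to bust out, framed with navigation blocked as under security=restricted) can be exercised offline against constructed mocks; the mock window surface, the `all` element id and the URLs are constructed for the example.

```javascript
// Added example, not code from the original post: framebusting combined with
// content that stays hidden until the page knows it is the top-level window.
// The defense is written over a window-like object so it runs in a browser
// (applyClickjackingDefense(window)) and against constructed mocks in Node.

function applyClickjackingDefense(win) {
  const content = win.document.getElementById('all');
  // Framed means this document is not the top-level browsing context.
  const framed = win.top !== win.self;
  if (framed) {
    // Try to bust out by navigating the top window to this page. Under IE's
    // security=restricted the assignment is ignored, and some environments
    // block or throw on it, so success is never assumed.
    try {
      win.top.location.href = win.location.href;
    } catch (e) {
      // Leave the content hidden regardless.
    }
    return { framed: true, revealed: false };
  }
  // Top-level: reveal the content the markup hid with display:none.
  content.style.display = 'block';
  return { framed: false, revealed: true };
}

// Constructed mock of the minimal window/DOM surface the defense touches.
// bustAllowed=false emulates a frame where navigation attempts are ignored.
function makeMockWindow({ framed, bustAllowed = true }) {
  const content = { style: { display: 'none' } };
  const win = {
    location: { href: 'https://example.test/page' },
    document: { getElementById: (id) => (id === 'all' ? content : null) },
  };
  win.self = win;
  if (!framed) {
    win.top = win;
    return win;
  }
  const outerLocation = {};
  let outerHref = 'https://framing-site.example/outer';
  Object.defineProperty(outerLocation, 'href', {
    get: () => outerHref,
    set: (value) => { if (bustAllowed) outerHref = value; },
  });
  win.top = { location: outerLocation };
  return win;
}

// Runs the three cases and reports whether the content was shown and where
// the top window ended up.
function demo() {
  return ['top-level', 'framed', 'framed-restricted'].map((name) => {
    const win = makeMockWindow({
      framed: name !== 'top-level',
      bustAllowed: name !== 'framed-restricted',
    });
    const result = applyClickjackingDefense(win);
    return {
      name,
      revealed: result.revealed,
      display: win.document.getElementById('all').style.display,
      topHref: win.top.location.href,
    };
  });
}

if (typeof window === 'undefined') {
  // Node: print the table; in a browser, call applyClickjackingDefense(window).
  console.table(demo());
}
```

The point the third row makes is the one the post relies on: when the framebuster is neutralised, the outer window keeps its own URL, but the framed page's content is still `display:none`, so there is nothing for an overlaid click to land on.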