Clickjacking does not rely on bugs in any software. Instead, the technique is simply an abuse of the growing graphical capabilities that advanced web standards like CSS provide to web browsers. A good introduction to clickjacking is provided by Steve Gibson and Leo Laporte on their Security Now! podcast.
As far as I’m aware, only Firefox when combined with the NoScript add-on and Internet Explorer when combined with the GuardedID product provide any measure of protection against clickjacking attacks. To date no other browser can detect, alert, or otherwise help you to avoid or mitigate the risks of clickjacking attacks.
That said, there’s gotta be something users of other browsers can do. Well, it may not be as much as what NoScript can do, but there is something: use a user style sheet to help expose common clickjacking attack attempts.
clickjane.css
helps detect clickjacking attacks for all browsers
Until browser manufacturers provide built-in protections against clickjacking attacks in their software (which is arguably the best place for such logic in the first place), the CSS in clickjane.css attempts to instantly reveal common clickjacking attempts. Since it is a CSS user style sheet, this approach should be cross-browser compatible, so users of any browser, including Safari, Opera, and others that have no other means of protecting against clickjacking attacks, can use it.
Before and after clickjane.css
Here are two example screenshots of a benign clickjacking demo.
- Before: screenshot of the demo page without clickjane.css applied
- After: screenshot of the same page with clickjane.css applied
Good habits you should get into to mitigate clickjacking risks
Here is a list of behaviors that you should make habitual while you browse the web. Engaging in these behaviors can dramatically reduce the likelihood that you will be victimized by a clickjacking attack.
- Explicitly log out of any service you have logged in to when you are done. That log-out button is there for a reason: use it!
- Avoid providing your browser with “Auto-Complete” information for critical sites, such as your bank.
- Make sure you are running Flash Player 10 or greater, which mitigates this vulnerability for Adobe Flash content.
clickjane.css
```css
/*
 * This is a user style sheet to do what it can to
 * reveal clickjacking attempts. This is in no way
 * a silver bullet to protect against clickjacking.
 *
 * @file clickjane.css
 * @license GPL3
 *
 * Copyright 2008 Meitar Moscovitz (email : meitar@maymay.net)
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */

/*
 * Clickjacking very commonly uses a transparent iframe.
 * I can't imagine a modern web site that would ever do
 * this, so let's just never allow transparent iframes.
 */
iframe {
    filter: alpha(opacity=100) !important; /* legacy IE proprietary opacity filter */
    opacity: 1 !important;                 /* for conforming browsers */
}
```
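The style sheet above forces every iframe opaque but tells you nothing about what it changed. As an added example that is not part of clickjane.css or the original post, the script below does the complementary job: it walks a page tree, computes each iframe's effective opacity (opacity compounds through ancestors, so a fully opaque iframe inside a `div` with `opacity: 0.2` is still nearly invisible), and reports frames below an assumed threshold. The node format, the `OPACITY_THRESHOLD` value and the sample page are constructed here so the logic runs outside a browser; `snapshotElement` is the only browser-dependent piece.

```javascript
// Added example: report iframes that would render nearly invisible.
// Complements clickjane.css, which forces them visible without reporting.

const OPACITY_THRESHOLD = 0.5; // assumed cut-off; frames below this are flagged

// Plain tree node (constructed format for this example):
// { tag, opacity (0..1, defaults to 1), src (iframes only), children: [] }
function findSuspiciousFrames(node, inheritedOpacity = 1, found = []) {
  const own = node.opacity === undefined ? 1 : node.opacity;
  // CSS opacity is multiplicative down the tree, so a visible iframe
  // inside a faded ancestor is still effectively hidden.
  const effective = inheritedOpacity * own;
  if (node.tag.toLowerCase() === 'iframe' && effective < OPACITY_THRESHOLD) {
    found.push({ src: node.src || '', effectiveOpacity: effective });
  }
  for (const child of node.children || []) {
    findSuspiciousFrames(child, effective, found);
  }
  return found;
}

// Convert a live DOM element into the plain tree above (browser only).
function snapshotElement(el, win) {
  const style = win.getComputedStyle(el);
  return {
    tag: el.tagName,
    opacity: parseFloat(style.opacity),
    src: el.getAttribute('src') || '',
    children: Array.from(el.children, (c) => snapshotElement(c, win)),
  };
}

// Constructed sample page: one visible frame, one hidden by its own
// opacity, and one hidden only through an ancestor's opacity.
const SAMPLE_PAGE = {
  tag: 'body',
  children: [
    { tag: 'iframe', src: 'https://example.com/visible', opacity: 1, children: [] },
    {
      tag: 'div',
      opacity: 0.2,
      children: [
        { tag: 'iframe', src: 'https://example.com/hidden-by-ancestor', children: [] },
      ],
    },
    { tag: 'iframe', src: 'https://example.com/hidden', opacity: 0, children: [] },
  ],
};

// Entry point for use in a browser (e.g. from a bookmarklet); returns the
// flagged frames so the caller can log or highlight them.
function scanCurrentDocument() {
  if (typeof document === 'undefined') return [];
  return findSuspiciousFrames(snapshotElement(document.body, window));
}

// Stand-alone run over the constructed sample page.
console.log(findSuspiciousFrames(SAMPLE_PAGE));
```

Run against `SAMPLE_PAGE` the scan flags two frames: the one nested under the faded `div` (effective opacity 0.2) and the fully transparent one (0), while the visible frame passes. Because the check is done on computed values, it also catches opacity set from external style sheets, which a user style sheet rule alone would override but never surface.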
Inspired by: Meitar Moscovitz’s article on Clickjacking