Wednesday, January 28, 2009

‘ClickJacking Protection’ in IE8 RC1

Have you heard. IE 8 RC1 (Release Candidate) is out now. Just like the previous release, this time also MSFT had included a new feature names ClickJacking Protection.

Lets here what Wikipedia has to say about this.

Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.

One of the most security vulnerabilities in the web-world is called Cross Site Request Forgery (CSRF). Preventing CSRF attacks is hard because there’s generally no easy fix. The browser architecture allows interaction & navigation between multiple sites simultaneously, within a page; which can be exploited by an attacker.

IE 8 Dev Team says, “ClickJacking is a term which encompasses multiple techniques that can be used to trick the user into unwittingly clicking an obscured or hidden web element, usually resulting in an unwanted transaction”. A successful ClickJacking attack could circumvent CSRF protections that attempt to confirm transactions with the user.

The simplest and most broadly-used mechanism to defeat ClickJacking attacks is called frame-busting.It works by simply preventing vulnerable pages from being framed. Since, a typical frame-busting mechanisms rely on script; it can be defeated in various ways.

The Internet Explorer 8 RC introduces a new opt-in mechanism that enables web applications to mitigate the risk of ClickJacking on vulnerable pages by declaring that those pages may not be framed.

How it works

Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top level-browsing-context is different than the origin of the content containing the X-FRAME-OPTIONS directive. For instance, if contains a DENY directive, that page will not render in a sub-frame, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact origin.

When rendering is blocked by the X-FRAME-OPTIONS policy, a local error page is presented that explains the restriction and provides a link which opens the frame in a new window. When displayed in a new window rather than a sub-frame, content is no longer subject to ClickJacking.

ClickJacking is an alternate scriptless way of performing Frame Busting. However, this technique becomes useless if the attach involves Flash applets and other kind of plug-in embeddings.

I came across a couple of articles claiming that ‘Experts’ believe this technique is not gonna lockdown the attack. But. I’m sure of one thing. At least, websites will use this Microsoft technology to prevent attacks, for their IE users.

For time being this is a good security policy. Let see what MSFT has ironing for the final release.

Good Luck, Redmondians.

Oh! forgot to say, I started using IE 8 RC1.



Aruna Jx said...

Another example which emphasis the fact that MS and its followers lives in a small groove as said by the business week...

And what the case about opensource browser project mozilla FF... the latest version (by < OCT 2008) of its free "Noscript" addon

do the trick effectively...

read :

And what you feel when copy and pasting contents from other websites without making any credits to its original poster...!!

( )

Is pure plagiarization allowed as a part of MS manifesto..??! you guys every time spit about copyright and hard licensing and this is what you really posess... Never felt ashamed of yourself...??!

Abhilash said...

Hi Jxw,
I know you are out there. Showing me a link of FF's link dont do the job.
What I blogged is my personal review/opinion. And I never claimed that the articles are solely belongs to me. Atleast sroll-down to your page and see that i included the reference to the original article itself.
And one more thing, take time to read the article, I never clamied that FF/Chrome is a bad browser. I only stated that MSFT has had included click-jacking protection in IE8RC1.
I know you are an OO fan. Atleast you forgot the basic rule of OO-knowledge is to spread.
Licensing and copyright is required for working out business logic & market share. I know you still run Windows XP in your laptop (and your friend asked me Vista DVD for his laptop, last day). Why are you using that? Why dont you use linux? Anyway, I dont need any answer. But, the way respond is a usual response from an OO guy. Never mind, Keep the spirit.
And forgot...!!!
Thanks for the comment. But creating a blogger account solely for making a comment is a very bad idea to deal with.
Never mind, I know you from the college time itself.
Ok buddy...
Take care.

Best viewed in Internet Explorer 8.