ISAM for Web – Clickjacking prevention

What is Clickjacking?

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function. The term “clickjacking” was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking can be understood as an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority.
Source: Wikipedia http://en.wikipedia.org/wiki/Clickjacking

Mitigating against Clickjacking

Clickjacking is a very real threat, and there are two main mechanisms for protecting against it:

  • FrameKiller JavaScript
    JavaScript that is designed to break out of any attempt to frame the page.
  • HTTP Headers defining security policy
    HTTP headers can tell the browser whether or not returned pages can be shown in a frame.

Using a FrameKiller script with ISAM for Web – WebSEAL

For application pages (from junctioned servers), it will be necessary to configure the junctions to add a suitable script. For WebSEAL pages, it's a simple process of customising the pages. For example, the login.html page can be modified with the current OWASP recommended FrameKiller script:

OWASP Script

First apply an ID to the style element itself:

<style id="antiClickjack">body{display:none !important;}</style>

And then delete that style by its ID immediately after in the script:


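<script type="text/javascript">
   if (self === top) {
       // Not framed: remove the style that hides the body so the page renders.
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       // Framed: try to replace the top-level page with this one.
       top.location = self.location;
   }
</script>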

This way, everything can be in the document HEAD and you only need one method/taglib in your API.
Reference: https://www.codemagi.com/blog/post/194

For a more detailed example of customising your login page, see an upcoming article.

Using FrameKilling HTTP Headers with ISAM for Web – WebSEAL

The most common, although now superseded, HTTP header for this purpose is the X-Frame-Options header. To add this header to HTTP responses, follow the steps defined in another post, ISAM for Web – Sending Security Headers.

That post also defines the Content-Security-Policy header which is being finalised as part of the CSP version 2.0 release.

Internet Explorer displays an error message. (Firefox and Chrome do not render the page.)
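
To check that responses coming back through WebSEAL actually carry a usable framing policy, the headers can be audited as below. This is an added example, not code from the original post or from ISAM; the function names `parseFrameAncestors` and `auditFraming` are hypothetical, header names are assumed to be lower-cased, and the sample responses are constructed.

```javascript
// Added example (not from the original post): audit anti-framing headers.
// `headers` uses lower-cased names, as Node's http module delivers them.
function parseFrameAncestors(csp) {
  // Source list of the first frame-ancestors directive, or null if absent.
  for (const directive of String(csp || "").split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function auditFraming(headers) {
  const findings = [];
  const raw = headers["x-frame-options"];
  const xfo = raw === undefined ? null : String(raw).trim().toUpperCase();
  const ancestors = parseFrameAncestors(headers["content-security-policy"]);

  const xfoOk = xfo === "DENY" || xfo === "SAMEORIGIN";
  if (xfo !== null && xfo.startsWith("ALLOW-FROM")) {
    findings.push("X-Frame-Options ALLOW-FROM is ignored by current browsers");
  } else if (xfo !== null && !xfoOk) {
    findings.push("X-Frame-Options value not recognised: " + xfo);
  }

  let cspOk = false;
  if (ancestors !== null) {
    // An empty source list matches no origin, so it is as strict as 'none'.
    const open = ancestors.some((s) => ["*", "http:", "https:"].includes(s));
    cspOk = !open;
    if (open) findings.push("frame-ancestors lets any origin frame the page");
  }

  // Browsers that support frame-ancestors enforce it instead of X-Frame-Options.
  const isProtected = ancestors !== null ? cspOk : xfoOk;
  if (!isProtected) findings.push("no effective framing restriction");
  else if (ancestors === null) findings.push("X-Frame-Options only; add frame-ancestors");
  else if (!xfoOk) findings.push("frame-ancestors only; older browsers need X-Frame-Options");
  return { protected: isProtected, findings };
}

// Constructed sample responses, not captured from a real WebSEAL instance.
const samples = [
  { "x-frame-options": "SAMEORIGIN", "content-security-policy": "frame-ancestors 'self'" },
  { "x-frame-options": "DENY", "content-security-policy": "default-src 'self'; frame-ancestors *" },
  {},
];
for (const h of samples) console.log(JSON.stringify(h), auditFraming(h));
```

The second sample is reported as unprotected even though it sends `X-Frame-Options: DENY`, because a wildcard `frame-ancestors` takes precedence in browsers that support it.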

Conclusion

ISAM for Web allows a web security administrator to apply clickjacking mitigation techniques without modifying their backend applications. The security headers can be easily configured to return on all pages junctioned from WebSEAL.
