Firefox + NoScript vs Clickjacking
In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:
Hi Ryan,
I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
I had access to detailed information about how this attack works and I can tell you the following:
- It's really scary
- NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) -- see this comment by Jeremiah Grossman himself.
- For 100% protection by NoScript, you need to check the "Plugins|Forbid <IFRAME>" option.
Cheers, Giorgio
I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it's indeed "very, freaking scary" and "near impossible" to fix properly.
Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.
Talkback
"near impossible to fix properly"
NOT.
One day, the browser will be your desktop (nt)
reminds me of ...
One day people will realize that's a dream, not a reality (nt)
Yes, the Windows 2000 days...
Monopolies and putting everything in one basket are bad, and this is the proof of it.
RE: Firefox NoScript vs Clickjacking
Q: "For 100% protection by NoScript,..."
Btw, a side note here. US-CERT's (old) advice seems to apply:
The following link takes you to the Safari section; scroll up a bit to see the advice on configuring NoScript.
http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Safari
100% means...
Of course I'd never say NoScript can protect you 100% from anything, but regarding web-based exploits pulled by untrusted (unknown) sites it goes pretty near.
Back to clickjacking, against the remote event of a full-fledged clickjacking attack mounted from a trusted (whitelisted) page, you need to check also "Apply these restrictions to trusted sites as well", more details here: http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=52374&messageID=987412&start=0
From what I can tell
-Being able to pull information from other domains should probably not be done by the client. Wanna display some ads? Pull them in server side.
-More work should be done to stop cross site scripting. When the user moves to a new domain, everything from the old domain should be thrown out, no questions asked. In addition, JavaScript created in one domain should be forbidden to have any effect on pages from other domains.
-Java's and Flash's ability to break out of the frame, especially without user permission, should be forbidden.
-IE8 and Google Chrome are splitting separate tabs into separate processes. Chrome is taking it a step further to create a new process and destroy the old one when you surf to a new domain. IMHO, that behavior is the future. Now that websites are acting like applications, they're going to be treated like applications. I expect further isolation to continue.
-Hate to say it, but frames and iFrames are not the future. I expect they'll be phased out. Neither of them were ever very secure anyways.
Good Post(nt)
Never liked frames anyway
iFrames are from the devil anyway
Firefox updates
I wholeheartedly agree about Active-X.
As of Sept. 26th, Firefox 3.0.3 is the latest version.
RE: Firefox NoScript vs Clickjacking
The "invisible layer" can be put there without JS at all: just use CSS and set it up, put it all in white against a white background, and no one can "see" anything unless they view the page source. Simple and malicious.
This seems like a reversal of the technique of stealing images from one site for use on another one by listing the URL of the stolen image instead of a local image.
If CSS and JS go out the window... what's that new thing called????? Umm, oh yeah, Web 2.0 might not be so keen after all.
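The comment above describes the CSS-only version of the trick: a frame or element that is present and clickable but invisible, either through zero opacity or white-on-white styling. As an added example (not code from the ZDNet post, from NoScript, or from any commenter), the script below is a small static triage scanner that walks the inline `style` attributes in a page and flags framing elements (`iframe`, `frame`, `object`, `embed`) or absolutely positioned overlays that are styled to be invisible. The sample page, the element names and the thresholds are constructed for the example; the regex pass over tags is deliberately simple and is not a real HTML/CSS engine, so it is a review aid for spotting the pattern, not a detector of every variant.

```javascript
// Added example: static scan of inline CSS for "invisible overlay" indicators.
// Assumptions (constructed for this example): inline style attributes only,
// a near-zero opacity threshold of 0.1, and a small constructed sample page.

const FRAMING_TAGS = new Set(['iframe', 'frame', 'object', 'embed']);

// Parse "name: value; name: value" inline CSS into a lowercase property map.
function parseInlineStyle(styleText) {
  const props = {};
  for (const decl of styleText.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;
    const name = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim().toLowerCase();
    if (name) props[name] = value;
  }
  return props;
}

// Reasons an element would be invisible to the user while still receiving clicks.
function invisibilityReasons(props) {
  const reasons = [];
  const opacity = parseFloat(props.opacity);
  if (!Number.isNaN(opacity) && opacity < 0.1) reasons.push('near-zero opacity');
  if (props.visibility === 'hidden') reasons.push('visibility:hidden');
  // White-on-white (or any colour-on-same-colour) text: the comment's CSS-only layer.
  const fg = props.color;
  const bg = props['background-color'] || props.background;
  if (fg && bg && fg === bg) reasons.push('foreground matches background');
  return reasons;
}

// Elements taken out of normal flow can be stacked over the page's real controls.
function isOverlay(props) {
  return props.position === 'absolute' || props.position === 'fixed';
}

// Scan raw HTML and return one finding per suspicious element.
function scanHtml(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  const styleRe = /style\s*=\s*(?:"([^"]*)"|'([^']*)')/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const styleMatch = styleRe.exec(m[2]);
    if (!styleMatch) continue; // no inline style: nothing to judge here
    const props = parseInlineStyle(styleMatch[1] !== undefined ? styleMatch[1] : styleMatch[2]);
    const reasons = invisibilityReasons(props);
    if (reasons.length === 0) continue; // visible element, not interesting
    // Report invisible framed content, or any invisible element layered over the page.
    if (FRAMING_TAGS.has(tag) || isOverlay(props)) {
      if (isOverlay(props)) reasons.push('absolutely positioned overlay');
      findings.push({ tag, reasons });
    }
  }
  return findings;
}

// Constructed sample page: a visible bait button, an invisible framed form laid
// over it, a white-on-white overlay div, and a plainly visible ad frame.
const SAMPLE_PAGE = `
<html><body>
<p style="color:#333">Click the button below to win!</p>
<button id="bait">Click me</button>
<iframe src="https://bank.example/transfer" style="position:absolute; top:120px; left:40px; opacity:0; z-index:10"></iframe>
<div style="position:absolute; color:white; background-color:white">hidden text</div>
<iframe src="https://ads.example/banner" style="width:300px;height:250px"></iframe>
</body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_PAGE), null, 2));
```

Running it reports the zero-opacity bank frame and the white-on-white div, and leaves the ordinary ad frame alone; in a real review the same checks would have to be extended to stylesheet rules and class names, since inline styles are only the most obvious place to hide such a layer.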
Active content
I think there needs to be a concerted effort to standardize and reduce the size of the active content sandbox. Or else eliminate active content completely?
Thanks for the post
But I still think I'll get in my sandbox just to be safer.
I love NoScript
Nevertheless, using the no-frame option will be a hassle... wise, but still.
I will never ever understand why anyone could be such a low-life as to create viruses, Vundo, SmitFraud, etc... and now clickjacking. It's cyber-terrorism...
Why not RemoveAdmin?
Remove administrative privileges from Internet Explorer. He claims this trumps iFrame, Java and ActiveX exploits; think it's possible?
I haven't tried it yet but I'm going to.
Ditto
Call me old fashioned, but the only web pages i ever liked were plain, zero-active content, HTML pages.
Anyways, hopefully the two counter-measures combined will go a long way toward nullifying the latest wave of exploits (i.e. the likes of clickjacking).
Sincerely.
(n.b. BBI = big, bad internet)