Firefox + NoScript vs Clickjacking

In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:

Hi Ryan,

I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].

I had access to detailed information about how this attack works and I can tell you the following:

  1. It's really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) -- see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the "Plugins|Forbid <IFRAME>" option.

Cheers, Giorgio

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue.  In a nutshell, I was told that it's indeed "very, freaking scary" and "near impossible" to fix properly.

Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.

Topic: Browser


Talkback

42 comments
  • "near impossible to fix properly"

    That sounds very promising to those who want to build online apps on top of HTML.

    NOT.
    LBiege
    • One day, the browser will be your desktop............................ nt

      nt
      T1Oracle
      • reminds me of ...

        the annual "this is our year" talking.
        LBiege
      • One day people will realize that's a dream, not a reality (nt)

        nt = no text
        CobraA1
      • Yes, the Windows 2000 days...

        I remember the brouhaha of monopoly that Microsoft was making the Internet Explorer browser part of your desktop in Windows 2000. Imagine the true nightmare this will have on the OS when someone takes full advantage of this vulnerability.
        Monopolies and putting everything in one basket are bad and this is the proof of this.
        phatkat
  • RE: Firefox NoScript vs Clickjacking

    If the "noscript" plugin might help prevent some exploits, what about the script-defeating mechanism in WebWasher Classic (a free program available at several download sites on the Web)? WebWasher inserts itself as a transparent proxy between your browser and the Net, and so would potentially work for ALL browsers, not just FireFox. It might well be the only fix for IE for awhile.
    BrettGlass
  • Q: "For 100% protection by NoScript,..."

    Does 100% refer to complete immunity against clickjacking attacks or general threats?

    Btw, a side note here. US-CERT's (old) advice seems to apply:
    The following link takes you to Safari section, scroll up a bit to see advice on configuring NoScript.
    http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Safari
    rileinc
    • 100% means...

      100% protected against clickjacking from an untrusted page.
      Of course I'd never say NoScript can protect you 100% from anything, but regarding web-based exploits pulled by untrusted (unknown) sites it goes pretty near.
      Back to clickjacking, against the remote event of a full-fledged clickjacking attack mounted from a trusted (whitelisted) page, you need to check also "Apply these restrictions to trusted sites as well", more details here: http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=52374&messageID=987412&start=0
      Giorgio Maone
  • From what I can tell

    From what I can tell, this pretty much means that:

    -Being able to pull information from other domains should probably not be done by the client. Wanna display some ads? Pull them in server side.

    -More work should be done to stop cross site scripting. When the user moves to a new domain, everything from the old domain should be thrown out, no questions asked. In addition, JavaScript created in one domain should be forbidden to have any effect on pages from other domains.

    -Java's and Flash's ability to break out of the frame, especially without user permission, should be forbidden.

    -IE8 and Google Chrome are splitting separate tabs into separate processes. Chrome is taking it a step further to create a new process and destroy the old one when you surf to a new domain. IMHO, that behavior is the future. Now that websites are acting like applications, they're going to be treated like applications. I expect further isolation to continue.

    -Hate to say it, but frames and iFrames are not the future. I expect they'll be phased out. Neither of them were ever very secure anyways.
    CobraA1
    • Good Post(nt)

      :)
      Real World
    • Never liked frames anyway

      And good post, CobraA1.
      djchandler
  • iFrames are from the devil anyway

    I never did like iFrames but not as bad as I dislike ActiveX. If you're an Ubuntu user there have been Firefox critical updates coming fast and furious the last couple days.
    Chad_z
    • Firefox updates

      I am a windoze user, and I have updated to 3.0.2.

      I wholeheartedly agree about Active-X.
      fatman65535
      • As of Sept. 26th - FireFox 3.0.3 is the latest version

        As of Sept. 26th - FireFox 3.0.3 is the latest version, be sure to check for updates frequently. :)
        Peopleunit
  • RE: Firefox NoScript vs Clickjacking

    this kind of bothers me because I suspect that the
    "invisible layer" can be put there without Js at all - just use
    css and set it up, put it all in white against a white
    background and no one can "see" anything unless they view the
    page source. simple and malicious.
    this seems like a reversal of the technique of stealing images from one site for use on another one by listing the
    url of the stolen image instead of a local image.
    if css and Js goes out the window.... what's that new thing
    called????? umm oh yeah Web 2.0 might not be so keen
    after all.
    vilppuu
  • Active content

    Hasn't it become crystal clear that all "Active Content" is a gaping security hole that hackers love to exploit?

    I think there needs to be a concerted effort to standardize and reduce the size of the active content sandbox. Or else eliminate active content completely?
    w_c_mead
  • Thanks for the post

    And thanks for NoScript, Giorgio.

    But I still think I'll get in my sandbox just to be safer.
    djchandler
  • I love NoScript

    I've been using it for... wow.. I don't know how long. Been a year or so I think. Anyways, it has really protected me from a lot of crap in the cloud.

    Nevertheless, using the no-frame option will be a hassle... wise, but still.

    I will never ever understand why anyone could be such a low-life to create virus, vondue, smitfraud, etc... and now clickjacking. It's cyber-terrorism...
    Qix77
  • Why not RemoveAdmin?

    We've been in communication with the author of this seemingly handy utility, over at TechRepublic, and it seems very straight-forward:

    Remove administrative privileges from Internet Explorer. He claims this trumps iFrame, Java, active X exploits; think it's possible?

    I haven't tried it yet but I'm going to.
    JCitizen
    • Ditto

      ...but as well as that - and just to err on the side of caution (because let's face it, when it really gets down to it, i *flat* don't trust a soul on the BBI), i'm going to forbid the iFrames option as well.

      Call me old fashioned, but the only web pages i ever liked were plain, zero-active content, HTML pages.

      Anyways, hopefully the two counter-measures combined will go a long ways toward nullifying the latest wave of exploits (i.e. the likes of clickjack).

      Sincerely.

      (n.b. BBI = big, bad internet)
      thx-1138_