Firefox + NoScript vs Clickjacking
In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:
![ryan-naraine.jpg](https://www.zdnet.com/a/img/resize/58705b1ab848cb0209d7d7d504dffaab176d93aa/2014/07/22/4b4e2273-1175-11e4-9732-00505685119a/ryan-naraine.jpg?auto=webp&fit=crop&frame=1&height=192&width=192)
![Firefox + NoScript vs Clickjacking](https://www.zdnet.com/a/img/2014/10/04/6021a85f-4b64-11e4-b6a0-d4ae52e95e57/noscriptlogo.png)
Hi Ryan,
I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
I had access to detailed information about how this attack works and I can tell you the following:
- It's really scary
- NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) -- see this comment by Jeremiah Grossman himself.
- For 100% protection by NoScript, you need to check the "Plugins|Forbid <IFRAME>" option.
Cheers, Giorgio
I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it's indeed "very, freaking scary" and "near impossible" to fix properly.
Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.