[WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack

Bil Corry bil at corry.biz
Thu Oct 23 12:12:32 EDT 2008

Arshan Dabirsiaghi wrote on 10/6/2008 10:37 AM: 
> Framebusting across current and legacy browsers is the only
> difficulty here. Here is some code from Giorgio Maone:
>> try { if (top.location.host != self.location.host) throw "x"; }
>> catch(e) { window.open(location.protocol + "://" + location.host,
>> "_top") }
> Clever code, not sure what the legacy support is but it doesn't look
> to utilize anything new enough to cause problems.

Giorgio offers up something a little simpler here:

<script>if (top != self) top.location = location</script>


And someone named "Jeremy" had an interesting idea for when JavaScript is disabled: overlay the entire page with a div that covers up the buttons/links/etc.:

<noscript><div style="position:absolute;left:0;top:0;z-index:99;width:10000;height:10000;">This page requires JavaScript</div></noscript>


So if you combine those ideas, you end up with:

	<script>if (top != self) top.location = location</script>
	<noscript><div style="position:absolute;left:0;top:0;z-index:999;width:10000px;height:10000px;background-color:black;color:white;">This page requires JavaScript</div></noscript>

As far as a "quick fix" goes, I think that does a decent job if you accept that non-JavaScript users will not be able to use your site (but even that restriction could be eased using referer, user preferences, etc).

- Bil
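As an added example, not from Bil's message or anyone else in the thread: a fail-closed variant of the combined snippet, in JavaScript. It assumes the page ships an inline `<style>html{display:none}</style>` in `<head>`; the script reveals the document only when it confirms it is the top-level window, and when framed it stays hidden while trying to break out, so a blocked redirect leaves nothing clickable (the same effect Jeremy's overlay gives non-JavaScript users). The decision logic is a pure function so it can be exercised with constructed window-like objects.

```javascript
// Fail-closed frame busting (added example; assumes <style>html{display:none}</style>
// is present in <head> before this script runs).

// Decide what to do given a window-like object with .top, .self and .location.
function decideFrameAction(win) {
  // Unframed: top and self are the same object.
  if (win.top === win.self) {
    return { action: "reveal" };
  }
  // Framed. Comparing hosts across origins throws under the same-origin
  // policy, and that exception is itself evidence of a foreign frame.
  let sameHost = false;
  try {
    sameHost = win.top.location.host === win.self.location.host;
  } catch (e) {
    sameHost = false;
  }
  if (sameHost) {
    // Framed by our own host (e.g. an internal iframe); tighten this if the
    // site never legitimately frames itself.
    return { action: "reveal", note: "same-host frame" };
  }
  // Foreign frame: navigate the top window to this page (Giorgio's idea).
  return { action: "bust", target: win.self.location.href };
}

// Apply the decision to a real window/document pair.
function applyFrameBusting(win, doc) {
  const decision = decideFrameAction(win);
  if (decision.action === "reveal") {
    // Undo the default-hidden state so the page becomes usable.
    doc.documentElement.style.display = "";
  } else {
    // Stay hidden regardless of whether the break-out succeeds.
    try { win.top.location = decision.target; } catch (e) { /* remain hidden */ }
  }
  return decision;
}

// Wire it up when running inside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameBusting(window, document);
}
```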
