Abstract
The ClickJacking variant LikeJacking specifically targets Web widgets that offer seamless integration of third party services, such as social sharing facilities. The standard defense against ClickJacking is preventing framing completely or allowing framing only in trusted contexts. These measures cannot be taken in the case of LikeJacking, due to the widgets' inherent requirement to be available to arbitrary Web applications. In this paper, we report on advances in implementing LikeJacking protection that takes the specific needs of such widgets into account and is compatible with current browsers. Our technique is based on three pillars: a JavaScript-driven visibility check, a secure in-browser communication protocol, and a reliable method to validate the integrity of essential DOM properties and APIs. To study our protection mechanism's performance characteristics and interoperability with productive Web code, we applied it to 635 real-world Web pages. The evaluation's results show that our method performs well even for large, non-trivial DOM structures and is applicable without requiring changes for the majority of the social sharing widgets used by the tested Web applications.
This work was in parts supported by the EU Project WebSand (FP7-256964).
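The first and third pillars named in the abstract, a visibility check for a framed widget and an integrity check on the DOM APIs it depends on, as an added illustration that is not the paper's code. The decision logic is written as pure functions over injected measurements so it can be exercised with constructed data; the browser adapter and all names (`checkWidgetVisibility`, `apisLookNative`, `measureInBrowser`, the thresholds) are assumptions.

```javascript
// Added example, not code from the paper: a LikeJacking-style visibility check
// for a framed social widget, split into pure decision logic (testable
// without a browser) and a small browser adapter. All names are assumptions.
const NATIVE_RE = /\[native code\]/;
const MIN_SIZE = 16;        // px; smaller widgets are treated as hidden
const MIN_OPACITY = 0.9;

// Integrity check: the DOM APIs the check relies on must still be the
// browser's native implementations. A host page that overrides
// elementFromPoint or getComputedStyle could otherwise feed the check a
// false "visible" answer. Heuristic only: toString itself could be tampered.
function apisLookNative(fns) {
  return fns.every((f) => typeof f === "function" &&
    NATIVE_RE.test(Function.prototype.toString.call(f)));
}

// Decide visibility from constructed measurements:
//   rect {x,y,width,height}, viewport {width,height},
//   chain: computed styles of the widget and its ancestors (innermost first),
//   hitTest(x,y): id of the topmost element at that point, widgetId: expected id.
function checkWidgetVisibility(m) {
  const { rect, viewport, chain, hitTest, widgetId } = m;
  const reasons = new Set();
  if (rect.width < MIN_SIZE || rect.height < MIN_SIZE) reasons.add("too-small");
  if (rect.x < 0 || rect.y < 0 || rect.x + rect.width > viewport.width ||
      rect.y + rect.height > viewport.height) reasons.add("off-screen");
  for (const s of chain) {
    if (parseFloat(s.opacity) < MIN_OPACITY) reasons.add("transparent");
    if (s.visibility === "hidden" || s.display === "none") reasons.add("hidden");
    if (s.transform && s.transform !== "none") reasons.add("transformed");
  }
  // Hit-test the centre and the four corners (inset by 1px): any sample that
  // resolves to another element means an overlay could catch the click.
  const { x, y, width: w, height: h } = rect;
  const samples = [[x + w / 2, y + h / 2], [x + 1, y + 1], [x + w - 1, y + 1],
                   [x + 1, y + h - 1], [x + w - 1, y + h - 1]];
  if (samples.some(([px, py]) => hitTest(px, py) !== widgetId)) reasons.add("covered");
  return { visible: reasons.size === 0, reasons: [...reasons] };
}

// Browser adapter (assumption: runs in the page that embeds the widget iframe).
function measureInBrowser(iframeEl) {
  const chain = [];
  for (let el = iframeEl; el; el = el.parentElement) chain.push(getComputedStyle(el));
  return {
    rect: iframeEl.getBoundingClientRect(),
    viewport: { width: innerWidth, height: innerHeight },
    chain,
    widgetId: iframeEl.id,
    hitTest: (px, py) => (document.elementFromPoint(px, py) || {}).id,
  };
}
```

In a browser the two checks combine as `apisLookNative([document.elementFromPoint, getComputedStyle]) && checkWidgetVisibility(measureInBrowser(iframeEl)).visible`; a negative result is a reason to withhold or confirm the widget's action, not proof of an attack.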
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Johns, M., Lekies, S. (2013). Tamper-Resistant LikeJacking Protection. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_14
DOI: https://doi.org/10.1007/978-3-642-41284-4_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41283-7
Online ISBN: 978-3-642-41284-4