Saturday 2 June 2012

X-Frame-Options gotcha

Summary: X-Frame-Options: SAMEORIGIN checks the origin of window.top, not window.parent. This is bad news for sites that frame untrusted content.

UI redressing, or 'clickjacking', attacks rely on loading the target page in an iframe. The standard defence against them is to deny framing with the X-Frame-Options (XFO) response header. Unfortunately there is a quirk in how this feature is implemented which has left some sites vulnerable to clickjacking in spite of their use of XFO.

The problem is with the SAMEORIGIN flag. Intuitively, it sounds like it means 'Only pages from the same origin can frame this'. What it actually means is 'This page can only be framed when window.top is of the same origin'. window.parent, and any intermediate frame between the page and window.top, does not have to be of the same origin. This is significant if your website frames untrusted/external pages. Let's use an example:

https://skeletonpocs.appspot.com/iframepreview?src=example.com uses X-Frame-Options: SAMEORIGIN to protect itself. It also loads the page named in the src parameter in a sandboxed iframe.

http://albinowax.users.sourceforge.net/clickjack.html tries to perform a clickjacking attack but is thwarted by the XFO header. Web browsers will see the flag and refuse to load the iframe, so clicking the green circle will have no effect.

However, if the target site can be cajoled into iframing the attack page, we have a problem: the framed copy of the target now has the target's own origin as window.top, so SAMEORIGIN is satisfied and the inner iframe loads, with the attacker's page sitting in between:
https://skeletonpocs.appspot.com/iframepreview?src=albinowax.users.sourceforge.net/clickjack.html

The fix is simple: if you must iframe untrusted content, use the DENY flag instead of SAMEORIGIN. DENY refuses framing regardless of what the ancestor chain looks like.
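To make the difference concrete, here is a small model of how a browser decides whether a framed page loads under each XFO value. This is an added example written for this post, not code from the original page or from the PoC sites; the target and attacker origins are taken from the URLs above, and the frame chain is modelled as a list of ancestor origins ordered from window.parent up to window.top. The top-only comparison for SAMEORIGIN is the behaviour the post describes; whether a particular browser version still behaves that way is something to verify yourself, so the model also includes an all-ancestors variant for comparison.

```javascript
// Added example (not the original post's code): model of X-Frame-Options
// enforcement for a page at the bottom of a chain of frames.
// Origins are "scheme://host[:port]" strings; `ancestors` lists the origin of
// window.parent first and window.top last.

function originOf(url) {
  return new URL(url).origin;
}

// Returns true if the browser would load the page given its XFO header.
// opts.checkAllAncestors=false models the SAMEORIGIN behaviour the post
// describes (only window.top is compared); true models a check of every
// ancestor, which is also what CSP frame-ancestors does.
function xfoAllows(header, pageOrigin, ancestors, opts = {}) {
  const value = header.trim().toUpperCase();
  if (ancestors.length === 0) return true;        // not framed at all
  if (value === 'DENY') return false;             // any framing refused
  if (value === 'SAMEORIGIN') {
    if (opts.checkAllAncestors) {
      return ancestors.every((o) => o === pageOrigin);
    }
    // Top-only comparison: an untrusted window.parent is not examined.
    return ancestors[ancestors.length - 1] === pageOrigin;
  }
  // Unrecognised value: the header is ignored and framing is permitted.
  return true;
}

// Origins from the post's example URLs (constructed inputs for the model).
const TARGET = originOf('https://skeletonpocs.appspot.com/iframepreview?src=example.com');
const ATTACKER = originOf('http://albinowax.users.sourceforge.net/clickjack.html');

// Two framing layouts for the target page:
//  directFraming:    attacker page frames the target directly
//                    (parent = attacker, top = attacker)
//  viaIframePreview: the target's iframepreview frames the attacker page,
//                    which frames the target again
//                    (parent = attacker, top = target)
function scenarios(header, checkAllAncestors = false) {
  const opts = { checkAllAncestors };
  return {
    directFraming: xfoAllows(header, TARGET, [ATTACKER], opts),
    viaIframePreview: xfoAllows(header, TARGET, [ATTACKER, TARGET], opts),
  };
}

// Walk the model for the headers discussed in the post.
for (const header of ['SAMEORIGIN', 'DENY']) {
  console.log(header, scenarios(header), 'all-ancestors:', scenarios(header, true));
}
```

Under the top-only rule, SAMEORIGIN blocks the direct attack but lets the viaIframePreview layout through, which is exactly the PoC above; DENY blocks both. The all-ancestors variant also blocks both, which is why a Content-Security-Policy frame-ancestors directive, which checks every ancestor, does not have this gap.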

Update: see clickjacking google for a couple of real attacks using this technique.
