Frametrapping the framebusting defence

Bibliographic Details
Published in: Network security Vol. 2011; no. 10; pp. 8-12
Main Authors: Sood, Aditya K; Enbody, Richard J
Format: Journal Article
Language: English
Published: Kidlington, Elsevier B.V, 01.10.2011
Elsevier BV

Summary: Framebusting code can prevent one type of clickjacking, but new features of HTML 5 allow a malicious developer to nullify this protection. New iframe attributes – currently supported only by Google Chrome but likely to be introduced on other browsers – can bypass the protection mechanisms provided by framebusting code. Although the new iframe attributes have been introduced to improve the user experience, they can also be exploited to launch successful web attacks, including clickjacking, explain Aditya Sood and Richard Enbody of Michigan State University. Iframes are interactive frames that are placed in web pages to show third-party content as a part of the parent website. As a result, the third-party content becomes inline with the parent web page. However, iframes can also be used to conduct web-based attacks. One of the most pernicious types of attack, clickjacking, depends on framing the website in an iframe and then using User Interface (UI) redressing attacks to exploit the trust that users have with legitimate websites. 1
ISSN: 1353-4858, 1872-9371
DOI: 10.1016/S1353-4858(11)70105-2