This is a personal blog. My other stuff: book | home page | Twitter | G+ | CNC robotics | electronics

December 10, 2011

X-Frame-Options, or solving the wrong problem

On modern computers, JavaScript allows you to exploit the limits of human perception: you can open, reposition, and close browser windows, or load and navigate away from specific HTML documents, without giving the user any chance to register this event, let alone react consciously.

I have discussed some aspects of this problem in the past: my recent entry showcased an exploit that flips between two unrelated websites so quickly that you can't see it happening; and my earlier geolocation hack leveraged the delay between visual stimulus and premeditated response to attack browser security UIs.

A broader treatment of these problems - something that I consider to be one of the great unsolved problems in browser engineering - is given in "The Tangled Web". But today, I wanted to showcase another crude proof-of-concept illustrating why our response to clickjacking - and the treatment of it as a very narrow challenge specific to mouse clicks and <iframe> tags - is somewhat short-sighted. So, without further ado:

There are more complicated but comprehensive approaches that may make it possible for web applications to ensure that they are given a certain amount of non-disrupted, meaningful screen time; but they are unpopular with browser vendors, and unlikely to fly any time soon.


  1. In the example I see the moving box to entice a user to click on parts of the screen. However, I'm not seeing how this is clickjacking since these clicks don't appear to be registering on another site.

    Is this demo supposed to demonstrate how JavaScript can be used to easily convince a user to perform specific actions on the page? Or are you attempting to imply that x-frame-options is not a suitable defense to clickjacking? If the latter, can you explain further how x-frame-options would not provide a defense here?

  2. The last click should register.

    Although the PoC is more funny than serious, you can actually a) anticipate clicks very reliably (I explained how); b) toggle between the pages so quickly that the user doesn't even register this is happening (outlined in one of the earlier PoCs).

    The bottom line is that even though the target site uses X-Frame-Options, you can fool the user to interact with it without necessarily knowing, and certainly without having intent to do so. It's not that X-Frame-Options fail to deliver, technically speaking; but that they ultimately don't offer the protection against click / keypress redirection that they are thought to.

  3. Ah, I see now. So you are using the predictive clicking actions to lure the user to click on a specific location on the other page. The "bypass" to x-frame-options is the fact that you leverage a sudden redirect immediately before the final click. So x-f-o won't matter since you aren't framing at all.