Use NoScript to protect yourself from Clickjacking

Posted September 26th, 2008 at 5:05 AM by Anti-Trend

With all the hubbub about Clickjacking (gag, buzzwords!), I thought it would be valuable to write a brief article on the topic.

What it is

Details are still being suppressed at this point, but in its currently disclosed form it appears to be an IFRAME manipulation that covers a normal web link on a trusted site, one that appears good and proper, with a bad link to an attacker's site. The implication is that it could potentially be a lot nastier, maybe even 100% automated. In any case, this attack could conceivably be used for phishing or host exploitation.
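To make the overlay idea concrete from a defender's side, here is an added example (not from the original post and not NoScript's code) that flags any link with an IFRAME stacked over it. The element list, field names and the 50% coverage threshold are assumptions constructed for illustration, and stacking order is simplified to a z-index comparison.

```javascript
// Constructed sample layout, not captured from a real page. Each entry mimics
// what el.getBoundingClientRect() and getComputedStyle(el) report in a browser.
const sampleLayout = [
  { tag: "a", id: "download", href: "https://trusted.example/file",
    rect: { x: 100, y: 200, w: 120, h: 30 }, zIndex: 0, opacity: 1 },
  { tag: "a", id: "about", href: "https://trusted.example/about",
    rect: { x: 100, y: 400, w: 80, h: 20 }, zIndex: 0, opacity: 1 },
  { tag: "iframe", id: "overlay", src: "https://other.example/frame",
    rect: { x: 90, y: 190, w: 200, h: 60 }, zIndex: 10, opacity: 0 },
  { tag: "iframe", id: "sidebar", src: "https://trusted.example/widget",
    rect: { x: 600, y: 0, w: 300, h: 800 }, zIndex: 0, opacity: 1 },
];

// Fraction of rectangle `a` that is covered by rectangle `b` (0..1).
function coveredFraction(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  if (w <= 0 || h <= 0 || a.w <= 0 || a.h <= 0) return 0;
  return (w * h) / (a.w * a.h);
}

// Report every link that has an IFRAME stacked on top of it.
// `pageOrigin` is the origin of the page being audited (hypothetical parameter).
function findCoveredLinks(elements, pageOrigin, minCover = 0.5) {
  const links = elements.filter((e) => e.tag === "a");
  const frames = elements.filter((e) => e.tag === "iframe");
  const findings = [];
  for (const link of links) {
    for (const frame of frames) {
      const cover = coveredFraction(link.rect, frame.rect);
      // Simplification: only a strictly higher z-index counts as "on top".
      if (cover < minCover || frame.zIndex <= link.zIndex) continue;
      findings.push({
        link: link.id,
        frame: frame.id,
        cover,
        crossOrigin: new URL(frame.src).origin !== pageOrigin,
        invisible: frame.opacity < 0.1, // the user cannot see what they click
      });
    }
  }
  return findings;
}

console.log(findCoveredLinks(sampleLayout, "https://trusted.example"));
```

A finding that is both cross-origin and invisible is the combination worth investigating first; a visible same-origin frame over a link is more likely a layout quirk.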

Who it affects

Basically, any modern browser which supports IFRAMEs. This includes any reasonably current version of IE, Firefox/Mozilla, Safari, Flock, Opera, etc. So, pretty much everybody. It doesn’t include browsers which don’t support IFRAMEs, such as lynx or elinks.

How to protect against it

Essentially, the fix will ultimately involve a re-thinking of how browsers (and perhaps web developers) handle IFRAMEs. In the meantime, you can provide yourself at least a modicum of protection by using the NoScript plugin.

  1. Download and install Firefox
  2. In Firefox, download and install the NoScript plugin
  3. Navigate in Firefox to Tools –> Addons
  4. Highlight NoScript and click Preferences
  5. Click the Plugins tab and make sure “Forbid IFRAME” is checked

Or, you can view our brief video tutorial here.

Comments

2 Responses to “Use NoScript to protect yourself from Clickjacking”

  1. hackademix.net » Clickjacking and NoScript on September 27th, 2008 1:47 AM

    [...] will need a confirmation to be activated, therefore “blind clicks” become impossible. Zone 365 and Hardware Forums created a short video tutorial about this setting. If you want to be protected [...]

  2. Anti-Trend on October 13th, 2008 8:52 AM

    Note: There’s lots of new anti-clickjacking goodies in the latest NoScript, so make sure you’re running the latest build! :)

    http://noscript.net/faq#clearclick
