
Tamper-Resistant LikeJacking Protection

Conference paper, in: Research in Attacks, Intrusions, and Defenses (RAID 2013)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8145)

Abstract

The ClickJacking variant LikeJacking specifically targets Web widgets that offer seamless integration of third party services, such as social sharing facilities. The standard defense against ClickJacking is preventing framing completely or allowing framing only in trusted contexts. These measures cannot be taken in the case of LikeJacking, due to the widgets’ inherent requirement to be available to arbitrary Web applications. In this paper, we report on advances in implementing LikeJacking protection that takes the specific needs of such widgets into account and is compatible with current browsers. Our technique is based on three pillars: a JavaScript-driven visibility check, a secure in-browser communication protocol, and a reliable method to validate the integrity of essential DOM properties and APIs. To study our protection mechanism’s performance characteristics and interoperability with productive Web code, we applied it to 635 real-world Web pages. The evaluation’s results show that our method performs well even for large, non-trivial DOM structures and is applicable without requiring changes for the majority of the social sharing widgets used by the tested Web applications.

This work was in part supported by the EU Project WebSand (FP7-256964).
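The abstract names two of the pillars only at a high level: a visibility check for the widget and an integrity check of the DOM APIs that check depends on. The block below is an added illustration by the editor of what such checks look like on the host page; it is not code from the paper and does not reproduce the authors' method. The function names (isNativeFunction, findTamperedApis, checkWidgetVisible, makeFakeEnv) and the injectable env parameter are assumptions made here so that the code also runs outside a browser; in a real widget the verdict would be relayed to the widget iframe over postMessage with an origin check, which is the third pillar and is not shown.

```javascript
// Added example (editor's illustration, not the paper's code): two of the
// checks a widget's host-page script can run before telling the widget iframe
// that a click may be honoured. `env` stands in for the browser globals
// (document, getComputedStyle) so the code runs under Node with a constructed
// fake environment; in a real deployment the window's objects are passed.

// Capture the original Function.prototype.toString before any page script runs.
// A later override of toString itself would otherwise defeat the check below.
const nativeToString = Function.prototype.toString;

// Heuristic integrity check: a native function renders as
// "function name() { [native code] }". A plain user-script override such as
// `document.elementFromPoint = function () { ... }` renders its own source.
// Limitation: bound functions and callable Proxies also print as native code,
// so this only catches simple overrides and should be paired with other checks.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  try {
    return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
  } catch (e) {
    return false; // toString threw: treat as tampered
  }
}

// Names of the APIs (from a name -> function map) that no longer look native.
function findTamperedApis(apis) {
  return Object.keys(apis).filter((name) => !isNativeFunction(apis[name]));
}

// Visibility check for the widget frame: every ancestor must be displayed,
// visible and fully opaque, and elementFromPoint must return the frame itself
// at a grid of sample points over its rectangle (otherwise something covers it).
function checkWidgetVisible(frame, env, samples = 3) {
  const rect = frame.getBoundingClientRect();
  if (!(rect.width > 0 && rect.height > 0)) {
    return { visible: false, reason: 'zero-size frame' };
  }
  for (let node = frame; node; node = node.parentElement) {
    const style = env.getComputedStyle(node);
    if (style.display === 'none' || style.visibility === 'hidden') {
      return { visible: false, reason: 'hidden ancestor' };
    }
    if (style.opacity !== '' && Number(style.opacity) < 1) {
      return { visible: false, reason: 'transparent ancestor' };
    }
  }
  for (let i = 0; i < samples; i++) {
    for (let j = 0; j < samples; j++) {
      const x = rect.left + ((i + 0.5) * rect.width) / samples;
      const y = rect.top + ((j + 0.5) * rect.height) / samples;
      if (env.document.elementFromPoint(x, y) !== frame) {
        return { visible: false, reason: 'frame covered at ' + x + ',' + y };
      }
    }
  }
  return { visible: true, reason: 'ok' };
}

// Constructed fake environment (not a real DOM) so the visibility check can be
// exercised offline. `overlay` simulates an element positioned over the widget;
// `opacity` is applied to the frame's parent.
function makeFakeEnv({ overlay = false, opacity = '1' } = {}) {
  const body = { parentElement: null, style: { display: 'block', visibility: 'visible', opacity } };
  const frame = {
    parentElement: body,
    style: { display: 'inline', visibility: 'visible', opacity: '1' },
    getBoundingClientRect: () => ({ left: 10, top: 10, width: 90, height: 30 }),
  };
  const cover = { parentElement: body, style: body.style };
  const document = { elementFromPoint: () => (overlay ? cover : frame) };
  return { frame, env: { document, getComputedStyle: (node) => node.style } };
}

// Stand-alone demonstration: the integrity check against a genuine native
// function and a script-defined replacement, then three visibility scenarios.
console.log('tampered:', findTamperedApis({ max: Math.max, replaced: () => null }));
for (const scenario of [{}, { overlay: true }, { opacity: '0' }]) {
  const { frame, env } = makeFakeEnv(scenario);
  console.log(JSON.stringify(scenario), checkWidgetVisible(frame, env));
}
```

Because the fake environment's functions are ordinary script functions, findTamperedApis is exercised against real built-ins (Math.max) rather than against the fake, which would otherwise be reported as tampered.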




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Johns, M., Lekies, S. (2013). Tamper-Resistant LikeJacking Protection. In: Stolfo, S.J., Stavrou, A., Wright, C.V. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2013. Lecture Notes in Computer Science, vol 8145. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41284-4_14


  • DOI: https://doi.org/10.1007/978-3-642-41284-4_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-41283-7

  • Online ISBN: 978-3-642-41284-4

  • eBook Packages: Computer Science (R0)
