How can you tell if you're being framed or clickjacked?


Guest So Called

Guest LH91325

I've seen plenty of defenses against being framed (also called frame buster scripts, usually JavaScript) and clickjacking defenses usually use JS too. For every measure there's a counter measure, and for every counter measure there's a counter counter measure. There is only one defense that has no cost: X-Frame-Options headers, except that it only works on modern browsers, and many or most browser users are not using browsers that comply. There is no way to protect your site with X-Frame-Options when obsolete browsers are used. There are plenty of ways to use JavaScript to protect your site, but there are unfortunately plenty of ways hijackers can either turn off your script, render it ineffective or just turn off JS altogether in your frame. There is a CSS defense but unfortunately it renders your site unusable to visitors who have JS turned off. Too high a price!

What I'm thinking is "forewarned is forearmed." Maybe for the present it's good enough to know when you're being 'jacked or 'scraped, even if you can't do anything about it. At least you can find offending sites, and maybe knowing who they are you can block them. Or even if you can't block them you can understand who your enemies are and what tactics they're using.

I've been giving it some thought, and it seems to me that first of all you need to know if sites are framing you. You can't tell if they are scraping your content and reposting it on their site (other than using a search engine targeted to your content) but I think you can tell if they are using any means to steal your content that involves you serving it up to them (to their site visitors). So far my ideas all involve JavaScript and an active server script like PHP, and of course a database like MySQL.

Idea 1: You serve your page and you run a JavaScript that tells your PHP to log via MySQL that you've been framed. If so you can redesign your site JS or track down the attacker.

Idea 2: Same as above, if the JS doesn't run then you know for sure either the visitor has JS turned off (or NoScript), or maybe you've been framed by a clever 'jacker who knows how to turn off framed JS. If these are coming from random client addresses then maybe it's just PPL who have their script turned off. Maybe you can find a pattern in these visits (referrer URL?) and track them down to a site that is 'jacking you.

Idea 3: That's where you come in. Do you have any more ideas for me? I like the idea that the first step is to determine if it's happening. If it isn't then no further effort needed. If it is happening then you can invest time in countermeasures.


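Idea 1 from the post above, sketched as an added example (not code from the thread): the page checks whether it is the top-level window and reports the result to the server with an image request. The `/beacon.gif` path and the `framed`, `parent`, `page` and `t` parameter names are assumptions.

```javascript
// Added example: detect framing in the browser and report it to the server.
// BEACON_PATH and the query parameter names are assumptions, not from the thread.
const BEACON_PATH = '/beacon.gif';

// Returns { framed, parent } for a window-like object.
function frameStatus(win) {
  const framed = win.top !== win.self; // true when the page is not top-level
  let parent = '';
  if (framed) {
    const ancestors = win.location.ancestorOrigins; // not in every browser
    if (ancestors && ancestors.length > 0) {
      parent = ancestors[0]; // origin of the immediate framing page
    } else {
      // Inside a frame, document.referrer is normally the framing page's
      // URL or origin, depending on that page's referrer policy.
      parent = win.document.referrer || '';
    }
  }
  return { framed, parent };
}

// Builds the beacon URL; the token makes every request unique so it is
// never answered from cache and always reaches the server log.
function beaconUrl(status, pagePath, token) {
  const query = [
    'framed=' + (status.framed ? '1' : '0'),
    'parent=' + encodeURIComponent(status.parent),
    'page=' + encodeURIComponent(pagePath),
    't=' + encodeURIComponent(token),
  ];
  return BEACON_PATH + '?' + query.join('&');
}

// Browser entry point: an image request needs no AJAX support.
function reportFrameStatus(win) {
  const token = Math.random().toString(36).slice(2);
  const url = beaconUrl(frameStatus(win), win.location.pathname, token);
  const img = new win.Image();
  img.src = url; // the server logs this request next to the page view
  return url;
}

if (typeof window !== 'undefined') reportFrameStatus(window);
```

A framing page that stops the script from running also stops this request, which is the case Idea 2 covers: a page view with no matching beacon.
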
Guest So Called

So I'm still thinking about this. I don't know if I'm being framed. Maybe so, maybe not, probably not, but the point is that I don't know.

My site is PHP/MySQL. All HTML/CSS/JS, anything the visitor sees in their browser is generated on-the-fly by the index.php script. Images come from an image subdirectory and are served by Apache, but if no image is found (404) then my index.php takes the request and I have built-in ability to serve images from the script too, the images stored in a MySQL table. For example the favicon.ico file is served from index.php, there is no actual image file anywhere else.

The main problem in being framed is that for every JavaScript frame buster script you can imagine there is a hacker way of defeating your script. I've been researching frame buster scripts and it's kind of fascinating how many ways there are to keep from being framed, and that each of them can be circumvented. Even worse, a page 'jacker can defeat all of the methods at the same time, by applying all the anti-frame-buster methods at once. These anti-frame-buster methods don't interfere with each other.

I figure the first step is to find out which site visitors are executing JavaScripts on my pages. (Additionally this will probably be a good way to tell the human site visits from robot script visits, because web crawlers don't usually execute client side scripts.) I can ignore all site visits where my JavaScript executed. They must be real human visitors, and if my script runs then it wasn't defeated by an anti-frame-buster script. I already have a good idea of all the frequent web crawlers and who they are, so I can ignore Google and Yahoo and even the bad robots I've discovered. After subtracting all those visits I can track down the rest of the traffic (or as much as I want) and see if I can find out why they didn't execute my JavaScript. Maybe that's a hopeless task, maybe not. Maybe it's just a human who has JavaScript switched off, maybe it's a human who is running NoScript or the equivalent. But the point is, I don't know and I won't know unless I see if I can find out. And maybe even then I won't know. :)

So the basic problem is to find a way to tell if site visitors have JavaScript enabled. I want to log who has it and who not. The way my site works it calculates everything I send them on-the-fly (content comes from MySQL database, just like this forum software we're using). The visitor's browser receives my content, it renders it, and it either executes or doesn't execute any JavaScript. At the same time my PHP script is logging the event to my MySQL database log.

Here's where it gets tricky. I think by the time I've logged it the visitor connection is closed. It seems a good place for AJAX but I don't know much more about AJAX than what the letters stand for. Obviously there's a way to leave the connection established so that client side and server side scripts can communicate. That is of course what AJAX is all about. Maybe I can borrow just one simple trick from AJAX, just enough for the client side JavaScript to tell my PHP that it executed, so that I can put that in my log. The script runs, I can log that it ran, the script doesn't run and I can log that it didn't.

Another way I can tell if the script executed, without AJAX, I can have my JavaScript access an image on my server. The image won't be there so my index.php will get the request, and I can correlate the presence of the image request right after the site visit with the visitor (same IP address, similar time). No image request means the script didn't run. An image request means the JS was live and running. I can log that.

So what do you think? If there's a simple AJAX trick I can use, I can go study enough of AJAX and make that work. Or if not I can probably make the image request thing work. Please let me know if you have any ideas or suggestions.


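The correlation step described in the post above, as an added example that is not part of the original thread: each page view is matched to an image request from the same IP within a few seconds, views with no match are grouped by referrer, and framed views are grouped by the parent the script reported. It is written in JavaScript over a constructed log for illustration (the poster's site is PHP/MySQL); the record fields, the `framed`/`parent` values and the 10-second window are assumptions.

```javascript
// Added example: match each logged page view to a beacon hit from the same
// IP shortly afterwards. Field names and WINDOW_SEC are assumptions.
const WINDOW_SEC = 10;

function bump(map, key) {
  map.set(key, (map.get(key) || 0) + 1);
}

function correlate(rows, crawlerIps = new Set()) {
  const beacons = rows.filter((r) => r.kind === 'beacon');
  const used = new Set();          // beacon indexes already matched to a view
  const framedBy = new Map();      // reported framing parent -> framed views
  const silentByRef = new Map();   // referrer -> views where no script ran

  for (const view of rows.filter((r) => r.kind === 'page')) {
    if (crawlerIps.has(view.ip)) continue; // robots identified earlier
    const i = beacons.findIndex((b, idx) =>
      !used.has(idx) && b.ip === view.ip &&
      b.time >= view.time && b.time - view.time <= WINDOW_SEC);
    if (i === -1) {
      // No beacon: script off, NoScript, or script disabled by a framing page.
      bump(silentByRef, view.referrer || '(none)');
      continue;
    }
    used.add(i);
    if (beacons[i].framed) bump(framedBy, beacons[i].parent || '(unknown)');
  }
  return { framedBy, silentByRef };
}

// Constructed sample log, not real traffic; times are epoch seconds.
const SAMPLE_LOG = [
  { kind: 'page', ip: '198.51.100.7', time: 1000, referrer: '' },
  { kind: 'beacon', ip: '198.51.100.7', time: 1001, framed: false, parent: '' },
  { kind: 'page', ip: '203.0.113.20', time: 1010, referrer: 'https://framer.example/' },
  { kind: 'beacon', ip: '203.0.113.20', time: 1012, framed: true,
    parent: 'https://framer.example' },
  { kind: 'page', ip: '203.0.113.21', time: 1020, referrer: 'https://framer.example/' },
  { kind: 'page', ip: '203.0.113.22', time: 1030, referrer: 'https://framer.example/' },
  { kind: 'page', ip: '192.0.2.99', time: 1040, referrer: '' }, // known crawler
];

const report = correlate(SAMPLE_LOG, new Set(['192.0.2.99']));
console.log('framed by:', [...report.framedBy]);
console.log('no script, by referrer:', [...report.silentByRef]);
```

Visitors behind a shared address can be mismatched by an IP-and-time join; a per-view token written into the page and echoed in the image URL would make the match exact.
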
I've seen plenty of defenses against being framed (also called frame buster scripts, usually JavaScript) and clickjacking defenses usually use JS too. For every measure there's a counter measure, and for every counter measure there's a counter counter measure.
So the victim is running malicious JavaScript?

Guest So Called

Website owners put "frame buster" JavaScript in their web pages to keep from being framed. Frame 'jackers include JavaScripts in their frame 'jacking sites that turn off the code in the browsers that would have redirected them to the legitimate owner's site. The victim is the owner of the content who operates the site that is being framed. Oh, forgot to add, if it's click 'jacking then the site visitor can be a victim too. 'Jackers can steal everything from FB "likes" to passwords, credit card information, by being the man in the middle between a legitimate site and a legitimate visitor.

Edited by So Called