Frame Busting

Posted by on July 19, 2010

An often overlooked security feature for a web application is to not allow the application (especially the login screen) to be embedded in a frame.  This is often referred to as “frame busting”.  In some browsers, it is possible for the parent window to capture the keystrokes typed into one of its frames.  This would be a problem with an embedded login form: a malicious attacker embeds the login screen in a page on a different domain and tricks a user into attempting to log in.  The attacker could then capture that user's user name and password and use them to log in at a later time.

Pages that can be loaded into any frame set may also be susceptible to click jacking.  Click jacking is beyond the scope of this post, but more information can be found at http://www.owasp.org/index.php/Clickjacking.

There are a few options for a layered approach to protecting against both of these attacks.  Internet Explorer 8 supports the X-FRAME-OPTIONS response header.  Unfortunately, this header is not supported by all browsers.  Mozilla is working on its own directives to do the same thing, with a more robust approach.  Both of these approaches are limited because they are targeted at specific browsers.

Another approach is to add JavaScript to the pages that compares the page's own location against the parent window's location.  If they are not the same, the script breaks out of the frame and loads the content in the main window.  There is a great document discussing research on this topic at http://seclab.stanford.edu/websec/framebusting/framebust.pdf
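The JavaScript approach described above, as an added example that is not code from the original post or from the Stanford paper. The decision logic is factored into a pure function so it can be tested outside a browser; the function names are hypothetical, the origins are constructed sample values, and the page is assumed to ship with a CSS rule `html { display: none; }` (the pattern the referenced paper recommends) so that nothing is visible until the script confirms the page is not framed by an untrusted origin.

```javascript
// Added example (hypothetical names, not the original post's code).
// isTopWindow: true when window.self === window.top.
// parentHref: the parent's URL when readable (same-origin parent), or null when the
//             browser refused access (a cross-origin parent throws on location.href).
// allowedOrigins: origins that are permitted to frame this page (e.g. the site itself).
function decideFrameAction(isTopWindow, parentHref, allowedOrigins) {
  if (isTopWindow) return "show";                 // not framed at all
  if (parentHref !== null) {
    const origin = new URL(parentHref).origin;
    if (allowedOrigins.includes(origin)) return "show";  // trusted same-origin framer
  }
  return "bust";                                  // unknown or cross-origin framer
}

// Browser glue. Call once at the top of the page, before any content is rendered:
//   installFrameBuster(window, document, [location.origin]);
// Assumes the page's CSS hides the document (html { display: none; }) by default.
function installFrameBuster(win, doc, allowedOrigins) {
  let parentHref = null;
  try {
    parentHref = win.parent.location.href;        // throws for a cross-origin parent
  } catch (e) {
    parentHref = null;                            // treat unreadable as untrusted
  }
  const action = decideFrameAction(win.self === win.top, parentHref, allowedOrigins);
  if (action === "show") {
    doc.documentElement.style.display = "block";  // reveal the page hidden by the CSS rule
  } else {
    // Replace the framing page with this one. The content stays hidden in the meantime,
    // so a framer that manages to block the navigation still has nothing usable to click.
    win.top.location = win.self.location;
  }
  return action;
}
```

Keeping the page hidden until the check passes is what makes the script useful even when the redirect is suppressed; a bare `if (top != self) top.location = self.location` leaves the form visible while it is being defeated.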

It is important for application developers to assess their designs to make sure frame busting and click jacking are addressed.
