September 25th, 2008

Firefox + NoScript vs Clickjacking

Posted by Ryan Naraine @ 2:59 pm

Categories: Adobe, Apple, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Flash, Hackers, Malware, Passwords, Pen testing, Phishing, Responsible disclosure, Vulnerability research, Web 2.0, Web Applications

Tags: Mozilla Firefox, Web Browsers, Internet, Ryan Naraine

In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:

Hi Ryan,

I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].

I had access to detailed information about how this attack works and I can tell you the following:

  1. It’s really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the “Plugins|Forbid <IFRAME>” option.

Cheers,
Giorgio

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue. In a nutshell, I was told that it’s indeed “very, freaking scary” and “near impossible” to fix properly.

Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.
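As an added illustration (not part of the original post, of Giorgio's e-mail, or of NoScript's own code), the JavaScript below models the mechanism behind the two points made above: why a cross-site frame stacked over a visible decoy receives the click meant for the decoy, and why refusing to render the frame at all, as the "Plugins | Forbid <IFRAME>" option does, removes the problem outright. The element model, the hit-test rule, and the origins attacker.example and victim.example are assumptions constructed for the demo; a real browser's hit testing is far more involved, but the property that matters here, that opacity does not change which element receives a click, is how browsers behave.

```javascript
// Added illustration, not code from the original post or from NoScript.
// A deliberately small hit-testing model of a clickjacking overlay.

// A page element: a rectangle with a stacking order (zIndex) and an
// opacity. Browsers resolve clicks on geometry and stacking order only;
// opacity is ignored, so a fully transparent element still receives the
// click that lands on it.
function makeElement(tag, origin, rect, { zIndex = 0, opacity = 1 } = {}) {
  return { tag, origin, rect, zIndex, opacity };
}

function contains(rect, x, y) {
  return x >= rect.x && x < rect.x + rect.w &&
         y >= rect.y && y < rect.y + rect.h;
}

// Topmost element under (x, y): highest zIndex wins, later siblings win
// ties. Returns null when nothing covers the point.
function elementFromPoint(elements, x, y) {
  let hit = null;
  for (const el of elements) {
    if (!contains(el.rect, x, y)) continue;
    if (hit === null || el.zIndex >= hit.zIndex) hit = el;
  }
  return hit;
}

// Constructed attacker page (assumed origins): a visible decoy button on
// attacker.example with a fully transparent cross-site <iframe> stacked on
// top of it, positioned so that a sensitive control on victim.example sits
// exactly under the decoy. No script runs on this page; positioning and
// opacity are plain CSS in a real document.
function attackerPage() {
  const decoy = { x: 100, y: 100, w: 120, h: 40 };
  return [
    makeElement('button', 'https://attacker.example', decoy),
    makeElement('iframe', 'https://victim.example', { ...decoy },
                { zIndex: 10, opacity: 0 }),
  ];
}

// Model of the "Plugins | Forbid <IFRAME>" option: frames from other
// sites are not rendered, so nothing can be stacked over the decoy.
function forbidIframes(elements, pageOrigin) {
  return elements.filter(el => !(el.tag === 'iframe' && el.origin !== pageOrigin));
}

// Origin of the element that actually receives a click at (x, y).
function clickTarget(elements, x, y) {
  const hit = elementFromPoint(elements, x, y);
  return hit ? hit.origin : null;
}

// Same click on the decoy, with and without the iframe ban.
function demo() {
  const page = attackerPage();
  const [x, y] = [160, 120]; // centre of the decoy button
  return {
    withoutForbidIframe: clickTarget(page, x, y),
    withForbidIframe: clickTarget(forbidIframes(page, 'https://attacker.example'), x, y),
  };
}
```

In the model the click on the decoy resolves to victim.example until cross-site frames are dropped, after which it resolves to the attacker's own button and nothing sensitive is reached. The attacker page contains no script at all, which is why blocking JavaScript by itself does not remove the overlay and why the iframe option is the one Giorgio names for full coverage.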

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

Talkback (most recent of 41)

On the NoScript plugin
I have been using NoScript on mozilla since I first started using it, and it has been very good about updating regularly. It allows me to see what scripts are on the page, and lets me choose whether t...
Posted by: gene_fitz@... on 10/30/08