Posted: Saturday, December 10, 2011

Framebusting Javascript, Clickjacking and SEO

Tricking a user into clicking on a page that an attacker has loaded in an invisible or disguised iframe is known as clickjacking. The most common defense is "frame busting": script in the victim page detects that it has been framed and breaks out of the surrounding "enemy" frame. We developed a variant of the code suggested by the Stanford Web Security Group in their paper Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites, which examined common frame busting code and the ways it can be circumvented.

 

Most of the current JavaScript solutions use a conditional statement like:

if (top != self)

followed by a counter-action like:

top.location = self.location;

A counter-action written as parent.location = self.location works when the victim page is enclosed by a single frame, because parent is then the top window, but fails when the attacker encloses the victim page in two frames: parent is now the attacker's inner frame, navigating it is a security violation under the browsers' descendant frame navigation policy, and the counter-action silently does nothing. Double framing is only one attack; other methods examined in the paper include cancelling the navigation from an onBeforeUnload handler, 204 (No Content) flushing that cancels the pending frame-busting navigation, abusing browser XSS filters to strip the busting script, weaknesses in referrer checking, and clobbering top.location.

So what to do? The paper recommends the X-Frame-Options HTTP response header and, where the browser supports it, a Content Security Policy (at the time a Firefox proposal; today it is the standard frame-ancestors directive). Both are enforced by the browser before any script in the page runs, so none of the script-level attacks above apply to them.

We have coded a JavaScript variant that we use on pages that require text input (log-in forms, registration forms, password request forms and contact forms) and on other pages not usually indexed by the search engines. A minor drawback of any JavaScript solution is that it must be present on every page you want to protect from framing. Although we cannot guarantee security (the code may already be vulnerable to attacks not yet known), we believe it is currently the correct approach to the problem.

<style type="text/css">
    /* Hide the whole document until the script below confirms we are not framed. */
    html { visibility:hidden; }
</style>

<script language="javascript" type="text/javascript">
    /* Fail closed: reveal the page only when it is the top-level window,
       otherwise try to break out of the surrounding frame. */
    if ( self == top ) {
        document.documentElement.style.visibility = 'visible';
    } else {
        top.location = self.location;
    }
</script>

The code is simple and fails closed. The CSS rule hides the document as soon as it is parsed, before any script runs; the script then reveals it only if the page is the top-level window, and otherwise attempts to bust out of the frame. If that attempt is defeated (JavaScript is disabled, an onBeforeUnload handler or 204 flushing cancels the navigation, an XSS filter strips the script, a referrer check is fooled, or top.location has been clobbered) the page simply stays blank, so there is nothing for the attacker to trick the user into clicking. The price of failing closed is that legitimate visitors who browse with JavaScript disabled also see a blank page.

The use of the code on non-indexed pages to prevent framing is highly recommended; there is, however, a caveat for indexed pages. Because the solution hides content with CSS, there may be an unintended impact on Moz Ranking and other search metrics when considering Search Engine Optimization (SEO) for pages indexed by the search engines. We have asked for clarification and will update this post as soon as we hear back from our friends at Google.

Posted: Wednesday, June 29, 2011

2011 Marketing Charts and Assessment Offer

If you enjoy learning new marketing data, you will love our free personal website evaluation. Sign up today to receive a website assessment with a marketing expert!

Posted: Tuesday, January 25, 2011

Birthday Reminder Script

A question came up last week on one of the forums we moderate: I want to create a birthday reminder that displays our customers' birthdays five days in advance of the date. The customer's birthday is formatted as dd/mm/yyyy in a date/time formatted field in an Access database. How do I check the day and month and not include the year? How do I account for the logic when there is a month changeover, like if it's February 26 and I am looking to display the birthdays for the next five days into the...

Read More "Birthday Reminder Script"

Posted: Thursday, January 06, 2011

ASP Data Scraper

Need a quick way to grab all of the text (keywords included) from a site? Here is a simple HTML5 ASP Data Scraper for your use. We're going to pass the long URL of a web site from the form field as RemoteURL and then we will: (1) create an XML object, (2) open an HTTP connection to the page indicated in the URL, (3) send the request, (4) get a response from the server as text and (5) write out the response.

' Create the xml object and open connection
Set objXML = CreateObject("Microsoft.XMLHTTP")
objXML.Open...

Read More "ASP Data Scraper"