Web framing attacks such as clickjacking use iframes to hijack a user’s web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. We study frame busting practices for the Alexa Top-500 sites and show that all can be circumvented in one way or another. Some circumventions are browser-specific while others work across browsers. We conclude with recommendations for proper frame busting.
Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
Conference | Web 2.0 Security and Privacy (W2SP) - 2010 |
Authors | Gustav Rydstedt, Elie Bursztein, Dan Boneh |