OWASP [part 1] and ClickJacking defense in .NET

Posted: September 11, 2012 in Code, Security

Love it, you have to love it. OWASP is one of my favourite “.org”s, and if you want to know about security it will become one of yours too.

Now, this is a late night post and it’s more a reminder for me than something for you: tomorrow I will post some security issues I am working on and, clearly, some freshly baked .NET code to protect your website (and to check whether it’s vulnerable or not).

In the meantime I leave you something that is getting huge these days: ClickJacking (did you hear about the “twitter worm” or the “facebook like stealer”?). The Wikipedia definition is awful, but dear OWASP has a good one (https://www.owasp.org/index.php/Clickjacking). Just to make it simple: ClickJacking uses iframe properties to put a mask on top of a specific page and hide everything except some part of the page (usually buttons): the result is that you press what you don’t know you’re pressing [simple enough?]

A beautiful example is here: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

As said before, there is no complete protection against the “sleeping giant”, but this approach works just fine for 99% of the known cases:

  1. add a good JS snippet: https://www.owasp.org/index.php/Clickjacking#Best-for-now_implementation
  2. add the X-FRAME-OPTIONS security header.

I have a VB example for this (you can use a simple UserControl and add it to every page you need)…


' Requires: Imports System.Text (for StringBuilder)

' Adding the X-FRAME-OPTIONS header if configured
If [enable x-frame] Then
    Response.AddHeader("X-FRAME-OPTIONS", [DENY or SAMEORIGIN])
End If

' Adding anti-framing JS if configured
If [this page is not frameable] Then

    ' Create the OWASP "best-for-now" snippet: hide the body by default,
    ' show it only when the page is the top-level window, otherwise
    ' break out of the frame
    Dim sb As New StringBuilder("<style id='antiClickjack'>body{display:none;}</style>")
    sb.Append("<script type='text/javascript'>")
    sb.Append("if (self == top) {")
    sb.Append(" var theBody = document.getElementsByTagName('body')[0];")
    sb.Append(" theBody.style.display = 'block';")
    sb.Append(" } else { ")
    sb.Append(" top.location = self.location; ")
    sb.Append("}")
    sb.Append("</script>")

    ' Register it once per page (RegisterClientScriptBlock emits it right
    ' after the opening <form> tag, so the body element already exists)
    If Not Page.ClientScript.IsClientScriptBlockRegistered(Page.GetType(), "FixClickJack") Then
        Page.ClientScript.RegisterClientScriptBlock(Page.GetType(), "FixClickJack", sb.ToString())
    End If

End If

(*) every time you see code, you have to substitute what’s contained in brackets with your values… and remember: when you work on existing code, always enable new behaviour through a configuration setting, so you can control regressions!
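To check whether a page actually ships the header described above, here is a small audit function I am adding as an example (it is not part of the original post): it takes a response’s headers and tells you if framing is blocked. It also looks at the newer Content-Security-Policy frame-ancestors directive, which browsers prefer over X-Frame-Options when both are present; the sample headers are constructed, not captured from any real site.

```python
"""Audit HTTP response headers for clickjacking (framing) protection.
Added example, not code from the original post; works on a plain dict of
response headers so it runs offline."""
from typing import Dict, Tuple

VALID_XFO = {"DENY", "SAMEORIGIN"}

def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def check_framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason). Browsers give CSP frame-ancestors precedence
    over X-Frame-Options, so the CSP directive is evaluated first."""
    for directive in _header(headers, "Content-Security-Policy").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.strip("'").lower() for p in parts[1:]]
            if not sources or "*" in sources:
                return False, "CSP frame-ancestors allows any origin"
            return True, "CSP frame-ancestors " + " ".join(sources)
    xfo = _header(headers, "X-Frame-Options").upper()
    if not xfo:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    if xfo in VALID_XFO:
        return True, "X-Frame-Options: " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is not honoured by current browsers (header ignored)"
    return False, "unrecognised or duplicated X-Frame-Options value " + repr(xfo)

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "hardened": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wild": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "unprotected": {"Content-Type": "text/html"},
    "legacy": {"x-frame-options": "ALLOW-FROM https://example.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = check_framing_protection(hdrs)
        print(f"{name:12} {'OK  ' if ok else 'VULN'} {why}")
```

Feed it the header dict of a real response (for example `resp.headers` from urllib) to audit a live page.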

Easy as that, and for a couple of years you should be ok.

See you tomorrow!
