OWASP [part 1] and ClickJacking defense in .NET

Posted: September 11, 2012 in Code, Security

Love it, you have to love it. OWASP is one of my favourite “.org” and if you want to know about security, it will become also yours.

Now, this is a late night post and it’s more a reminder for me than something for you: tomorrow I will post some security issues I am working on and, clearly, some freshly baked .NET code to protect your website (and to check if it’s vulnerable or not).

In the meantime i leave you something coming huge these days: ClickJacking (did you hear about “twitter worm” or “facebook like stealer”?). The wikipedia definition is awful, but dear OWI has a good one (https://www.owasp.org/index.php/Clickjacking). Just to make it simple: ClickJacking uses iframe properties to put a mask on top of a specific page and hide the content except some part of the page (usually buttons): the result is that you press what you don’t know you’re pressing [simple enough?]

A beautiful example is here: http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

As said before, there is no complete protection against the “sleeping giant”, but this way works just fine for 99% of the known cases:

  1. put a good JS snippet: https://www.owasp.org/index.php/Clickjacking#Best-for-now_implementation
  2. add X-FRAME-OPTIONS security header.

I have a Vb example for this (you can use a simple UserControl and add it to every page you need)…

                    ' Adding X-FRAME-HEADER if configured
                    If [enable x-frame] Then
                        Response.AddHeader("X-FRAME-OPTIONS", [DENY or SAMEORIGIN])
                    End If

                    ' Adding anti-framing if configured
                    If [this page is not frameable] Then

                        ' Create JS snippet
                        Dim sb As New StringBuilder("<script language='javascript' type='text/javascript'>")
                        sb.Append("if (self == top) {")
                        sb.Append(" var theBody = document.getElementsByTagName('body')[0];")
                        sb.Append(" theBody.style.display = 'block';")
                        sb.Append(" } else { ")
                        sb.Append(" top.location = self.location; ")

                        ' Adding it, if the script is not already registered
                        If Not Page.ClientScript.IsClientScriptBlockRegistered(Page.GetType(), "FixClickJack") Then
                            Page.ClientScript.RegisterClientScriptBlock(Page.GetType(), "FixClickJack", sb.ToString())
                        End If

                    End If

(*) every time you see code, you have to substitute what’s contained in bracket with your values… and remember: when you work on existing code, always enable new behavior using a configuration, so you can control regressions!

Easy as that, and for a couple of years you should be ok.

See you tomorrow!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s