What is “clickjacking” and should you be concerned about it?
I am at the first national OWASP conference in New York this week, giving a talk on Web 2.0, consumerization, and application security. There is much discussion at the conference about "clickjacking," partially because the researchers weren’t given permission to do an open session, which of course further fanned the interest.
Earlier today, CERT issued a statement on clickjacking, warning that multiple browsers, including IE, Firefox, Safari, Opera, and Chrome, are all vulnerable to the attack.
So what is clickjacking? The exact technical details of this attack and the associated vulnerabilities are a bit fuzzy at this point. But essentially, clickjacking is an attack that inserts itself in the middle of a user's interaction with a Web page, namely the user's button clicks. Whenever a user clicks a button on a Web page, the infected browser can get the user to perform any arbitrary click-related function, including redirecting the browser to a third-party site, replacing the legitimate "onclick" handler with a different function, and so on. This attack is different from the traditional code-injection attacks that overlay an invisible iframe on top of a Web page, because this attack does not require the compromise of server-side code. The browser alone can wreak havoc.
How serious is the clickjacking vulnerability? The researchers reported that the vulnerability does affect all popular browsers, which means it will affect a huge population of users.
How soon can we expect a fix? The answer is "don't know" at this point. It is clear that the vulnerability has something to do with the browser code that handles user input and the JavaScript that performs the "onclick" function. Microsoft, Mozilla, and Apple are reportedly working on a fix, which was partly the reason the researchers weren't able to talk about the flaw openly at OWASP.
What should you do in the meantime? The only answer available today is to use Firefox with NoScript. NoScript allows you to turn off JavaScript at the browser level. Users be warned: it will negatively affect your browsing experience; many sites will appear broken. But it is, for now, the most effective measure against someone who might exploit this vulnerability.
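NoScript is a browser-side workaround; the page-side counterpart to the invisible-iframe overlays mentioned above is a script that refuses to render when the document is loaded inside another site's frame. The following is an added example, not code from the original post: the `win` argument stands in for the browser's `window`, and the allow-list of framing origins is hypothetical.

```javascript
// Added example (not from the original post): hide the page when it is
// framed by an origin that is not on an allow-list. `win` stands in for
// the browser's `window`; ALLOWED is a hypothetical allow-list.
function isFramed(win) {
  try {
    return win.self !== win.top; // a top-level document is its own top
  } catch (err) {
    return true; // cross-origin access to win.top threw: we are framed
  }
}

function outermostFramer(win) {
  // location.ancestorOrigins lists framing origins, outermost last; some
  // browsers do not expose it, in which case we return null.
  const chain = win.location && win.location.ancestorOrigins;
  if (!chain || chain.length === 0) return null;
  return chain[chain.length - 1];
}

function framingDecision(win, allowedOrigins) {
  if (!isFramed(win)) return 'render';
  const origin = outermostFramer(win);
  // An unidentifiable framer is treated as hostile, not as trusted.
  if (origin !== null && allowedOrigins.includes(origin)) return 'render';
  return 'hide';
}

function applyFramingPolicy(win, allowedOrigins) {
  const decision = framingDecision(win, allowedOrigins);
  if (decision === 'hide' && win.document && win.document.body) {
    win.document.body.style.display = 'none'; // blank page: nothing to click
  }
  return decision;
}

// Constructed stand-ins for window objects, used to exercise the logic.
const topLevel = { document: { body: { style: {} } } };
topLevel.self = topLevel; topLevel.top = topLevel;
const framedByPartner = { document: { body: { style: {} } },
  location: { ancestorOrigins: ['https://partner.example'] } };
framedByPartner.self = framedByPartner; framedByPartner.top = {};
const framedByUnknown = { document: { body: { style: {} } }, location: {} };
framedByUnknown.self = framedByUnknown;
Object.defineProperty(framedByUnknown, 'top',
  { get() { throw new Error('cross-origin'); } });
const ALLOWED = ['https://partner.example']; // hypothetical allow-list
```

Like any script-based check, this only runs when JavaScript executes in the framed document, so it complements rather than replaces browser-side controls.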