The new “bad” is clickjacking, where an attacker places a malicious web page underneath a legitimate one, so that when you think you’re clicking on one thing, you’re actually clicking on another. We actually use this technique to make it easy to use our phpasndump tool (the Browse button is on top of the entry field so that when you click on it, you’re really clicking on the entry field).

There are multiple vectors of attack, including iframes, JavaScript, and Flash, but they all do the same thing. The article linked above talks about all of the different types and whether there is a patch available. However, the best defense is one that security people have been harping on for a very long time – disable JavaScript, disable Java, and disable plugins (Flash, Silverlight, etc.). That still leaves one vector open: iframes. Firefox’s NoScript extension can disable those for you (as well as selectively run JavaScript). This can cause problems for “normal” browsing, however, as most of the web is highly dependent on JavaScript and Flash. You’ll have to play with the settings and determine your best mix of usable vs “safe”.
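The iframe vector mentioned above can also be closed from the site's side, which goes beyond the browser-side advice in this post: a server can tell browsers not to render its pages inside another site's frame using the `X-Frame-Options` header or the CSP `frame-ancestors` directive. The following is an added example, not code from the original post or from the phpasndump tool; the function name `framingPolicy` and the sample headers are constructed for illustration.

```javascript
// Added example: classify a response's anti-framing headers.
// Assumptions: header names are lower-cased (as Node's http module delivers
// them) and each header carries a single value / a single CSP policy.
function framingPolicy(headers) {
  // A CSP frame-ancestors directive takes precedence over X-Frame-Options.
  // Content-Security-Policy-Report-Only is not consulted: it never blocks.
  const csp = headers['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const list = sources.map((s) => s.toLowerCase());
    // An empty source list matches nothing, the same as 'none'.
    if (list.length === 0 || (list.length === 1 && list[0] === "'none'")) {
      return { framable: 'never', by: 'csp' };
    }
    if (list.includes('*')) return { framable: 'anywhere', by: 'csp' };
    if (list.length === 1 && list[0] === "'self'") {
      return { framable: 'same-origin', by: 'csp' };
    }
    return { framable: 'listed-origins', by: 'csp' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: 'never', by: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') {
    return { framable: 'same-origin', by: 'x-frame-options' };
  }
  // No header, a typo, or the obsolete ALLOW-FROM form, which current
  // browsers ignore: the page can be embedded by any site.
  const by = xfo ? 'unrecognised x-frame-options' : 'none';
  return { framable: 'anywhere', by };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  legacy: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  reportOnly: { 'content-security-policy-report-only': "frame-ancestors 'none'" },
  xfoOnly: { 'x-frame-options': 'sameorigin' },
  both: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
    'x-frame-options': 'SAMEORIGIN',
  },
};
for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(label.padEnd(12), JSON.stringify(framingPolicy(headers)));
}
```

The `legacy` and `reportOnly` samples are the cases worth noticing: both look like protection in a header dump, yet neither stops the page from being framed.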