Let's say you don't want other sites to "frame" your site in an <code><iframe></code>: <pre class="prettyprint"><code><iframe src="http://example.org"></iframe> </code></pre> So you insert anti-framing, frame busting JavaScript into all your pages: <pre class="prettyprint"><code>/* break us out of any containing iframes */ if (top != self) { top.location.replace(self.location.href); } </code></pre> Excellent! Now you "bust" or break out of any containing iframe automatically. Except for one small problem. As it turns out, your frame-busting code can be busted, as shown here: <pre class="prettyprint"><code><script type="text/javascript"> var prevent_bust = 0 window.onbeforeunload = function() { prevent_bust++ } setInterval(function() { if (prevent_bust > 0) { prevent_bust -= 2 window.top.location = 'http://example.org/page-which-responds-with-204' } }, 1) </script> </code></pre> This code does the following: <ul> <li>increments a counter every time the browser attempts to navigate away from the current page, via the <code>window.onbeforeunload</code> event handler</li> <li>sets up a timer that fires every millisecond via <code>setInterval()</code>, and if it sees the counter incremented, changes the current location to a server of the attacker's control</li> <li>that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere</li> </ul> My question is -- and this is more of a JavaScript puzzle than an actual problem -- how can you defeat the frame-busting buster? I had a few thoughts, but nothing worked in my testing: <ul> <li>attempting to clear the <code>onbeforeunload</code> event via <code>onbeforeunload = null</code> had no effect</li> <li>adding an <code>alert()</code> stopped the process let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal</li> <li>I can't think of any way to clear the <code>setInterval()</code> timer</li> </ul> I'm not much of a JavaScript programmer, so here's my challenge to you: hey buster, can you bust the frame-busting buster?

FWIW, most current browsers support the X-Frame-Options: deny directive, which works even when script is disabled. IE8: http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx Firefox (3.6.9) https://bugzilla.mozilla.org/show_bug.cgi?id=475530 https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header Chrome/Webkit http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html http://trac.webkit.org/changeset/42333

Frame Buster Buster ... buster code needed

Let's say you don't want other sites to "frame" your site in an <iframe>:

<iframe src="http://example.org"></iframe>

So you insert anti-framing, frame busting JavaScript into all your pages:

/* break us out of any containing iframes */ if (top != self) { top.location.replace(self.location.href); }

Excellent! Now you "bust" or break out of any containing iframe automatically. Except for one small problem.

As it turns out, your frame-busting code can be busted, as shown here:

<script type="text/javascript">     var prevent_bust = 0       window.onbeforeunload = function() { prevent_bust++ }       setInterval(function() {         if (prevent_bust > 0) {           prevent_bust -= 2           window.top.location = 'http://example.org/page-which-responds-with-204'         }       }, 1)   </script>

This code does the following:

increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control
that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere

My question is -- and this is more of a JavaScript puzzle than an actual problem -- how can you defeat the frame-busting buster?

I had a few thoughts, but nothing worked in my testing:

attempting to clear the onbeforeunload event via onbeforeunload = null had no effect
adding an alert() stopped the process let the user know it was happening, but did not interfere with the code in any way; clicking OK lets the busting continue as normal
I can't think of any way to clear the setInterval() timer

I'm not much of a JavaScript programmer, so here's my challenge to you: hey buster, can you bust the frame-busting buster?

What is frame buster?

a study of clickjacking vulnerabilities at popular sites. Web framing attacks such as clickjacking use iframes to hijack a user's web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame.

How does frame busting work?

Frame busting refers to code or annotation provided by a web page intended to prevent the web page from being loaded in a sub-frame. Frame busting is the recommended defense against clickjacking [10] and is also required to secure image-based authentication such as the Sign-in Seal used by Yahoo.

FWIW, most current browsers support the X-Frame-Options: deny directive, which works even when script is disabled.

IE8:
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

Firefox (3.6.9)
https://bugzilla.mozilla.org/show_bug.cgi?id=475530
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header

Chrome/Webkit
http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html
http://trac.webkit.org/changeset/42333

Frame Buster Buster ... buster code needed

Tags:

javascript

html

iframe

framebusting

Jeff Atwood

People also ask

1 Answers

EricLaw

Recent Activity

Donate For Us

Frame Buster Buster ... buster code needed

Tags:

javascript

html

iframe

framebusting

Jeff Atwood

People also ask

1 Answers

EricLaw

Related questions

Recent Activity

Donate For Us