Comments on: anti anti Frame Busting

By: Mike

Mike — Fri, 04 Sep 2009 16:31:07 +0000

Hey,

Thanks for the reply. I kind of gave up on the whole thing for a bit because there was (and is) a bunch of stuff that we’re working on.

I was making some compliance updates and SEO enhancements to our main website (the one listed). After I relisted with all the major search engines I saw that we had a bunch of backlinks that were all framed. I decided to revisit the issue and saw that I created a flaw in my code.

I revisited my code and cleaned it up, saw the flaw and moved it our main site. It works like a charm. Thanks so much!

Mike G.

By: coderrr

coderrr — Thu, 23 Jul 2009 16:23:39 +0000

Hey Mike,

You said “set the headers as specified so the page will not cache.”, did you mean to say so the page WILL cache?

Yes, the only reason for the redirect is so you can bust with a page which loads extremely fast so that the parent page doesn’t have time to stop the bust.

Even if you have the login page cached, if it has to load/render images, stylesheets, javascripts, etc. You would have to make sure all of those are cahced as well, and even then there will be time to render the page. It might be too slow.

I’d say try it with a very simple redirect page. Also I’d be interested to see the site which is framing you.

By: Mike

Mike — Wed, 22 Jul 2009 11:37:36 +0000

First off I’d like to thank you for posting this. I originally read about this issue on Jeff’s site. At that time I thought that I’d book mark this link in case I’d ever run into this issue, although at the time I thought I would never need it. Turns out that one of our clients decided to frame our site so that he would have his logo on the page. That turned out to be a big no-no for compliance issues.

Anyhow, I have a couple of questions about the holy grail method. I tried implementing this technique in .NET 3.5 with C#. The log-in page for the app contains an iframe that points to the log-in page. The src tag for the iframe contains a query string param that lets the log-in page in the iframe know that it should set the headers as specified so the page will not cache. I also have the version of the log-in page in the iframe contain no frame busting code.

I would think that it this would allow me to not use a redirect page. The theory goes that the log-in page in the iframe is immediately cached by the browser. The parent log-in frame then contains the busting code as shown above.

Anyhow, my attempt does not work. In IE 7/8 you can hear the navigation sound as the page tries to break out but the frame maintains the upper hand.

My questions are this: What purpose does the redirect serve? It seems like the only reason you are using it is that it is cached and would load very, very quickly. Secondly, do you know of any server based attacks that would prevent the holy grail code? I can not find any script on the client’s frames. If there were script I could analyze what it’s doing and see if I could provide more info or perhaps a solution.

Thanks,
Mike

By: Firefox 3 internals, blocking alerts and XMLHttpRequests « coderrr

Firefox 3 internals, blocking alerts and XMLHttpRequests « coderrr — Mon, 22 Jun 2009 19:25:28 +0000

[...] @ 7:25 pm In my quest to find something which acts similar to an alert() box in Firefox 3 (for anti-anti-frame-busting), but without the annoying user-experience, I discovered a few things that I thought I should [...]

By: coderrr

coderrr — Sun, 21 Jun 2009 11:08:24 +0000

ok so for IE (IE7 at least) you are correct, that did the trick and is just as effective as an alert, great find!

By: coderrr

coderrr — Fri, 19 Jun 2009 10:47:14 +0000

doh… doesn’t look like synchronous xmlhttprequests actually block timers (on FF, presumably IE as well) :/

what’s next?

By: coderrr

coderrr — Fri, 19 Jun 2009 10:25:33 +0000

yes! I think that’s just what I was looking for, awesome! will test this in a second

By: Godfrey Chan

Godfrey Chan — Fri, 19 Jun 2009 10:09:06 +0000

A synchronized XMLHTTP request (blocking) to a page that sleep()s should do the trick.

By: Preventing Frame Busting and Click Jacking (UI Redressing) « coderrr

Preventing Frame Busting and Click Jacking (UI Redressing) « coderrr — Fri, 19 Jun 2009 07:46:15 +0000

[...] by Anti anti frame busting « coderrr — June 18, 2009 @ 4:22 pm [...]

By: Jason Bunting

Jason Bunting — Fri, 19 Jun 2009 06:44:21 +0000

Nice. Again, I only partly know about this stuff, I was actually online at SO the moment Jeff originally posted his question and even gave it a few tries myself before giving up because I was already up late and needed to be done for the day. Hadn’t thought much about it until I saw Jeff’s blog entry about it.

Funny, I thought about a while loop too…

Hope this proves to be a solution, I look forward to the conclusion…