Posted tagged ‘server side’

Server-side Clickjack Protection

September 11, 2011

If you’ve been worrying about clickjacking attacks on the websites you visit often, you might be surprised to learn that site’s have the ability to impede these attacks. The fact of the matter is some websites just don’t focus that much on security strategies that would really keep their visitors safe. That isn’t to say that website administrators and developers could prevent all clickjacking attacks, but they could certainly make it harder for hackers to ruin your day.

Quite frankly, social networking sites (especially Facebook) are some of the worst offenders. To some extent, that’s understandable. Consider, for instance, how many people visit Facebook every day. That makes the site a target for clickjackers that want to reach a large audience quickly. Plus, Facebook wants to make it easy for people to share informationĀ  with each other. Any kind of block could negatively affect service.

When it comes down to it, though, more websites could use server-side clickjacking protection. It’s actually pretty easy.

The most common technique is called a framekiller. It’s a piece of JavaScript that prevents a site from loading frames from different sources. Unfortunately, it’s not always reliable. It’s especially easy for fairly advanced hacking techniques to trick Internet Explorer into loading the clickjacked link as asked.

Should websites have more responsibility when it comes to protecting visitors. That depends. A site like Facebook should definitely lead the security development to stop clickjacking. They’re big enough and have enough resources to take on theĀ  problem. Plus, it’s in their best interest to offer more safety to their members. Since Facebook doesn’t have a true competitor, though, the company might not feel too motivated in this area.