Busting frame busting:

a study of clickjacking vulnerabilities at popular sites

Web framing attacks such as clickjacking use iframes to hijack a user's web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. We study frame busting practices for the Alexa Top-500 sites and show that all can be circumvented in one way or another. Some circumventions are browser-specific while others work across browsers. We conclude with recommendations for proper frame busting.

A research question: this page contains our proposed Javascript frame busting code. This code resists the attacks in the paper, but we cannot guarantee that the page cannot be framed. If you are able to write HTML that frames this page, please send us a link. See also related discussion.

Framing Attacks on Smart Phones

While many popular web sites on the Internet use frame busting to defend against clickjacking, very few mobile sites use frame busting. Similarly, few embedded web sites such as those used on home routers use frame bust- ing. In this paper we show that framing attacks on mobile sites and home routers can have devastating effects. We develop a new attack called tap-jacking that uses features of mobile browsers to implement a strong clickjacking at- tack on phones. Tap-jacking on a phone is more powerful than traditional clickjacking attacks on desktop browsers. For home routers we show that framing attacks can result in theft of the wifi WPA secret key and a precise geo- localization of the wifi network. Finally, we show that overlay-based frame busting, such as used by Facebook, can leak private user information.