Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
Web framing attacks such as clickjacking use iframes to hijack a user's web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. The authors study frame busting practices for the Alexa Top-500 sites and show that all can be circumvented in one way or another. Some circumventions are browser-specific while others work across browsers. They conclude with recommendations for proper frame busting.

Frame busting refers to code or annotation provided by a web page intended to prevent the web page from being loaded in a sub-frame. Frame busting is the recommended defense against clickjacking and is also required to secure image-based authentication such as the Sign-in Seal used by Yahoo.
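As an added illustration (not code from the paper), the defensive pattern the paper ends up recommending: the document is hidden by default and only a script running at top level reveals it, so a framing page that manages to neutralise the script is left with an unclickable page; the `X-Frame-Options` header is sent alongside as the browser-enforced defence. The decision logic is split into a pure function with a mock `win` object so it can be exercised outside a browser; the function and header names are assumptions for this example.

```javascript
// Added example: frame-busting done the defensive way.
// `win` mimics the browser window object: win.self and win.top are window
// references, win.self.location.href is the page's own URL.
// Returns {action: 'show'} when the page is top-level, or
// {action: 'bust', target: url} when it is framed, in which case the page
// stays hidden and the top window is navigated to the page itself.
function frameBustDecision(win) {
  if (win.self === win.top) {
    return { action: 'show' };
  }
  return { action: 'bust', target: win.self.location.href };
}

// The inline defence as served to browsers. The <style> hides the whole
// document unconditionally; only the script, and only when self === top,
// un-hides it. A naive "if (top != self) top.location = self.location"
// with a visible page fails open if the script is blocked; this fails closed.
const FRAME_BUSTING_MARKUP =
  '<style>html{display:none;}</style>' +
  '<script>' +
  'if (self === top) { document.documentElement.style.display = "block"; }' +
  ' else { top.location = self.location; }' +
  '</script>';

// Build a response for a page that must never be framed. X-Frame-Options is
// the header-based defence; the markup above is the in-page fallback for
// browsers that do not honour the header. (Response shape is illustrative.)
function protectedResponse(bodyHtml) {
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Frame-Options': 'DENY',
    },
    body: '<!DOCTYPE html><html><head>' + FRAME_BUSTING_MARKUP +
          '</head><body>' + bodyHtml + '</body></html>',
  };
}
```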