clickjane.css: A CSS User Style Sheet to Help Detect and Avoid Clickjacking Attacks

Clickjacking or, more formally, user interface redressing, is a class of security vulnerabilities similar to phishing scams. The technique uses web standards to trick unsuspecting victims into performing actions they were not intending to.

Clickjacking does not rely on bugs in any software. Instead, the technique is simply an abuse of the growing graphical capabilities that advanced web standards like CSS provide to web browsers. A good introduction to clickjacking is provided by Steve Gibson and Leo Laporte on their Security Now! podcast.

As far as I’m aware, only Firefox when combined with the NoScript add-on and Internet Explorer when combined with the GuardedID product provide any measure of protection against clickjacking attacks. To date no other browser can detect, alert, or otherwise help you to avoid or mitigate the risks of clickjacking attacks.

That said, there’s gotta be something users of other browsers can do. Well, it may not be as much as what NoScript can do, but there is something: use a user style sheet to help expose common clickjacking attack attempts.

clickjane.css helps detect clickjacking attacks for all browsers

Until browser manufacturers provide built-in protections against clickjacking attacks in their software (which is arguably the best place for such logic in the first place), I’ve started putting together a user style sheet I’m calling clickjane.css that attempts to instantly reveal common clickjacking attempts. Since it’s a CSS user style sheet, this approach should be cross-browser compatible so that users of any browser including Safari, Opera, and other browsers that don’t have other means of protecting against clickjacking attacks can use it.

I’ve only recently learned about this class of exploits and so I’m not supremely well-informed on the topic. As a result, the clickjane.css file is relatively sparse and currently only reveals what I’m sure is a small set of clickjacking attmpts. However, as I research the topic further and learn more about the actual underlying HTML and CSS that clickjacking uses, I’ll be updating the clickjane.css code to reveal those attempts as well.

Naturally, contributions and assistance in any form are most welcome! Learn more about clickjane.css as well as how to use it at the Clickjane CSS Github wiki.

Before and after clickjane.css

Here are two example screenshots of a benign clickjacking demo.

  1. Before:
    Screenshot of Safari before clickjane.css is used to expose clickjacking attempts.
    Screenshot of Safari before clickjane.css is used to expose clickjacking attempts.
  2. After:
    Screenshot of Safari after clickjane.css is used to expose clickjacking attempts.
    Screenshot of Safari after clickjane.css is used to expose clickjacking attempts.

Good habits you should get into to mitigate clickjacking risks

Here is a list of behaviors that you should make habitual while you browse the web. Engaging in these behaviors can dramatically reduce the likelihood that you will be victimized by a clickjacking attack.

More resources to learn about clickjacking

Translations of this article:

24 replies on “clickjane.css: A CSS User Style Sheet to Help Detect and Avoid Clickjacking Attacks”

  1. I’ve only researched NoScript’s handling of clickjacking protection, as I use Firefox and very rarely use Internet Explorer for anything other than compatibility checks while developing. It was the Wikipedia article on clickjacking where I learned about GuardedID. It reads:

    Protection against clickjacking is provided for Internet Explorer by GuardedID.

    which is everything that I know about it. :) If I’m to hazard a guess, though, I’d imagine it’s not dissimilar from NoScript’s behavior, which (as I’m sure you know) brings up a dialogue when you click on a partially visually obscured element.

  2. Just caught this article and though I would respond.

    GuardedID is a great product. I’ve been using it for over a year. I was so impressed with the fact they jumped right on “clickjacking” threat and have protection by way of an ALERT. If you see a white opaque box with a red dotted line around it and the white opacity doesn’t disappear, this is your warning the area may contain embedded malicious code which we know as “clickjacking” now. So I know NEVER to click on the area for fear it could be a fake website too.

    I’m super paranoid about identity theft because it happened to me 12 years ago and it took from then until March of 2008 (thanks to new laws) for me to stop getting harrassed by collection agencies and to get fraud charges off my credit report. This has been a HORRIBLE experience plagung me for YEARS!

    I got GuardedID to provide keystroke encryption which eased my paranoia of doing anything online. THEN with the latest release that came out a few weeks ago, I saw they added another cool feature… letting you know if you have a keylogger installed on your system! Low and behhold when I upgraded, I instantly got a keyboard driver WARNING! Even told me what the driver in question was. Scared the c— out of me. Still have to take my computer in to have my technician check out this driver warning.

    I’m not worried because anything I type when online is protected by GuardedID anyway. I just need to get my suspicious driver issue taken care of.

    GuardedID is THE best tool for keyboard protection. If I’m correct, it’s also patent-pending and the keylogger warning is AWESOME!

    EVERYONE should have this! It works on IE and Firefox too.

  3. To be clear, clickjacking is a very different attack from key logging. Also, on principle, a compromised system can’t be ultimately trusted regardless of what other software is running, NoScript or GuardedID not excepted. Again, this is where a difference between clickjacking—which is constrained within the browser or in a particular user interface—differs from things like malware or software viruses.

  4. I am getting really fed up of spyware and stuff like viruses. There doesn’t seem to be a regulatory body that can find these people and prosecute them for the waste of man-years. The site I link to is a good starter for free internet security to defend yourself with. Basically – Firefox, a free virus checker, Spybot and Spywareblaster coupled with a good firewall policy will stop most rubbish before you notice it on your machine. Stopping attacks on a website is where I would need help.

  5. I wasn’t aware of this type of sneaky attacks. I’ll be implementing your solution.

    I noticed that when i tried to check your clickjacking demo I keep getting automatically redirected to – is this because I’m not logged in to or is some type of security measure I have in my browser which is protecting me from this attack?

    I’m guessing is the first one but I’d like to get confirmation – without registering in mySpace.

    I’m using the latest version of Firefox that came out yesterday 3.0.12



  6. Ivan, since clickjacking has gotten a bit more press, has implemented a simple JavaScript solution to redirect users who are viewing their site within a frame to the homepage. To see the demo, disable JavaScript in your browser (and if you’re using No-Script with Firefox, temporarily disable that, too), and then try to view the demo again.

Comments are closed.