Busting frame busting: a study of clickjacking vulnerabilities at popular sites

Citation: In proceedings of IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010).
Authors: G. Rydstedt, E. Bursztein, D. Boneh, C. Jackson


Web framing attacks such as clickjacking use iframes to hijack a user's web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. We study frame busting practices for the Alexa Top-500 sites and show that all can be circumvented in one way or another. Some circumventions are browser-specific while others work across browsers. We conclude with recommendations for proper frame busting.
