Asked 8 years ago
3 Oct 2016
Views 2923
sec8

sec8 posted

how to avoid Clickjacking attacks

for some security reason , i want to make sure my website content is not embedded into other sites by <frame> or <iframe> ? so let me know if any solution for it
Mahesh Radadiya

Mahesh Radadiya
answered Nov 30 '-1 00:00

From Mozilla


Clickjacking. In this attack a malicious user hijacks clicks meant for a visible top level site and routes them to a hidden page beneath. This technique might be used, for example, to display a legitimate bank site but capture the login credentials into an invisible <iframe> controlled by the attacker. It could alternatively be used to get the user to click a button on a visible site, but in doing so actually unwittingly click a completely different button. As a defence your site can prevent itself from being embedded in an iframe in another site by setting appropriate HTTP headers.



mostly <frame>, <iframe> or <object> used to clickjacking attacks

HTTP response header have some attribute which can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> .

X-Frame-Options


X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/


how to send X-Frame-Options header response to browser by Server ?

By Server Itself by configuring it

Apache Server

put following in site's configure , to configure Apache to send the X-Frame-Options header for all page

Header always append X-Frame-Options SAMEORIGIN


nginx Server

put following in site's location configuration, to configure nginx to send the X-Frame-Options header for all page

add_header X-Frame-Options SAMEORIGIN;


IIS Server

put following in site's Web.config , to configure nginx to send the X-Frame-Options header for all page

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>


Mitul Dabhi

Mitul Dabhi
answered Nov 30 '-1 00:00

what is clickjacking attack ?

in clickjacking attack , people put your website/page to their website by through the iframe or other way

suppose
example1.com embed example.com by iframe


<html>
<body>
<iframe src="www.example.com" ></iframe>
</body>


how to prevent clickjacking attack ?

so to avoid clickjacking attack following code we can put in our site (example.com in our case)

put this javascript/css code in <head> tag of your webpage


<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
 
 } else {
       top.location = self.location;
   }
   </script> 


let me explain code little bit


 <style id="antiClickjack">body{display:none !important;}</style>


body{display:none will make blank page . untill script conform that we are not attacked

self return current url , it means if it in iframe than iframe src
top return browsed url , which in location bar of the web browser
if self != top than redirect to main website url by top.location =self.location

if current url is browsed url means self==top than remove body{display:none
Best-for-now Legacy Browser Frame Breaking code,good - jagdish  
Oct 4 '16 06:53
its first level security . what about the other layers ? - ajamil  
Oct 4 '16 07:20
good but what this script do ?how it work ? - sec8  
Oct 4 '16 09:11
jagdish

jagdish
answered Nov 30 '-1 00:00

put this javascript code at <head> tag to avoid your website content is not embedded into other sites by <iframe> or <frame>

<script>
if (self !== top) {
        top.location = self.location;
   }
   </script>


simple and sweet , isnt it
Post Answer