0
1
Mahesh Radadiya
answered Nov 30 '-1 00:00
From Mozilla
Clickjacking. In this attack a malicious user hijacks clicks meant for a visible top level site and routes them to a hidden page beneath. This technique might be used, for example, to display a legitimate bank site but capture the login credentials into an invisible <iframe> controlled by the attacker. It could alternatively be used to get the user to click a button on a visible site, but in doing so actually unwittingly click a completely different button. As a defence your site can prevent itself from being embedded in an iframe in another site by setting appropriate HTTP headers.
mostly <frame>, <iframe> or <object> used to clickjacking attacks
HTTP response header have some attribute which can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> .
X-Frame-Options
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/
how to send X-Frame-Options header response to browser by Server ?
By Server Itself by configuring it
Apache Server
put following in site's configure , to configure Apache to send the X-Frame-Options header for all page
Header always append X-Frame-Options SAMEORIGIN
nginx Server
put following in site's location configuration, to configure nginx to send the X-Frame-Options header for all page
add_header X-Frame-Options SAMEORIGIN;
IIS Server
put following in site's Web.config , to configure nginx to send the X-Frame-Options header for all page
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
0
Mitul Dabhi
answered Nov 30 '-1 00:00
what is clickjacking attack ?
in clickjacking attack , people put your website/page to their website by through the iframe or other way
suppose
example1.com embed example.com by iframe
<html>
<body>
<iframe src="www.example.com" ></iframe>
</body>
how to prevent clickjacking attack ?
so to avoid clickjacking attack following code we can put in our site (example.com in our case)
put this javascript/css code in <head> tag of your webpage
<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
if (self === top) {
var antiClickjack = document.getElementById("antiClickjack");
antiClickjack.parentNode.removeChild(antiClickjack);
} else {
top.location = self.location;
}
</script>
let me explain code little bit
<style id="antiClickjack">body{display:none !important;}</style>
body{display:none will make blank page . untill script conform that we are not attacked
self return current url , it means if it in iframe than iframe src
top return browsed url , which in location bar of the web browser
if self != top than redirect to main website url by top.location =self.location
if current url is browsed url means self==top than remove body{display:none
Best-for-now Legacy Browser Frame Breaking code,good -
jagdish
Oct 4 '16 06:53
its first level security . what about the other layers ? -
ajamil
Oct 4 '16 07:20
good but what this script do ?how it work ? -
sec8
Oct 4 '16 09:11
0
jagdish
answered Nov 30 '-1 00:00
put this javascript code at <head> tag to avoid your website content is not embedded into other sites by <iframe> or <frame>
<script>
if (self !== top) {
top.location = self.location;
}
</script>
simple and sweet , isnt it