LII:Web Application Security Guide/Clickjacking

From LIMSWiki
Revision as of 22:35, 10 August 2016 by Shawndouglas (talk | contribs) (Added further reading)

Clickjacking

In a clickjacking attack, the target site is embedded in an IFRAME on the attacking site. The frame is either kept in the background and mostly covered by other elements, or made transparent and kept in the foreground. The user is then enticed to click a certain location (e.g., with the transparency method, by placing a visible button in the background). Instead of the visible button, the click lands in the invisible frame. The placement of the IFRAME and the button is chosen so that the click triggers the action the attacker wants (e.g., changing settings). Because the user is logged in to the target site, the click can trigger actions that would otherwise be unreachable for the attacker. Multiple Facebook spam waves were generated using this method.

To prevent this type of attack:

  • Prevent (i)framing of your application in current browsers by including the HTTP response header "X-Frame-Options: deny".
  • Prevent (i)framing in outdated browsers by including a JavaScript frame breaker that checks for (i)framing and refuses to show the page if it is detected.
  • For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript.

Rationale

The X-Frame-Options header is required because JavaScript frame breakers can be ineffective in some newer browsers that allow undetectable framing. However, older but still common browsers ignore the header and therefore need additional protection from a classic JavaScript-based frame breaker. Unlike the header method, a frame breaker does not work when JavaScript is disabled, so additional measures may be necessary for that case.
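The two layers recommended above (the response header for current browsers and a JavaScript frame breaker for older ones), written as an added example that is not part of the original Wikibooks article. The middleware uses an Express-style (req, res, next) signature, and the `win`/`doc` arguments are stand-ins for the browser's window and document so the frame-breaker logic can be exercised outside a browser; both are assumptions of this example.

```javascript
// Layer 1: response header for current browsers. Any server that can set a
// response header works the same way; the (req, res, next) shape is assumed.
function denyFraming(req, res, next) {
  res.setHeader('X-Frame-Options', 'DENY');
  next();
}

// Layer 2: JavaScript frame breaker for browsers that ignore the header.
// Design: the page ships with a <style id="antiClickjack">body{display:none}
// </style> rule, so the content is hidden by default. The script removes that
// rule only after confirming the page is the top-level window; if it is framed,
// the page stays hidden and the script tries to escape the frame.
function isFramed(win) {
  // In a framed document, the frame's own window differs from the top window.
  return win.self !== win.top;
}

function breakFrame(win, doc) {
  if (isFramed(win)) {
    // Framed: leave the body hidden and navigate the top window to our URL.
    win.top.location = win.self.location;
    return 'framed';
  }
  // Top-level: remove the hiding rule so the page becomes visible.
  const hide = doc.getElementById('antiClickjack');
  if (hide && hide.parentNode) hide.parentNode.removeChild(hide);
  return 'top-level';
}

// Constructed stand-ins (not real browser objects) used to demonstrate the
// two outcomes without a browser.
function makeWindows() {
  const topWin = { location: 'https://app.example/settings' };
  topWin.self = topWin;
  topWin.top = topWin;
  const framedWin = { location: 'https://app.example/settings' };
  framedWin.self = framedWin;
  framedWin.top = { location: 'https://attacker.example/' };
  return { topWin, framedWin };
}

function makeDocument() {
  const removed = [];
  const style = { id: 'antiClickjack', parentNode: { removeChild: (el) => removed.push(el.id) } };
  return { removed, getElementById: (id) => (id === style.id ? style : null) };
}
```

In a real page the frame breaker must run as early as possible (in the <head>, before the body renders) and the hiding rule must exist before the script executes, otherwise there is a window in which a framed page is visible.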

Further reading

Notes

The original source for this page is the associated Wikibooks article and is shared here under the CC BY-SA 3.0 license.