
Clickjacking

What is Clickjacking

Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. (From here)

How to avoid Clickjacking

This was taken from: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

Defending with Content Security Policy (CSP) frame-ancestors directive

The frame-ancestors directive can be used in a Content-Security-Policy HTTP response header to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks by ensuring that their content is not embedded into other sites.

frame-ancestors allows a site to authorize multiple domains using the normal Content Security Policy semantics.

Content-Security-Policy: frame-ancestors Examples

Common uses of CSP frame-ancestors:

  • Content-Security-Policy: frame-ancestors 'none';

    • This prevents any domain from framing the content. This setting is recommended unless a specific need has been identified for framing.

  • Content-Security-Policy: frame-ancestors 'self';

    • This only allows the current site to frame the content.

  • Content-Security-Policy: frame-ancestors 'self' *.somesite.com https://myfriend.site.com;

    • This allows the current site, as well as any page on somesite.com (using any protocol), and only the page myfriend.site.com, using HTTPS only on the default port (443).

Note that the single quotes are required around self and none, but may not occur around other source expressions.

See the following documentation for further details and more complex examples:

Limitations

  • Browser support: CSP frame-ancestors is not supported by all the major browsers yet.

  • X-Frame-Options takes priority: Section "Relation to X-Frame-Options" of the CSP Spec says: "If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then the X-Frame-Options header MUST be ignored", but Chrome 40 & Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.

Defending with X-Frame-Options Response Headers

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are "DENY", "SAMEORIGIN", or "ALLOW-FROM uri".

X-Frame-Options Header Types

There are three possible values for the X-Frame-Options header:

  • DENY, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need has been identified for framing.

  • SAMEORIGIN, which only allows the current site to frame the content.

  • ALLOW-FROM uri, which permits the specified 'uri' to frame this page. (e.g., ALLOW-FROM http://www.example.com).

    • Check limitations below because this will fail open if the browser does not support it.

    • Other browsers support the new CSP frame-ancestors directive instead. A few support both.
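The following is an added example, not part of the OWASP cheat sheet or the original page: a small checker that evaluates a response's Content-Security-Policy frame-ancestors and X-Frame-Options headers and decides whether a given parent origin may frame the page, applying the precedence rule quoted above (frame-ancestors present means X-Frame-Options is ignored). The sample headers are constructed, modelled on the third frame-ancestors example; the host-source matching is simplified (a scheme-less source accepts the parent's scheme, as the text describes).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample response, modelled on the page's third frame-ancestors example.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; "
        "frame-ancestors 'self' *.somesite.com https://myfriend.site.com",
    "X-Frame-Options": "DENY",  # must be ignored because frame-ancestors is present
}

def _origin(url):
    """(scheme, host, effective port) of a URL, so 'self' compares whole origins."""
    u = urlsplit(url.lower())
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def _frame_ancestors(csp):
    """Source expressions of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def _source_matches(source, page_url, parent_url):
    """Simplified CSP host-source matching: scheme, host (with *. wildcard) and port."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin(page_url) == _origin(parent_url)
    p_scheme, p_host, p_port = _origin(parent_url)
    if "://" not in src:  # scheme-less source: accept the parent's scheme (simplification)
        src = p_scheme + "://" + src
    s_scheme, s_host, s_port = _origin(src)
    host_ok = p_host.endswith(s_host[1:]) if s_host.startswith("*.") else p_host == s_host
    return host_ok and s_scheme == p_scheme and s_port == p_port

def framing_allowed(headers, page_url, parent_url):
    """Return (allowed, reason): may parent_url embed page_url given these response headers?"""
    sources = _frame_ancestors(headers.get("Content-Security-Policy", ""))
    if sources is not None:  # CSP frame-ancestors present: X-Frame-Options MUST be ignored
        return any(_source_matches(s, page_url, parent_url) for s in sources), "frame-ancestors"
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(parent_url), "X-Frame-Options SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM "):  # fails open in browsers that do not support it
        return _origin(xfo[len("ALLOW-FROM "):]) == _origin(parent_url), "X-Frame-Options ALLOW-FROM"
    return True, "no framing protection"
```

Running it against a response with neither header returns `(True, "no framing protection")`, which is the condition an audit should flag.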