The Clickjacking attack and X-Frame-Options

Clickjacking 

Clickjacking is a type of “web framing” or “UI redressing” attack. What that simply means in practice is that:

1. A user (victim) is shown an innocuous, but enticing web page (think watch online video)
2. Another web page (that generally does something important – think add friends on social network) is layered on top of the first page and set to be transparent
3. When the user thinks they are clicking on the web page they see (video), they are actually clicking on the higher layered (framed) page that is transparent


There are two main ways to prevent clickjacking:
1.    Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
2.    Employing defensive code in the UI to ensure that the current frame is the most top level window

Using X-Frame-Options
X-Frame-Options originally invented by Microsoft for IE8, but supported by a number of browsers, this idea might have more uses than what it was intended for originally. 
There are three possible values for X-Frame-Options:
DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.
In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
  

Configuring IIS

To configure IIS to send the X-Frame-Options header, add this your site's Web.config file:

<system.webServer>
  ...

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>

  ...
</system.webServer>



 Employing defensive code or Frame Busting
It is possible to block the navigation caused by top.location assignment, in the onbeforeunload event. 
The handler of this event returns a string which becomes a question to the user, asking him whether he wants to leave the page or not. The outer window is located at the evil domain, so of course, the hacker may put any question there, and the user will believe and him stay. It’s always like that. 


<script>
if(top != window) {
               top.location = window.location
         
}
</script>

<script>
window.onbeforeunload = function() {
           window.onbeforeunload = null
           return "Maybe you want to leave the page, before you become rich?!?"
}
</script>

<iframe src="http://javascript.info/files/tutorial/window/changetop.html"style="height:80px"></iframe>


The most reliable method is to suspend showing the document until the top == window check

<head>
  <style> body { display : none;} </style>

</head>
<body>


<script>

  if (self == top) {
    var theBody = document.getElementsByTagName('body')[0]

    theBody.style.display = "block"
  } else {

    top.location = self.location
  }

</script>


</body>




 In the example above, we use document.getElementsByTagName('body') instead of document.body, because this way of getting BODY it works in all browsers when the document is not ready.

Summary:
Clickjacking is easy to implement. As far as there is an action on your site that can be done with a single click - it may be clickjacked. An attacker can ensure that the visitor is logged into your site by social engineering. Or on some sites it is possible to send a message to a user with the “Happy Link”. The user will browse his site mail and click on it, then be clickjacked.. Many variants are possible. It is recommended that you use the X-Frame-Options at pages which are not meant to run into a frame. The older frame busting method is less effective, but useful for older browsers, like IE7.

Comments

Post a Comment

Popular posts from this blog

Data Bound Controls in ASP.Net - Part 4 (FormView and DetailsView controls)

FormView The FormView control is used to display a single record from a data source. It is similar to the DetailsView control, except it displays user-defined templates instead of row fields. Creating your own templates gives you greater flexibility in controlling how the data is displayed. The FormView control supports the following features: ·          Binding to data source controls, such as SqlDataSource and ObjectDataSource. ·          Built-in inserting, updating and deleting capabilities. ·          Built-in paging capabilities. ·          Programmatic access to the FormView object model to dynamically set properties, handle events, and so on. ·          Customizable appearance through user-defined templates, themes, and styles. Templates For the FormView control to display content, you need to create templates for the different parts of the control. Most templates are optional; however, you must create a template for the mode in which the control is configur
Read more

JavaScript - ES2015 (aka ES6)

The ES2015 Since this long time passed between ES5.1 and ES6, the release is full of important new features and major changes in suggested best practices in developing JavaScript programs. To understand how fundamental ES2015 is, just keep in mind that with this version, the specification document went from 250 pages to ~600. In this blog, we describe the most important changes. Arrow Functions A new  this   scope Promises Generators let   and  const Classes Constructor Super Getters and setters Modules Importing modules Exporting modules Template Literals Default parameters The spread operator Destructuring assignments Enhanced Object Literals Simpler syntax to include variables Prototype super() Dynamic properties For-of loop Map and Set New String methods New Object methods Arrow functions Arrow functions since their introduction changed how most JavaScript code looks (and works). Visually, it’s a simple and welcome change, from: cons
Read more