How to protect against clickjacking attacks using framebusting techniques

Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Understand What Clickjacking Is

Clickjacking is a type of attack that tricks a user into clicking on a malicious link or button without their knowledge. It is a form of social engineering attack that takes advantage of the trust users have in a website or application. The attacker will use multiple transparent or opaque layers to disguise the malicious link or button, making it appear as if it is part of the legitimate page. When the user clicks on the link or button, they are unknowingly taken to a malicious page or application.

Use Framebusting Techniques

Framebusting is a technique used to prevent clickjacking attacks. It works by detecting when a page is being loaded in a frame and then breaking out of the frame. This prevents the page from being rendered inside the attacker's frame, so the user cannot be tricked into clicking on the disguised link or button.

The most common way to implement framebusting is JavaScript that uses the window.top.location property. The script checks whether the page is being loaded in a frame (window.self differs from window.top) and, if it is, breaks out of the frame by assigning window.top.location, which redirects the top-level window to the page itself.

Use X-Frame-Options

Another way to protect against clickjacking attacks is to use the X-Frame-Options HTTP response header. This header tells the browser whether or not a page can be loaded in a frame. If the header is set to "DENY", then the page cannot be loaded in a frame.

The X-Frame-Options header can be set by the application in the HTTP response headers of the page or in the web server configuration. For example, in Apache, the header can be set using the following directive:

Header set X-Frame-Options DENY

Use Content Security Policy

Content Security Policy (CSP) is a security mechanism that can be used to protect against clickjacking attacks. CSP is a set of rules that are sent in the HTTP response headers of a page. These rules tell the browser which content can be loaded on the page and which content should be blocked.

For example, the following CSP rule will block the page from being loaded in any frame:

Content-Security-Policy: frame-ancestors 'none'
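The two headers from this section and the previous one are normally sent together, since browsers that understand frame-ancestors ignore X-Frame-Options while older browsers only understand X-Frame-Options. The following is an added example, not code from the original article or from any project: it builds both headers for a chosen policy ('none' blocks all framing, 'self' allows same-origin framing only, which corresponds to the SAMEORIGIN value of X-Frame-Options) and applies them to any Node-style response object that exposes setHeader(). The handler function and the response page body are assumptions for illustration.

```javascript
// Added example: build and apply the anti-clickjacking response headers.
// Not the article's code; the policy names 'none'/'self' are this example's own.

// Return the header pair for a framing policy.
function frameProtectionHeaders(policy) {
  if (policy === 'none') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  throw new Error('unknown framing policy: ' + policy);
}

// Apply the headers to anything with a setHeader(name, value) method, such as
// Node's http.ServerResponse or an Express `res`. Both headers are sent:
// browsers that implement CSP frame-ancestors ignore X-Frame-Options when the
// directive is present, and older browsers only know X-Frame-Options.
function applyFrameProtection(res, policy) {
  const headers = frameProtectionHeaders(policy);
  for (const [name, value] of Object.entries(headers)) {
    res.setHeader(name, value);
  }
  return headers;
}

// Minimal request handler (hypothetical) that can be passed to
// require('http').createServer(handler); every response it sends is unframeable.
function handler(req, res) {
  applyFrameProtection(res, 'none');
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<!doctype html><title>protected</title><p>This page refuses to be framed.</p>');
}

// Constructed stand-in for a response object, so the handler can be exercised
// without starting a server: it records headers instead of writing them.
function recordingResponse() {
  return {
    headers: {},
    body: null,
    setHeader(name, value) { this.headers[name] = value; },
    end(body) { this.body = body; },
  };
}
```

To check a live deployment after wiring `handler` into `http.createServer`, request the page with `curl -sI http://localhost:8080/` and confirm both header lines appear in the output; the same check belongs in a deployment smoke test so the headers cannot silently disappear behind a proxy or CDN that rewrites responses.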

Use JavaScript

JavaScript can also be used to protect against clickjacking attacks. The most common way to do this is to use the window.top.location property, as described above.

Another way to use JavaScript to protect against clickjacking is to use the window.frameElement property. This property returns the frame element in which the page is being loaded, or null when there is none. It can therefore be used to detect whether the page is being loaded in a frame and take appropriate action.
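The framebusting section and this one describe the same browser-side logic: compare window.self with window.top, assign window.top.location when they differ, and optionally inspect window.frameElement. The following is an added example, not code from the original article or from any project, that writes that logic as pure functions over a window-like object so it runs unchanged in a browser (pass the real window and document) and in a Node test with constructed mock windows; the hostnames and the makeWindows() helper are assumptions of the example. Two caveats worth knowing as a defender: window.frameElement is null not only when the page is not framed but also when the framing page is cross-origin, so it cannot by itself tell you whether you are framed; and a framing page can place the victim page in an iframe whose sandbox attribute omits allow-top-navigation, in which case the browser refuses the window.top.location assignment. That is why the script is a fallback and the X-Frame-Options and CSP frame-ancestors headers remain the primary defence.

```javascript
// Added example: frame detection and frame-busting as pure functions over a
// window-like object. Not the article's own code.

// True when the page is rendered inside a frame. Comparing window.self with
// window.top is permitted even when the ancestor is cross-origin; any exception
// while inspecting the ancestor chain is treated as "framed" so the check fails closed.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (err) {
    return true;
  }
}

// window.frameElement is the <iframe> element only when the parent document is
// same-origin; it is null both when not framed and when framed cross-origin.
// So it tells you who framed you in the same-origin case, not whether you are framed.
function describeFrame(win) {
  let el = null;
  try {
    el = win.frameElement;
  } catch (err) {
    el = null;
  }
  if (!isFramed(win)) return 'not framed';
  return el ? 'framed by same-origin ' + el.tagName.toLowerCase() : 'framed cross-origin';
}

// Break out of the frame by navigating the top-level window to this page.
// Assigning top.location is allowed cross-origin (reading it is not). Inside an
// <iframe sandbox> without allow-top-navigation the browser refuses the
// navigation, which the try/catch reports as false.
function bustFrame(win) {
  if (!isFramed(win)) return false;
  try {
    win.top.location = win.self.location.href;
    return true;
  } catch (err) {
    return false;
  }
}

// Guard in the style of the OWASP legacy recommendation: the page ships with its
// body hidden by CSS and is revealed only after the script confirms it is the
// top-level document; otherwise the content stays hidden and the frame is busted.
// `doc` is the document (or a document-like object with body.style).
function applyClickjackingGuard(win, doc) {
  if (isFramed(win)) {
    bustFrame(win);
    return 'busted';
  }
  doc.body.style.display = 'block';
  return 'shown';
}

// Constructed stand-in for a browser environment (assumption of this example):
// a top-level window on one site and a child window framed inside it.
function makeWindows() {
  const top = { location: { href: 'https://framing-site.example/page' } };
  top.self = top;
  top.top = top;
  const child = { location: { href: 'https://app.example/account' }, frameElement: null };
  child.self = child;
  child.top = top;
  return { top, child };
}
```

In a real page the call is `applyClickjackingGuard(window, document)` from a script placed in the head, with a preceding `<style>body { display: none !important; }</style>` that the guard overrides once it has confirmed the page is top-level.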

Use HTML5 Sandbox

The HTML5 sandbox attribute can also be used to protect against clickjacking attacks. The sandbox attribute restricts what a page can do when it is loaded in a frame.

For example, the following HTML code will prevent the page from being loaded in a frame:

Monitor Your Website

Finally, it is important to monitor your website for clickjacking attacks. This can be done by using a web application security scanner to scan your website for vulnerabilities.

These scanners will look for common vulnerabilities such as cross-site scripting (XSS) and SQL injection, as well as clickjacking vulnerabilities. If any vulnerabilities are found, they should be addressed as soon as possible.
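The clickjacking check a scanner performs is a header audit: fetch each page and decide whether its response carries an effective X-Frame-Options value or a CSP frame-ancestors directive. The following is an added example, not the article's code or any scanner's, that implements that audit over plain header objects and runs it across a constructed set of sample responses; the paths, header values and partner hostname are made up for illustration. It applies the CSP-wins rule (browsers ignore X-Frame-Options when frame-ancestors is present) and flags the obsolete ALLOW-FROM form, which current browsers do not honour, as unprotected.

```javascript
// Added example: audit HTTP response headers for clickjacking protection.
// Not the article's code. Input: an object of header name -> value (any case).

// Case-insensitive header lookup.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === want) return v;
  }
  return null;
}

// Extract the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Decide whether one response is protected and which header decided it.
function auditFrameProtection(headers) {
  const xfo = (getHeader(headers, 'X-Frame-Options') || '').trim().toUpperCase();
  const ancestors = frameAncestors(getHeader(headers, 'Content-Security-Policy'));

  // CSP takes precedence: browsers that understand frame-ancestors ignore X-Frame-Options.
  if (ancestors) {
    if (ancestors.includes("'none'")) {
      return { protected: true, via: 'csp', detail: "frame-ancestors 'none'" };
    }
    if (ancestors.includes('*')) {
      return { protected: false, via: 'csp', detail: 'frame-ancestors allows any origin' };
    }
    return { protected: true, via: 'csp', detail: 'frame-ancestors ' + ancestors.join(' ') };
  }
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, via: 'xfo', detail: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { protected: false, via: 'xfo', detail: 'ALLOW-FROM is not honoured by current browsers' };
  }
  if (xfo) {
    return { protected: false, via: 'xfo', detail: 'unrecognised value ' + xfo };
  }
  return { protected: false, via: null, detail: 'no anti-framing header' };
}

// Constructed sample responses (paths and values invented for this example),
// shaped like what a crawler would collect for each page.
const SAMPLE_RESPONSES = {
  '/login': { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  '/legacy': { 'x-frame-options': 'sameorigin' },
  '/widget': { 'content-security-policy': 'frame-ancestors https://partner.example' },
  '/old': { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  '/open': { 'content-type': 'text/html' },
};

// Run the audit over every collected response and return findings keyed by path.
function scan(responses) {
  const findings = {};
  for (const [path, headers] of Object.entries(responses)) {
    findings[path] = auditFrameProtection(headers);
  }
  return findings;
}

// Paths that need attention, for a report or a CI gate.
function unprotectedPaths(responses) {
  return Object.entries(scan(responses))
    .filter(([, f]) => !f.protected)
    .map(([path]) => path)
    .sort();
}
```

Wiring this to real traffic means replacing SAMPLE_RESPONSES with headers captured by fetch() or a crawler; failing a build when unprotectedPaths() is non-empty turns the one-off scan the text recommends into continuous monitoring.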

Conclusion

Clickjacking is a type of attack that tricks a user into clicking on a malicious link or button without their knowledge. To protect against clickjacking attacks, it is important to use framebusting techniques, X-Frame-Options, Content Security Policy, JavaScript, HTML5 Sandbox, and to monitor your website for vulnerabilities.

Useful Links