How to avoid Clickjacking for your website

Pendem Shiva Shankar
2 min read · Sep 23, 2022


Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.

Mitigating clickjacking with X-Frame-Options response header

The X-Frame-Options response header is passed as part of the HTTP response of a web page, indicating whether or not a browser should be allowed to render a page inside a <FRAME> or <IFRAME> tag.

There are three values allowed for the X-Frame-Options header:

  • DENY — does not allow any domain to display this page within a frame
  • SAMEORIGIN — allows the current page to be displayed in a frame on another page, but only within the current domain
  • ALLOW-FROM URI — allows the current page to be displayed in a frame, but only in a specific URI — for example www.example.com/frame-page

Clickjacking test — Is your site vulnerable?

A basic way to test if your site is vulnerable to clickjacking is to create an HTML page and attempt to include a sensitive page from your website in an iframe. It is important to execute the test code on another web server, because this is the typical behavior in a clickjacking attack.

Use code like the following, provided as part of the OWASP Testing Guide:

<html>
<head>
<title>Clickjack test page</title>
</head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://www.yoursite.com/sensitive-page" width="500" height="500"></iframe>
</body>
</html>

View the HTML page in a browser and evaluate the page as follows:

  • If the text “Website is vulnerable to clickjacking” appears and below it you see the content of your sensitive page, the page is vulnerable to clickjacking.
  • If only the text “Website is vulnerable to clickjacking” appears, and you do not see the content of your sensitive page, the page is not vulnerable to the simplest form of clickjacking.

A simple JavaScript frame-busting snippet: if the page is loaded inside a frame, it redirects the top-level window to the page itself

<script>
  if (top != window) {
    top.location = window.location;
  }
</script>

However, the navigation triggered by assigning top.location can be blocked by a beforeunload event handler on the top page.

The top page (the enclosing one, which belongs to the attacker) installs a handler that prevents the navigation, like this:

window.onbeforeunload = function() {
  return false;
};

There are several ways to stop this handler from defeating the frame buster; some straightforward ones follow.
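One defence that does not depend on the redirect succeeding is to ship the page hidden and only reveal it once the script has confirmed it is the top-level window. If the framing page blocks the navigation with its beforeunload handler, the framed content simply stays invisible, so there is nothing for a victim to click. The following is an added example, not code from the original post: the check is written as a function that takes window- and document-like objects so it can run outside a browser, and the small stand-in objects (`makeWindow`, `makeFakeDocument`) are constructed for the example; in a real page the same logic runs directly against `window` and `document` with the `<style id="antiClickjack">` element placed in the head. This complements, and does not replace, the X-Frame-Options and CSP headers set on the server.

```javascript
// Added example: hiding frame-buster. Not from the original post.
//
// In the page this is:
//   <style id="antiClickjack">body { display: none !important; }</style>
//   <script> applyAntiClickjack(window, document); </script>
// `win` and `doc` are injected so the logic can be exercised under Node.

function applyAntiClickjack(win, doc) {
  const blocker = doc.getElementById("antiClickjack");
  if (win.self === win.top) {
    // Top-level window: reveal the page by removing the hiding stylesheet.
    if (blocker && blocker.parentNode) blocker.parentNode.removeChild(blocker);
    return "shown";
  }
  // Framed: try to replace the framing page with this one. The framer's
  // beforeunload handler may block this, but the body remains hidden either way.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // Cross-origin access can throw; the page still stays hidden.
  }
  return "hidden";
}

function isBodyHidden(doc) {
  return doc.getElementById("antiClickjack") !== null;
}

// Constructed stand-in for a document whose head holds the hiding <style>.
function makeFakeDocument() {
  const head = {
    children: [],
    removeChild(node) {
      this.children = this.children.filter((c) => c !== node);
    },
  };
  head.children.push({ id: "antiClickjack", parentNode: head });
  return {
    getElementById(id) {
      return head.children.find((c) => c.id === id) || null;
    },
  };
}

// Constructed stand-in for a window. A framer that returns false from
// beforeunload is modelled as a location setter that discards the assignment.
function makeWindow({ framed, framerBlocksUnload = false }) {
  const self = { location: "https://www.yoursite.com/sensitive-page" };
  if (!framed) return { self, top: self };
  let topLocation = "https://other-site.example/";
  const top = {
    get location() { return topLocation; },
    set location(v) { if (!framerBlocksUnload) topLocation = v; },
  };
  return { self, top };
}

// Run the three cases: top-level, framed, framed with the redirect blocked.
function runScenarios() {
  const out = {};
  for (const [name, opts] of [
    ["topLevel", { framed: false }],
    ["framed", { framed: true }],
    ["framedBlocked", { framed: true, framerBlocksUnload: true }],
  ]) {
    const win = makeWindow(opts);
    const doc = makeFakeDocument();
    const result = applyAntiClickjack(win, doc);
    out[name] = { result, hidden: isBodyHidden(doc), topLocation: win.top.location };
  }
  return out;
}

console.log(runScenarios());

module.exports = { applyAntiClickjack, isBodyHidden, makeFakeDocument, makeWindow, runScenarios };
```

In the blocked case the framer keeps its own location, but the sensitive page inside the frame is still hidden, which is exactly the property the plain top.location redirect lacks.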
