Protecting your Site From Click Jacking

Hello,

I am writing a post after a long time, because a company that stands within the Alexa Rank 100 asked me how to patch a site against the Click-Jacking vulnerability. I am really enthusiastic about server-side flaws which result in affecting users. I almost never look for Click-Jacking in my bug hunts (1% of my total findings), but in the rarest cases I try to find one and take it to easy and effective social engineering. Many companies don’t consider it a threat, but it is an actual threat, because no one likes their site content getting spoofed by other layered code or by slicing some code over it. I am using a WordPress blog, so they don’t currently allow me to do so, but I have a new startup company of mine where I use the concept effectively, which I will also publicly release soon. But let’s talk about Click-Jacking protection now.

So, many newbie hackers find Click-Jacking by showing a site inside an iframe and are done with their business, but don’t know the actual mitigation and patch. So first I suggest you go over the Mozilla Developer page about X-Frame-Options.

This vulnerability mainly occurs due to a weak or missing X-Frame-Options header. You have three choices for its value:

  1. DENY : If you set X-Frame-Options to DENY, then your page cannot be embedded in an iframe. This is where the patch for the infamous Click-Jacking bug lies.
  2. SAMEORIGIN : If you set X-Frame-Options to SAMEORIGIN, then the page can only be displayed in a frame on the same origin as the page itself, which means the site can only be framed by pages with the same origin as the framed page.
  3. ALLOW-FROM uri : The page can only be displayed in a frame on the specified origin.

Now that the concept of the HTTP header X-Frame-Options is clear, we can move on to the setup for the patch.

APACHE SETUP:

To configure Apache to send the X-Frame-Options header for all pages, you need to add this to your site’s configuration. For WordPress sites on Apache, you can also add it in your .htaccess:

Header always append X-Frame-Options DENY

NGINX SETUP:

For NGINX, you need to add this to the server configuration:

add_header X-Frame-Options DENY;

DRUPAL SETUP:

Drupal has a custom way to deal with headers through the use of drupal_add_http_header. So you can add

drupal_add_http_header('X-Frame-Options', 'DENY');

IIS SETUP:

To configure IIS to send the X-Frame-Options header, you need to add this (from Mozilla Web Dev):

<system.webServer>
  …

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>

  …
</system.webServer>

PHP SETUP:

Web developers often use this to protect specific pages such as the login or sign-up page. Even WordPress does that for its login page. You need to add this line in your PHP code:

header('X-Frame-Options: DENY');

The demonstrations above were for DENY; similarly, you can use SAMEORIGIN if you prefer. You only need to replace the value. I hope it’s clear now. So let’s see how it looks.

[Screenshot from 2015-11-06 11:34:32]
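To confirm that a response really carries the header after any of the setups above, here is an added Python example (not part of the original post) that classifies X-Frame-Options in a raw response head. The function names and the sample responses are constructed for illustration.

```python
# Added example: audit X-Frame-Options in a raw HTTP response head.
VALID = ("DENY", "SAMEORIGIN")

def xfo_values(raw_head):
    """Collect every X-Frame-Options value (header names are case-insensitive)."""
    values = []
    for line in raw_head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            # Several values can arrive comma-joined when more than one
            # layer (server config, application code) adds the header.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    return values

def audit(raw_head):
    """Return (verdict, detail) for the framing protection of one response."""
    distinct = sorted(set(xfo_values(raw_head)))
    if not distinct:
        return "MISSING", "no X-Frame-Options header sent"
    if len(distinct) > 1:
        return "CONFLICT", "send exactly one value, got: " + ", ".join(distinct)
    value = distinct[0]
    if value in VALID:
        return "OK", value
    if value.startswith("ALLOW-FROM"):
        return "REVIEW", "ALLOW-FROM is obsolete and ignored by current browsers"
    return "INVALID", "unrecognised value: " + value

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "apache_deny": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n",
    "lowercase_name": "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n",
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "two_layers": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY, SAMEORIGIN\r\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:16} {audit(head)}")
```

Feed it the header block of a real response from your own site in place of the samples; anything other than OK means the setup needs another look.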

So, I hope you liked it and now understand it from the developer’s side, because “Every Hacker is a Developer”. Shoot your queries here!

Reference:

https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet

If you want to put this on your blog posts, mention me in Greets 🙂  Thank you !!
