Clickjacking Attacks

As part of the Cyber Security training I am doing, a deliverable is to write a web application that prevents clickjacking attacks.

What is clickjacking?

Clickjacking refers to any attack in which the user is tricked into clicking something other than what they believe they are clicking, allowing malicious content or an unintended action to be executed. Clickjacking often occurs on web pages that can be loaded inside an iframe. Ultimately, it is the art of tricking the user and exploiting their trust.

Two techniques you can use to prevent clickjacking

HTTP headers

One method is to use HTTP headers, as recommended by OWASP, who suggest hiding the entire body of the HTML document and only showing it after verifying that the page is not framed.

X-Frame-Options

The X-Frame-Options header specifies whether a page can be embedded in a <frame>, <iframe>, <embed> or <object> element.

Within the header options, you have a few choices:

  • deny to block all framing
  • sameorigin to allow framing only by pages of the same origin (sensible)
  • allow-from to allow framing only by pages from a specified URI – this value is not supported across browsers, and a browser that does not recognise it ignores the header altogether.

Further information: https://support.office.com/en-us/article/mitigating-framesniffing-with-the-x-frame-options-header-1911411b-b51e-49fd-9441-e8301dcdcd79
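As an added example that is not part of the original post, the following Python code shows the header-based defence described above as a tiny web application that sends X-Frame-Options on every response, together with an audit function a defender can run over captured response headers (for instance from curl -I). The names PORTABLE_XFO, frame_options_header, framing_protection, NoFramingHandler and probe_server are my own, and the audit deliberately treats allow-from and misspelt values as unprotected, since a browser that does not recognise the value ignores the header.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Values every mainstream browser honours; ALLOW-FROM is left out on purpose,
# because browsers that do not recognise it ignore the whole header.
PORTABLE_XFO = {"DENY", "SAMEORIGIN"}

def frame_options_header(policy="DENY"):
    """(name, value) pair for X-Frame-Options; refuses non-portable values."""
    value = policy.strip().upper()
    if value not in PORTABLE_XFO:
        raise ValueError(f"non-portable X-Frame-Options value: {policy!r}")
    return ("X-Frame-Options", value)

def framing_protection(headers):
    """Report the framing restriction a browser enforces: 'deny', 'sameorigin' or 'none'."""
    lowered = {name.lower(): value for name, value in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    # ALLOW-FROM, typos such as "SAME-ORIGIN" and a missing header all leave
    # the page frameable, so they are reported as unprotected.
    return "none"

class NoFramingHandler(BaseHTTPRequestHandler):
    """Minimal handler that attaches the header to every HTML response."""
    def do_GET(self):
        body = b"<!doctype html><title>protected</title><p>Not frameable.</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header(*frame_options_header("DENY"))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def probe_server(handler=NoFramingHandler):
    """Serve on an ephemeral loopback port, fetch '/', shut down, return the audit."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection(*server.server_address, timeout=5)
        conn.request("GET", "/")
        return framing_protection(dict(conn.getresponse().getheaders()))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("local server reports:", probe_server())
```

Running the module starts the handler on a loopback port, requests the page and prints deny, which is the same result framing_protection gives for any real response carrying X-Frame-Options: DENY.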
