Solved

Any other way to protect against clickjacking besides IPS signatures & X-Frame-Options; freeware to test a URL for clickjacking

Posted on 2014-11-14
249 Views
Last Modified: 2014-11-18
I came across a few servers on which I did not deploy IPS (both network & endpoint IPS) clickjacking
signatures, & X-Frame-Options is not coded in the webservers either.

However, the security consultant scanned & claims that the URLs / websites are not vulnerable.


Q1:
Is there any other means, say at the application level or some other coding, that could mitigate
against clickjacking to the extent that the security scanner reports it as non-vulnerable?
Question by:sunhux
4 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40444097
If you catch this and embed the code, you can test whether the page is vulnerable to clickjacking, as you have allowed the webpage to be framed from another domain (not under you): https://www.codemagi.com/blog/post/196
OWASP has a cheat sheet for defending against clickjacking which includes the per-page level, but in short it states:
There are two main ways to prevent clickjacking:
Sending the proper X-Frame-Options HTTP response headers that instruct the browser not to allow framing from other domains
Employing defensive code in the UI to ensure that the current frame is the most top-level window
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Implementation
 

Author Comment

by:sunhux
ID: 40444381
Read through the OWASP URL, still rather clueless.

Q2:
So can it be summarized that if there's no IPS (network or endpoint) in
place, X-Frame-Options is bound to be found somewhere (at the page
level or in the web server's config file) for those non-vulnerable sites?

Q3:
If it's at page level, on which page do people usually code it? At
index.html?

Q4:
Any chance that a redirected page, i.e. from a web server it was
redirected to another server or a DMS (DDoS Mitigation Service),
could explain such sites being non-vulnerable to
clickjacking (as reported by the scanner)?

Q5:
As the same scanner is used, presumably it can't be the scanner's
fault, reporting certain sites correctly while reporting some
other sites incorrectly.
 

Author Comment

by:sunhux
ID: 40444384
Or at which page & location can I locate the following code?
(I'll do a grep/find of 'anticlickjack')

<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:

<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 40444412
q2. Yes, X-Frame-Options is an HTTP header; it has to come from the web service per se (of course I am assuming there is no false injection along the path, as any device can attempt to add in such a header, like a proxy type..)

q3. On critical pages that need to assure it is what is clicked by the user. See MS best practices:
1. Send the content as an HTTP header – the directive is ignored if specified in a META tag
2. Use X-Frame-Options on critical configuration pages or other pages that require an "authentic user click"
3. Don't use "sameorigin" if you have any page on your domain which accepts an arbitrary URL to frame
q4. Browsers should not apply X-Frame-Options restrictions for HTTP redirects (status codes 301, 302, etc.), and if you check RFC 7034, it states the HTTP response header is to allow a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A).

q5. I believe it has nothing to do with the scanner if it simulates a true browser and respects the response if the option header is returned... but it should be the same thinking as q4.

As for where to best place the anti-clickjack JS, it is inside each page, to verify that there are no transparent layers, especially on those pages that have "clickable" buttons. See the Visa example implementation.
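
As an added example, not code from this thread, from OWASP or from any scanner product: the Node.js script below does what the accepted solution and the q2/q4/q5 answers describe a scanner doing. It takes a captured response chain (constructed here, not a real capture), follows it to the final non-3xx response, and judges that response's X-Frame-Options; it also checks the CSP frame-ancestors directive, which the thread does not mention but which overrides X-Frame-Options in browsers that support CSP, and it flags the OWASP-style frame-busting snippet quoted above as a script-only defence that a header check does not credit. All hostnames, paths and header values are made up for illustration; the CSP source matching is a simplified version of the spec (no port or path matching).

```javascript
// Added example (not code from this thread, OWASP or any scanner product): the
// checks a clickjacking scanner makes on a captured response chain, run over
// constructed responses so it executes offline with plain Node.js. Hostnames,
// paths and header values below are made up for illustration.

const FRAME_BUSTER_RE = /id=["']antiClickjack["']|top\.location\s*=\s*self\.location/;

function headerValue(headers, name) {
  const v = headers[name.toLowerCase()];
  return Array.isArray(v) ? v.join(', ') : v;
}

// X-Frame-Options is DENY | SAMEORIGIN | ALLOW-FROM <origin>, case-insensitive.
// Two different values on one response is a misconfiguration; report it as
// INVALID instead of guessing which value a particular browser honours.
function parseXfo(raw) {
  if (raw === undefined) return null;
  const values = [...new Set(raw.split(',').map(v => v.trim().toUpperCase()).filter(Boolean))];
  if (values.length !== 1) return { directive: 'INVALID', raw };
  const [directive, ...rest] = values[0].split(/\s+/);
  if (directive === 'DENY' || directive === 'SAMEORIGIN') return { directive, raw };
  if (directive === 'ALLOW-FROM' && rest.length === 1) return { directive, origin: rest[0].toLowerCase().replace(/\/$/, ''), raw };
  return { directive: 'INVALID', raw };
}

// Source list of the CSP frame-ancestors directive, or null if absent. Where a
// browser supports CSP, frame-ancestors overrides X-Frame-Options, so check it first.
function parseFrameAncestors(raw) {
  if (raw === undefined) return null;
  for (const directive of raw.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1).map(t => t.toLowerCase());
  }
  return null;
}

// Simplified source matching: 'none', 'self', '*', a scheme-source ("https:")
// and a port-less host-source with optional scheme and "*." wildcard.
function frameAncestorsAllow(sources, pageOrigin, framerOrigin) {
  const framer = new URL(framerOrigin);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") { if (pageOrigin === framer.origin) return true; continue; }
    if (src === '*') return true;
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { if (src === framer.protocol) return true; continue; }
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)$/);
    if (!m) continue;
    const [, scheme, wildcard, host] = m;
    if (scheme && scheme + ':' !== framer.protocol) continue;
    if (wildcard ? !framer.hostname.endsWith('.' + host) : framer.hostname !== host) continue;
    return true;
  }
  return false;
}

// `chain` holds the captured responses in order, starting at the requested URL.
// Only the final non-3xx response counts: the header on a redirect hop does not
// protect the content that is eventually rendered, which is why a scanner that
// stops at a 302 and one that follows it can disagree about the same site.
function assessClickjacking(chain, framerOrigin) {
  const finalIdx = chain.findIndex(r => r.status < 300 || r.status >= 400);
  if (finalIdx === -1) return { verdict: 'inconclusive', findings: ['redirect chain never reached a final response'] };
  const final = chain[finalIdx];
  const pageOrigin = new URL(final.url).origin;
  const framer = new URL(framerOrigin).origin;
  const findings = [];
  const firstHost = new URL(chain[0].url).host, finalHost = new URL(final.url).host;
  if (firstHost !== finalHost) findings.push(`served from ${finalHost} after redirect; its headers decide, not ${firstHost}'s`);
  const ancestors = parseFrameAncestors(headerValue(final.headers, 'content-security-policy'));
  const xfo = parseXfo(headerValue(final.headers, 'x-frame-options'));
  let verdict;
  if (ancestors !== null) {
    verdict = frameAncestorsAllow(ancestors, pageOrigin, framer) ? 'vulnerable' : 'not vulnerable';
    findings.push(`CSP frame-ancestors ${ancestors.join(' ')} takes precedence over X-Frame-Options`);
  } else if (xfo === null) {
    verdict = 'vulnerable';
    findings.push('final response carries neither X-Frame-Options nor frame-ancestors');
  } else if (xfo.directive === 'DENY') {
    verdict = 'not vulnerable';
  } else if (xfo.directive === 'SAMEORIGIN') {
    verdict = pageOrigin === framer ? 'vulnerable' : 'not vulnerable';
  } else if (xfo.directive === 'ALLOW-FROM') {
    verdict = xfo.origin === framer ? 'vulnerable' : 'not vulnerable';
    findings.push('ALLOW-FROM is obsolete; browsers that never implemented it ignore the header and allow framing');
  } else {
    verdict = 'inconclusive';
    findings.push(`X-Frame-Options "${xfo.raw}" is not one valid directive; fix the header rather than rely on browser fallback`);
  }
  if (FRAME_BUSTER_RE.test(final.body || '')) findings.push('frame-busting script in body: script-only defence, not credited by a header-based scan');
  return { verdict, finalUrl: final.url, findings };
}

// Constructed chain, not a real capture: a plain-HTTP request redirected to
// HTTPS, where only the final response carries X-Frame-Options.
const SAMPLE_CHAIN = [
  { url: 'http://www.example.org/account', status: 302, headers: { location: 'https://www.example.org/account' }, body: '' },
  { url: 'https://www.example.org/account', status: 200, headers: { 'x-frame-options': 'SAMEORIGIN' },
    body: '<style id="antiClickjack">body{display:none !important;}</style><p>account page</p>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessClickjacking(SAMPLE_CHAIN, 'https://attacker.example'));
}
```

Run it with node to print the verdict for the constructed chain; to check a real site, replace SAMPLE_CHAIN with the hops captured through a proxy or with curl -iL. The same chain yields "inconclusive" if only the 302 hop is handed in, which is the q4 situation: a scanner that stops at the redirect and one that follows it to the other server report different things, and neither is lying.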
