Any other way to protect against Clickjacking besides IPS signatures & X-Frame-Options; freeware to test a URL for clickjacking

I came across a few servers on which I did not deploy IPS (both network & endpoint IPS) clickjacking
signatures, & X-Frame-Options is not coded in the web servers either.

However, a security consultant scanned them & claims that the URLs / websites are not vulnerable.


Q1:
Is there any other means, say at the application level or some other coding, that could mitigate
against clickjacking to the extent that the security scanner reports it as non-vulnerable?
sunhux asked:
btan (Exec Consultant) commented:
If you catch this and embed the code, you can test if the page is vulnerable to clickjacking, as you have allowed the web page to be framed from another domain (not under you): https://www.codemagi.com/blog/post/196
OWASP has a cheat sheet for defending against clickjacking which includes the per-page level, but in short it states:
There are two main ways to prevent clickjacking:
Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
Employing defensive code in the UI to ensure that the current frame is the most top level window
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Implementation
sunhux (Author) commented:
Read through the OWASP URL, still rather clueless.

Q2:
So can it be summarized that if there's no IPS (network or endpoint) in
place, X-frame-options is bound to be found somewhere (at the page
level or at the web server's config file) for those non-vulnerable sites?

Q3:
If it's at page level, at which page usually will people code it?  At
index.html?

Q4:
Any chance that a redirected page, i.e. one that a web server redirected
to another server or a DMS (DDoS Mitigation Service), could explain
such sites being non-vulnerable to clickjacking (as reported by the
scanner)?

Q5:
As the same scanner is used, presumably it can't be the scanner's
fault, reporting certain sites correctly while reporting some other
sites incorrectly?
sunhux (Author) commented:
Or at which page & location can I locate the following code?
(I'll do a grep/find for 'anticlickjack')

<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:

<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>
btan (Exec Consultant) commented:
Q2. Yes, X-Frame-Options is an HTTP header; it has to come from the web service per se (of course I am assuming there is no false injection along the path, as any device, such as a proxy, can attempt to add in such a header...)

Q3. On critical pages that need to assure that it is what is clicked by the user. See the MS best practices:
1. Send the content as an HTTP header – the directive is ignored if specified in a META tag
2. Use X-Frame-Options on critical configuration pages or other pages that require an "authentic user click"
3. Don't use "sameorigin" if you have any page on your domain which accepts an arbitrary URL to frame
Q4. Browsers should not apply X-Frame-Options restrictions for HTTP redirects (status codes 301, 302, etc.), and if you check RFC 7034, it states that the HTTP response header is to allow a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A).

Q5. I believe it has nothing to do with the scanner if it simulates a true browser and respects the response if the options header is returned... but it should be the same thinking as Q4.

As for where to best place the anti-clickjack JS, it is inside each page, to verify that there are no transparent layers, especially with those pages that have "clickable" buttons. See the Visa example implementation.
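An added example (not part of this thread or of any project it cites): a small Python checker that applies the points above the way a scanner would, judging only real HTTP headers and only on the final page of a redirect chain. The verdict labels and the sample headers used in its checks are constructed for this example; fetch_chain needs network access, while the classification functions run offline on captured headers.

```python
import urllib.parse
import urllib.request
from urllib.error import HTTPError

def clickjacking_status(status, headers):
    """Classify one response as 'redirect', 'protected', 'partial' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if 300 <= status < 400 and "location" in h:
        # Browsers do not enforce framing rules on a 3xx hop; the landing page decides.
        return "redirect"
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources and sources != ["*"]:
                return "protected"  # 'none', 'self' or an explicit allow-list
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        return "partial"  # obsolete value, ignored by most current browsers
    return "unprotected"  # no usable header; a <meta> X-Frame-Options would not count

def chain_status(chain):
    """Verdict for the final hop of a redirect chain [(status, headers), ...]."""
    for status, headers in chain:
        verdict = clickjacking_status(status, headers)
        if verdict != "redirect":
            return verdict
    return "redirect"  # chain exhausted without reaching a final page

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as an HTTPError instead

def fetch_chain(url, max_hops=5):
    """Collect (status, headers) for each hop of a live URL (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = []
    for _ in range(max_hops):
        try:
            resp = opener.open(url, timeout=10)
            status, msg = resp.getcode(), resp.headers
        except HTTPError as err:  # raised for 3xx (not followed) and 4xx/5xx
            status, msg = err.code, err.headers
        chain.append((status, dict(msg)))
        if not (300 <= status < 400 and msg.get("Location")):
            break
        url = urllib.parse.urljoin(url, msg.get("Location"))
    return chain
```

Run `chain_status(fetch_chain("https://host-to-check.example/"))` against a site the consultant reported as non-vulnerable; a "protected" verdict only after a "redirect" hop is the Q4 situation, where the header lives on the server the redirect lands on rather than on the original one.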