Solved

Any other way to protect against clickjacking besides IPS signatures & X-Frame-Options; freeware to test a URL for clickjacking

Posted on 2014-11-14
4
256 Views
Last Modified: 2014-11-18
I came across a few servers on which I did not deploy IPS (both network & endpoint IPS) clickjacking
signatures, and X-Frame-Options is not coded in the web servers either.

However, a security consultant scanned them & claims that the URLs / websites are not vulnerable.


Q1:
Is there any other means, say at the application level or some other coding, that could mitigate
against clickjacking to the extent that a security scanner reports it as non-vulnerable?
0
Question by:sunhux
4 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40444097
If you catch this and embed the code, you can test if the page is vulnerable to clickjacking, as you have allowed the webpage to be framed from another domain (not under you): https://www.codemagi.com/blog/post/196
OWASP has a cheat sheet for defending against clickjacking which includes per-page level defences, but in short it states:
There are two main ways to prevent clickjacking:
1. Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
2. Employing defensive code in the UI to ensure that the current frame is the most top-level window
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Implementation
0
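The original question also asked for a free way to test a URL for clickjacking. The following is an added example (not code from this thread, from OWASP, or from the linked codemagi page) that evaluates a response's headers the way a scanner would before reporting "not vulnerable": it looks for the X-Frame-Options header btan mentions and, going beyond the thread, also for the newer Content-Security-Policy frame-ancestors directive, which browsers honour in preference to X-Frame-Options. The header sets used below are constructed for illustration; fetch_headers() is an assumed helper for pointing the same check at a live URL.

```python
"""Classify a web response's header-level defence against clickjacking.

Added example for this thread; the sample header sets are constructed.
"""
from urllib.request import Request, urlopen

XFO_SAFE = {"DENY", "SAMEORIGIN"}


def framing_defence(headers):
    """Return {"protected", "mechanisms", "notes"} for a list of (name, value) header pairs.

    protected  - True if a browser honouring the headers refuses cross-origin framing
    mechanisms - "xfo" and/or "csp", in the order they were found
    notes      - human-readable findings, useful when a scanner and a colleague disagree
    """
    result = {"protected": False, "mechanisms": [], "notes": []}
    # Header names are case-insensitive and a server may emit the same header twice.
    xfo_values = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    csp_values = [v for n, v in headers if n.lower() == "content-security-policy"]

    distinct = {v.upper() for v in xfo_values}
    if len(distinct) > 1:
        # RFC 7034 leaves conflicting values undefined; browsers differ, so do not rely on it.
        result["notes"].append("conflicting X-Frame-Options values; browser behaviour is inconsistent")
    elif distinct:
        value = distinct.pop()
        if value in XFO_SAFE:
            result["protected"] = True
            result["mechanisms"].append("xfo")
            result["notes"].append(f"X-Frame-Options: {value} blocks framing by other origins")
        elif value.startswith("ALLOW-FROM"):
            result["notes"].append("X-Frame-Options ALLOW-FROM is ignored by several browsers; not reliable")
        else:
            result["notes"].append(f"X-Frame-Options value {value!r} is not recognised and is ignored")

    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if not tokens or tokens[0].lower() != "frame-ancestors":
                continue
            sources = tokens[1:]
            # "*" or a bare scheme such as "https:" lets any site on that scheme frame the page.
            if "*" in sources or any(s.endswith(":") for s in sources):
                result["notes"].append("frame-ancestors allows any origin: " + " ".join(sources))
            else:
                # An empty source list is equivalent to 'none'.
                result["protected"] = True
                result["mechanisms"].append("csp")
                result["notes"].append("CSP frame-ancestors restricts framing to: " + (" ".join(sources) or "'none'"))

    if not result["mechanisms"]:
        result["notes"].append("no header-level framing defence found; check for frame-busting script in the page")
    return result


def fetch_headers(url, timeout=10):
    """Assumed helper: fetch url, following redirects as a browser would, and return
    (final_url, header pairs). Needs network access; not used by the offline demo below."""
    req = Request(url, headers={"User-Agent": "framing-check/0.1"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), list(resp.headers.items())


if __name__ == "__main__":
    # Constructed responses: one protected by X-Frame-Options, one by CSP, one by nothing.
    for label, hdrs in [
        ("xfo site", [("Content-Type", "text/html"), ("X-Frame-Options", "sameorigin")]),
        ("csp site", [("content-security-policy", "default-src 'self'; frame-ancestors 'none'")]),
        ("bare site", [("Content-Type", "text/html")]),
    ]:
        print(label, framing_defence(hdrs))
```

Because fetch_headers() follows redirects, the headers it returns belong to the final page, which is what a browser would render and what the scanner's verdict is about.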
 

Author Comment

by:sunhux
ID: 40444381
Read through the OWASP URL, still rather clueless.

Q2:
So can it be summarized that if there's no IPS (network or endpoint) in
place, X-Frame-Options is bound to be found somewhere (at the page
level or in the web server's config file) for those non-vulnerable sites?

Q3:
If it's at page level, at which page usually will people code it?  At
index.html?

Q4:
Any chance that a redirected page, i.e. one that a web server
redirected to another server or a DMS (DDoS Mitigation Service),
could explain such sites being non-vulnerable to
clickjacking (as reported by the scanner)?

Q5:
As the same scanner is used, presumably it can't be the scanner's
fault, reporting certain sites correctly while reporting
some other sites incorrectly?
0
 

Author Comment

by:sunhux
ID: 40444384
Or at which page & location can I locate the following code?
(I'll do a grep/find of 'antiClickjack')

<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:

<script type="text/javascript">
   // Only when this window is the top-level window is the page shown;
   // the hiding style is removed so the body becomes visible.
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       // Framed by another page: break out of the frame and load ourselves at top level.
       top.location = self.location;
   }
</script>
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 40444412
q2. Yes, X-Frame-Options is an HTTP header; it has to come from the web service per se (of course I am assuming there is no false injection along the path, as any device in between can attempt to add such a header, like a proxy..)

q3. On critical pages that need to assure that what is clicked is what the user intended. See MS best practices:
1. Send the content as an HTTP Header – the directive is ignored if specified in a META tag
2. Use X-Frame-Options on critical configuration pages or other pages that require an "authentic user click"
3. Don't use "sameorigin" if you have any page on your domain which accepts an arbitrary URL to frame
q4. Browsers should not apply X-Frame-Options restrictions for HTTP redirects (status codes 301, 302, etc.), and if you check RFC 7034, it states the HTTP response header is to allow a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A).

q5. I believe it has nothing to do with the scanner if it simulates a true browser and respects the response when the option header is returned... but it should be the same thinking as q4.

As for where to best place the anti-clickjack JS, it is inside each page, to verify that there are no transparent layers, and especially on those pages that have a "clickable" button. See the Visa example implementation.
0
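btan's answer to q2 and q3 is that the header is an HTTP header, set by the web service rather than in page markup. An added example of what that looks like at the application layer (not btan's, Microsoft's or OWASP's code): a WSGI middleware that stamps X-Frame-Options and a CSP frame-ancestors directive onto every response, including redirects, so that the header is genuinely in the HTTP response and not in a META tag that browsers ignore. The demo_app routes (/ , /old and /admin) and the SAMEORIGIN default are constructed for illustration; a page that needs a stricter policy, like the "critical configuration page" in the MS list, sets its own DENY and the middleware leaves it alone.

```python
"""Set anti-clickjacking headers at the application layer, for every response.

Added example for this thread; demo_app and its routes are constructed.
"""
from wsgiref.simple_server import make_server

# Defaults applied to any response that does not already carry the header.
FRAMING_HEADERS = [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "frame-ancestors 'self'"),
]


class FramingProtection:
    """WSGI middleware: append framing headers unless the wrapped app already set them."""

    def __init__(self, app, headers=FRAMING_HEADERS):
        self.app = app
        self.headers = headers

    def __call__(self, environ, start_response):
        def guarded_start_response(status, response_headers, exc_info=None):
            response_headers = list(response_headers)
            present = {name.lower() for name, _ in response_headers}
            for name, value in self.headers:
                if name.lower() not in present:
                    response_headers.append((name, value))
            return start_response(status, response_headers, exc_info)

        return self.app(environ, guarded_start_response)


def demo_app(environ, start_response):
    """Constructed app: / serves a page with a button, /old redirects to /,
    /admin is a critical page that chooses DENY for itself."""
    path = environ.get("PATH_INFO", "/")
    if path == "/old":
        start_response("302 Found", [("Location", "/")])
        return [b""]
    if path == "/admin":
        body = b"<html><body><button>Change admin password</button></body></html>"
        start_response("200 OK", [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")])
        return [body]
    body = b"<html><body><button>Confirm transfer</button></body></html>"
    start_response("200 OK", [("Content-Type", "text/html"), ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, path):
    """Drive a WSGI app for one GET offline; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


def serve(port=8000):
    """Serve the protected demo app locally so a browser or the header check can hit it."""
    make_server("127.0.0.1", port, FramingProtection(demo_app)).serve_forever()


if __name__ == "__main__":
    for path in ("/", "/old", "/admin"):
        status, headers, _ = run_request(FramingProtection(demo_app), path)
        print(path, status, headers)
```

The same idea applies to a reverse proxy or web server config (an add_header/Header directive at the site level); the point is the same as btan's: the header arrives in the HTTP response for every page, and the per-page frame-busting script is a second layer for pages with clickable actions.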
