Solved

Any other way to protect against Clickjacking besides IPS signatures & X-frame-options ; freeware to test URL for clickjackg

Posted on 2014-11-14
254 Views
Last Modified: 2014-11-18
I came across a few servers on which I did not deploy IPS (both network & endpoint IPS) clickjacking
signatures, & X-Frame-Options is not coded in the web servers either.

However, a security consultant scanned & claims that the URLs / websites are not vulnerable.


Q1:
Is there any other means, say at the application level or some other coding, that could mitigate
clickjacking to the extent that the security scanner reports it as non-vulnerable?
Question by:sunhux
4 Comments
 
LVL 62

Accepted Solution

by: btan (earned 500 total points)
ID: 40444097
If you catch this and embed the code, you can test if the page is vulnerable to clickjacking, as you have allowed the webpage to be framed from another domain (not under you): https://www.codemagi.com/blog/post/196
OWASP has a cheat sheet for defending against clickjacking which includes the per-page level, but in short it states:
There are two main ways to prevent clickjacking:
1. Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
2. Employing defensive code in the UI to ensure that the current frame is the most top-level window
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Implementation
 

Author Comment

by:sunhux
ID: 40444381
Read through the OWASP URL, still rather clueless.

Q2:
So can it be summarized that if there's no IPS (network or endpoint) in
place, X-Frame-Options is bound to be found somewhere (at the page
level or in the web server's config file) for those non-vulnerable sites?

Q3:
If it's at page level, in which page do people usually code it? In
index.html?

Q4:
Any chance that a redirected page (i.e. from a web server it was
redirected to another server or a DMS (DDoS Mitigation Service))
could explain such sites being non-vulnerable to
clickjacking (as reported by the scanner)?

Q5:
As the same scanner is used, presumably it can't be the scanner's
fault, reporting certain sites correctly while reporting
some other sites incorrectly.
 

Author Comment

by:sunhux
ID: 40444384
Or at which page & location can I locate the following code?
(I'll do a grep/find of 'anticlickjack')

<!-- Hide the whole body by default, so a framed copy shows nothing clickable -->
<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:

<script type="text/javascript">
   if (self === top) {
       // Not framed: remove the hiding style so the page renders normally
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       // Framed by another page: break out of the frame
       top.location = self.location;
   }
</script>
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 40444412
Q2. Yes, X-Frame-Options is an HTTP header; it has to come from the web service per se (of course I am assuming there is no false injection along the path, as any device, e.g. a proxy, can attempt to add such a header..)

Q3. On critical pages that need to assure that what is clicked is what the user intended. See MS best practices:
1. Send the content as an HTTP header – the directive is ignored if specified in a META tag
2. Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”
3. Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL to frame
Q4. Browsers should not apply X-Frame-Options restrictions for HTTP redirects (status codes 301, 302, etc.), and if you check RFC 7034, it states the HTTP response header is to allow a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A).

Q5. I believe it has nothing to do with the scanner if it simulates a true browser and respects the response if the option header is returned... but it should be the same thinking as Q4.

As for where best to place the anti-clickjack JS, it is inside each page, to verify that there are no transparent layers, esp. on those pages that have "clickable" buttons. See the Visa example implementation.
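A header-level check of the kind both answers above describe, as an added example (not code from the thread, OWASP or Microsoft): it classifies a response by its X-Frame-Options or CSP frame-ancestors header, flags a META-tag copy as ineffective (MS practice 1), and judges only the final hop of a redirect chain (Q4). The function names and the sample responses are constructed for this example.

```python
import re
import urllib.request

# Constructed sample responses (not from any real site): a page with X-Frame-Options
# only in a META tag, and a redirect chain whose 302 hop carries the header but
# whose final page does not.
META_ONLY_BODY = '<html><head><meta http-equiv="X-Frame-Options" content="DENY"></head></html>'
REDIRECT_CHAIN = [(302, {"Location": "/home", "X-Frame-Options": "DENY"}, ""),
                  (200, {"Content-Type": "text/html"}, "<html><body>home</body></html>")]

def assess_framing(headers, body=""):
    """Classify one non-redirect response as protected / weak / vulnerable.
    headers: dict of response header names to values (any letter case)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # A CSP frame-ancestors directive takes precedence over X-Frame-Options where supported.
    m = re.search(r"frame-ancestors\s+([^;]+)", h.get("content-security-policy", ""), re.I)
    if m:
        return "protected", "CSP frame-ancestors " + m.group(1).strip()
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + xfo
    if xfo:  # ALLOW-FROM or a misspelling: not honoured consistently across browsers
        return "weak", "unreliable X-Frame-Options value: " + xfo
    # MS best practice 1 from the thread: a META copy of the header is ignored by browsers.
    if re.search(r"<meta[^>]+x-frame-options", body, re.I):
        return "vulnerable", "X-Frame-Options only in a META tag (ignored)"
    return "vulnerable", "no framing restriction header"

def assess_chain(hops):
    """hops: list of (status, headers, body), one per response in a redirect chain.
    Only the last hop counts: per Q4, X-Frame-Options on a 30x response does not
    protect the page the browser finally renders."""
    status, headers, body = hops[-1]
    if 300 <= status < 400:
        return "inconclusive", "chain ends in a redirect; follow it first"
    return assess_framing(headers, body)

def check_url(url):
    """Live check for the 'freeware to test a URL' part of the question:
    urllib follows redirects itself, so the final response is what gets assessed."""
    with urllib.request.urlopen(url) as resp:
        body = resp.read(65536).decode("utf-8", "replace")
        return assess_framing(dict(resp.headers.items()), body)

if __name__ == "__main__":
    print(assess_framing({"Content-Type": "text/html"}, META_ONLY_BODY))
    print(assess_chain(REDIRECT_CHAIN))
```

A scanner that follows redirects and only reads the final response will report a site as non-vulnerable whenever that final page (or an intermediary such as a proxy or DDoS mitigation service) adds the header, which is the Q4/Q5 situation.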
