Solved

Any other way to protect against clickjacking besides IPS signatures & X-Frame-Options; freeware to test a URL for clickjacking

Posted on 2014-11-14
Last Modified: 2014-11-18
I came across a few servers on which I did not deploy IPS (both network & endpoint IPS) clickjacking
signatures, and X-Frame-Options is not coded in the web servers either.

However, a security consultant scanned them & claims that the URLs / websites are not vulnerable.


Q1:
Is there any other means, say at the application level or some other coding, that could mitigate
against clickjacking to the extent that a security scanner reports it as non-vulnerable?
Question by: sunhux

4 Comments

Accepted Solution

by: btan (earned 500 total points)
ID: 40444097
If you catch this and embed the code, you can test whether the page is vulnerable to clickjacking, as you have allowed the web page to be framed from another domain (not under you): https://www.codemagi.com/blog/post/196
OWASP has a cheat sheet for defending against clickjacking which includes per-page level advice, but in short it states:
There are two main ways to prevent clickjacking:
1. Sending the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains
2. Employing defensive code in the UI to ensure that the current frame is the most top-level window
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Implementation

Author Comment

by: sunhux
ID: 40444381
Read through the OWASP URL, still rather clueless.

Q2:
So can it be summarized that if there's no IPS (network or endpoint) in
place, X-Frame-Options is bound to be found somewhere (at the page
level or in the web server's config file) for those non-vulnerable sites?

Q3:
If it's at page level, on which page do people usually code it? In
index.html?

Q4:
Any chance that a redirected page, i.e. one that a web server
redirected to another server or to a DMS (DDoS Mitigation Service),
could explain such sites being non-vulnerable to
clickjacking (as reported by the scanner)?

Q5:
As the same scanner is used, presumably it can't be the scanner's
fault, reporting certain sites correctly while reporting
some other sites incorrectly?

Author Comment

by: sunhux
ID: 40444384
Or on which page & at which location can I find the following code?
(I'll do a grep/find for 'antiClickjack')

<style id="antiClickjack">body{display:none !important;}</style>
And then delete that style by its ID immediately after in the script:

<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>

Assisted Solution

by: btan (earned 500 total points)
ID: 40444412
q2. Yes, X-Frame-Options is an HTTP header; it has to come from the web service per se (of course I am assuming there is no false injection along the path, as any device such as a proxy can attempt to add such a header..).

q3. On the critical pages that need assurance that what is clicked is what the user intended. See the MS best practices:
1. Send the content as an HTTP header – the directive is ignored if specified in a META tag
2. Use X-Frame-Options on critical configuration pages or other pages that require an “authentic user click”
3. Don’t use “sameorigin” if you have any page on your domain which accepts an arbitrary URL to frame

q4. Browsers should not apply X-Frame-Options restrictions for HTTP redirects (status codes 301, 302, etc.), and if you check RFC 7034, it states that the HTTP response header allows a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A).

q5. I believe it has nothing to do with the scanner if it simulates a true browser and respects the response when the option header is returned... but it should be the same thinking as q4.

As for where to best place the anti-clickjack JS, it is inside each page, to verify that there are no transparent layers, especially on those pages that have "clickable" buttons. See the Visa example implementation.
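The thread asks two things the answers above only describe in words: how to tell from a site's response headers whether the browser will refuse to frame it (q2, q4, q5), and how to build the framing test page the accepted solution links to. The script below is an added example for this thread, not code from the original posts, from OWASP or from the codemagi.com page. It goes beyond the thread in one way: besides X-Frame-Options it also recognises the Content-Security-Policy frame-ancestors directive, the standard that later replaced X-Frame-Options and that a current scanner also checks. All host names and sample headers are constructed, not captured from any real site.

```python
"""Assess response headers for browser-enforced anti-framing controls
and generate a framing test page.

Added example for this thread (not from the original posts, OWASP or
codemagi.com). SAMPLES below are constructed, not real captures.
"""
import html
import urllib.request


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def _frame_ancestors(csp):
    """Source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers):
    """Return {'protected': bool, 'mechanism': str, 'notes': [str]}.

    Mirrors browser rules: an enforced CSP frame-ancestors directive takes
    precedence over X-Frame-Options; a Report-Only policy enforces nothing;
    X-Frame-Options must be exactly DENY or SAMEORIGIN.
    """
    h = _lower_keys(headers)
    notes = []

    enforced = h.get("content-security-policy")
    if enforced is not None:
        sources = _frame_ancestors(enforced)
        if sources is not None:
            # '*' or a bare scheme admits every origin; 'none', 'self' or
            # explicit hosts restrict who may embed the page.
            open_to_all = not sources or any(
                s in ("*", "http:", "https:", "http://*", "https://*") for s in sources)
            if open_to_all:
                notes.append("frame-ancestors %r allows any origin" % " ".join(sources))
            return {"protected": not open_to_all,
                    "mechanism": "CSP frame-ancestors", "notes": notes}

    report_only = h.get("content-security-policy-report-only")
    if report_only is not None and _frame_ancestors(report_only) is not None:
        notes.append("frame-ancestors only in a Report-Only policy: reported, not enforced")

    xfo = h.get("x-frame-options")
    if xfo is None:
        notes.append("no X-Frame-Options header")
        return {"protected": False, "mechanism": "none", "notes": notes}

    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if len(values) != 1:
        # Differing values: browser handling varies, so count it as no protection.
        notes.append("conflicting X-Frame-Options values: %s" % ", ".join(sorted(values)))
        return {"protected": False, "mechanism": "X-Frame-Options (invalid)", "notes": notes}

    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "X-Frame-Options", "notes": notes}
    if value.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM was never honoured by Chrome or Safari; they treat "
                     "it as an invalid header and allow framing")
        return {"protected": False, "mechanism": "X-Frame-Options (ALLOW-FROM)", "notes": notes}
    notes.append("unrecognised X-Frame-Options value %r; browsers ignore it" % value)
    return {"protected": False, "mechanism": "X-Frame-Options (invalid)", "notes": notes}


def fetch_final_headers(url, timeout=10):
    """Follow redirects as a browser does; return (final_url, headers).
    Only the final response counts: a header on a 301/302 is never applied
    because the redirect body is never rendered (q4 above)."""
    req = urllib.request.Request(url, headers={"User-Agent": "framing-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), dict(resp.headers.items())


def framing_test_page(url):
    """HTML that frames the target, like the linked codemagi.com test page.
    Open it from another origin: the target renders inside the iframe only
    if the browser found no enforced anti-framing header."""
    target = html.escape(url, quote=True)
    return ('<!doctype html><html><body><h1>Clickjacking framing test</h1>'
            '<iframe src="%s" width="800" height="600"></iframe></body></html>' % target)


# Constructed sample responses for offline use (not real captures).
SAMPLES = {
    "no-header": {"Content-Type": "text/html"},
    "xfo-sameorigin": {"Content-Type": "text/html", "x-frame-options": "SAMEORIGIN"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "xfo-conflict": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "csp-report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python framing_check.py https://site.example/login
        final_url, hdrs = fetch_final_headers(sys.argv[1])
        print(final_url, assess_framing(hdrs))
        print(framing_test_page(final_url))
    else:
        for name, hdrs in SAMPLES.items():
            print("%-16s %s" % (name, assess_framing(hdrs)))
```

Run it with a URL to get the verdict for the final response after redirects, plus an HTML page you can save and open from a different origin (a local file is enough) to see whether the site really loads inside a frame; this is the same check the linked test page performs by hand, and a scanner that flags a site as non-vulnerable should be reporting one of the two header mechanisms above rather than the JavaScript frame-buster, which a scanner cannot see without executing the page.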
