Wednesday 19 November 2014

Click Jacking


This attack, also known as a "UI redress attack", is when an attacker uses multiple transparent layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Impacts of Click Jacking
  • Naive users can be tricked into performing actions such as placing orders, changing settings, or adding/deleting/modifying data without their knowledge
  • Frequently used against social network websites like Facebook and Twitter, because the attack depends on convincing the victim to click a link, and social networks are a very effective channel for reaching victims
Prevention of Click Jacking
There are two main ways to prevent clickjacking:
1: Sending the proper X-Frame-Options HTTP response header, which instructs the browser not to allow framing from other domains
2: Employing defensive code in the UI to ensure that the current frame is the top-level window

1: X-Frame-Options (add the X-Frame-Options header to all parts of the application). Code snippets (X-Frame-Options in HTTP headers):
In Java
 // to prevent all framing of this content
 response.addHeader( "X-FRAME-OPTIONS", "DENY" );
 // to allow framing of this content only by this site
 response.addHeader( "X-FRAME-OPTIONS", "SAMEORIGIN" );

In Php
<?php
header("X-Frame-Options: SAMEORIGIN");
?>

In .Net

In the Application_BeginRequest method of the global.asax file:
void Application_BeginRequest(object sender, EventArgs e)
{
    // header names are case-insensitive, so "x-frame-options" is equivalent to "X-Frame-Options"
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}

2: Frame Busting Code

Works in all cases

<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
   if (self === top) {
       // not framed: reveal the page by removing the hiding style
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       // framed: break out of the frame by navigating the top window to this page
       top.location = self.location;
   }
</script>


Simple Test to Check an Application for Clickjacking

Save the following as an HTML file and open it in a browser; if the target page renders inside the frame, it can be framed.

<HTML>
<BODY>
<H1>Clickjacking Test</H1>
<IFRAME SRC="Url of Target website" HEIGHT="700" WIDTH="700"></IFRAME>
</BODY>
</HTML>
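As an added example that is not part of the original post, the check below automates the manual iframe test above against the headers from the prevention section: it classifies a response's X-Frame-Options value (browsers honour only DENY and SAMEORIGIN) and also recognises the Content-Security-Policy frame-ancestors directive, the newer control that browsers prefer when both headers are present. The sample header sets are constructed, not real captures.

```python
# Added example, not from the original post: classify a response's
# clickjacking protection from its headers, covering the X-Frame-Options
# values the post recommends plus CSP frame-ancestors, which browsers
# honour in preference to X-Frame-Options when both are present.

VALID_XFO = {"DENY", "SAMEORIGIN"}  # the only values current browsers honour

def _get_all(headers, name):
    """Every value of header `name`; header names are case-insensitive."""
    return [v.strip() for n, v in headers if n.lower() == name.lower()]

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def assess_framing_protection(headers):
    """Return (protected, reason) for a list of (name, value) header pairs."""
    for csp in _get_all(headers, "Content-Security-Policy"):
        sources = frame_ancestors(csp)
        if sources is None:
            continue
        if "*" in sources:
            return False, "CSP frame-ancestors contains '*': any site may frame"
        if not sources or sources == ["none"]:
            return True, "CSP frame-ancestors 'none'"
        return True, "CSP frame-ancestors restricted to an allow-list"
    xfo = _get_all(headers, "X-Frame-Options")
    if not xfo:
        return False, "neither X-Frame-Options nor CSP frame-ancestors is set"
    if len({v.upper() for v in xfo}) > 1:
        return False, f"conflicting X-Frame-Options values {xfo}; send exactly one"
    value = xfo[0].upper()
    if value in VALID_XFO:
        return True, f"X-Frame-Options {value}"
    # ALLOWALL and ALLOW-FROM are common mistakes that browsers do not support
    return False, f"X-Frame-Options {xfo[0]!r} is not DENY or SAMEORIGIN"

# Constructed sample responses (not real captures) for a quick self-check.
SAMPLES = {
    "php_snippet": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "unprotected": [("Content-Type", "text/html")],
    "bad_value": [("x-frame-options", "ALLOWALL")],
    "csp": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
}
```

Feed it the header list from any HTTP client (for example the `headers.items()` of a `urllib` response) to get a verdict for a real page.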
