The Security Issue:
Our managed hosting service (https://bnshosting.net) sees clients victimized by clickjacking attacks. Sucuri.net defines clickjacking, also known as “UI redress,” as a type of attack that tricks users into clicking a button or link on a webpage that they did not intend to click.
Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page but in fact they are clicking an invisible element in the additional page transposed on top of it.
The invisible page could be a malicious page, or a legitimate page the user did not intend to visit — for example, a page on the user’s banking site that authorizes the transfer of money. — (Source: https://www.imperva.com/learn/application-security/clickjacking/)
In the example cited by Imperva, the clickjacking diverts you to a fake login page that looks exactly like the banking website. Once you enter your credentials in the fake website, hackers capture and use the stolen credentials to withdraw your money from your account.
Some Options to defeat Malicious ClickJacking
Sucuri (https://blog.sucuri.net/2022/09/what-is-clickjacking-and-how-do-i-prevent-it.html) identifies some steps to defeat clickjacking. One of the most effective ways to prevent clickjacking is to use the “X-Frame-Options” HTTP response header.
The X-Frame-Options header controls whether or not a website can be embedded in a frame or iframe. By setting the header to “SAMEORIGIN,” a website can only be embedded in a frame or iframe on the same domain. This means that an attacker cannot embed the website in a malicious webpage and trick users into clicking on it.
Other X-Frame-Options values outlined by OWASP (https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html) include DENY, which prevents any domain from framing the content, and ALLOW-FROM uri, which permits only the specified URI to frame the page.
In addition to setting the X-Frame-Options header, it is also important to validate the origin of incoming requests. This can be done by checking the “Origin” and “Referer” headers of the request to ensure that they match the expected origin.
Another option for preventing clickjacking is to use a Content Security Policy (CSP) header. CSP allows you to specify which sources of content are allowed to be loaded on your website. This can include scripts, images, and iframes. This makes it harder for an attacker to inject malicious content into your website.
It’s important to note that while the X-Frame-Options header and CSP are both effective at preventing clickjacking, they should not be used as a substitute for other security measures such as input validation, authentication, and access controls. These measures should always be used in conjunction with each other to provide the best possible protection against clickjacking and other web-based attacks.
How to enable X-Frame-Options
A web developer can specify the X-Frame-Options header and set it to “SAMEORIGIN” in the HTTP response of a webpage. The exact location and method for setting the header will depend on the web development framework and server-side programming language being used.
For Apache web server, the X-Frame-Options header can be set using the mod_headers module. A developer would add the following line to the server’s configuration file (usually located at /etc/httpd/conf/httpd.conf):
In the case of NGINX, the X-Frame-Options header can be set in the server block of the configuration file (usually located at /etc/nginx/nginx.conf). A developer would add the following line to the server block:
For server-side programming languages such as PHP, the X-Frame-Options header can be set by adding the following line of code to the PHP script:
In case of using a framework such as Express.js in Node.js, you can set the X-Frame-Options header like this:
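Whichever server or framework sets the header, what matters is what the browser actually receives. As an added example, not code from the original post, the following script parses a raw HTTP response and classifies its framing protection: the SAMEORIGIN, DENY and ALLOW-FROM values discussed above, plus the CSP frame-ancestors directive, which current browsers honour in preference to X-Frame-Options (and which should replace the obsolete ALLOW-FROM). The sample response in the block is constructed, not captured from any real host.

```python
# Added example (not code from the original post): classify the clickjacking
# defences a server actually sends, from its raw HTTP response headers.
from typing import Dict, List, Optional

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to values; the first line is the status line."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break                      # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(headers: Dict[str, List[str]]) -> Optional[List[str]]:
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.strip("'").lower() for p in parts[1:]]
    return None

def assess_framing(raw: str) -> dict:
    """Return {'protected': bool, 'mechanism': str, 'notes': [str]}."""
    h, notes = parse_headers(raw), []
    sources = frame_ancestors(h)
    if sources is not None:
        # Browsers that support frame-ancestors honour it and ignore X-Frame-Options.
        if "x-frame-options" in h:
            notes.append("CSP frame-ancestors takes precedence over X-Frame-Options")
        if "*" in sources:
            notes.append("frame-ancestors * lets any site frame the page")
        return {"protected": "*" not in sources, "mechanism": "csp", "notes": notes}
    values = {v.strip().upper() for v in h.get("x-frame-options", [])}
    if not values:
        notes.append("no X-Frame-Options or frame-ancestors sent")
        return {"protected": False, "mechanism": "none", "notes": notes}
    if len(values) > 1:
        notes.append("conflicting X-Frame-Options values; send exactly one")
    elif (value := values.pop()) in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "x-frame-options", "notes": notes}
    elif value.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is obsolete in current browsers; use frame-ancestors")
    else:
        notes.append("unrecognised X-Frame-Options value: " + value)
    return {"protected": False, "mechanism": "x-frame-options", "notes": notes}

# Constructed sample response (not captured from any real host).
SAMPLE = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n"
```

Run `assess_framing` on the output of `curl -si` against your own site to confirm the header survives any proxies or CDN layers in front of the origin.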
In summary, the use of the X-Frame-Options header is a vital step in preventing clickjacking attacks and protecting your website from malicious actors. It is important to always validate the origin of incoming requests and to use a CSP header in addition to X-Frame-Options for better security.
As usual, I’d like to hear your thoughts on the subject and share your experiences on this.