|
|
(51 intermediate revisions by 12 users not shown) |
Line 1: |
Line 1: |
− | = Clickjacking Defense Introduction = | + | __NOTOC__ |
| + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
| | | |
− | This cheat sheet is focused on providing developer guidance on Clickjack/UI Redress attack prevention. For more information on the risk of Clickjacking, please visit [https://www.owasp.org/index.php/Clickjacking this page].
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | The most popular way to defend against clickjacking is to include some sort of "frame-breaking" functionality which prevents other web pages from framing the site you wish to defend. This cheat sheet will discuss two methods of implementing frame-braking; via X-FRAME-OPTIONS headers (if the browser or browsers in question support it) and via javascript "frame-breaking" code.
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html Clickjacking Defense Cheat Sheet] to see the latest version of the cheat sheet. |
− | | |
− | = Defending with X-FRAME-OPTIONS response headers =
| |
− | | |
− | The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
| |
− | | |
− | === X-FRAME-OPTION Header Types ===
| |
− | | |
− | There are three types of X-FRAME-OPTIONS headers.
| |
− | * The first is X-FRAME-OPTIONS <b>DENY</b>, which prevents any domain from framing the content.
| |
− | * The second option is X-FRAME-OPTIONS <b>SAMEORIGIN</b>, which only allows the current site to frame the content.
| |
− | * The third, is the X-FRAME-OPTIONS <b>ALLOW-FROM</b> 'sitename' header, which permits the specified 'sitename' to frame this page. (e.g., ALLOW-FROM http://www.foo.com) The ALLOW-FROM option is a relatively recent addition (circa 2012) and may not be supported by all browsers yet.
| |
− | | |
− | === Browser Support ===
| |
− | | |
− | The following browsers support X-FRAME-OPTIONS headers.
| |
− | | |
− | <table border="1">
| |
− | <tr> <th>Browser</th> <th>Lowest version</th></tr>
| |
− | <tr> <td>Internet Explorer</td> <td>8.0</td></tr>
| |
− | <tr> <td>Firefox (Gecko)</td> <td>3.6.9 (1.9.2.9)</td></tr>
| |
− | <tr> <td>Opera</td> <td>10.50</td> </tr> <tr> <td>Safari</td> <td>4.0</td></tr>
| |
− | <tr> <td>Chrome</td> <td>4.1.249.1042</td> </tr>
| |
− | </table>
| |
− | | |
− | Reference: [https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header]
| |
− | | |
− | === Implementation ===
| |
− | | |
− | To implement this protection, you need to add the header to any page that you want to protect from being clickjacked. One way to do this is to add the header manually to every page. A possibly simpler way is to implement a filter that automatically adds the header to every page.
| |
− | | |
− | = Defending legacy browsers =
| |
− | | |
− | The following methodology will prevent a webpage from being framed even in legacy browsers.
| |
− | | |
− | In the document HEAD element, add the following:
| |
− | | |
− | First apply an ID to the style element itself:
| |
− | | |
− | <style id="antiClickjack">body{display:none !important;}</style>
| |
− | | |
− | And then delete that style by its ID immediately after in the script:
| |
− | | |
− | <script type="text/javascript">
| |
− | if (self === top) {
| |
− | var antiClickjack = document.getElementById("antiClickjack");
| |
− | antiClickjack.parentNode.removeChild(antiClickjack);
| |
− | } else {
| |
− | top.location = self.location;
| |
− | }
| |
− | </script>
| |
− | | |
− | This way, everything can be in the document HEAD and you only need one method/taglib in your API.
| |
− | | |
− | Reference: [https://www.codemagi.com/blog/post/194 https://www.codemagi.com/blog/post/194]
| |
− | | |
− | = References =
| |
− | | |
− | * Main OWASP [https://www.owasp.org/index.php/Clickjacking https://www.owasp.org/index.php/Clickjacking] page.
| |
− | * OWASP has an [[ClickjackFilter for Java EE|article and some code]] that provides all the details for implementing this in the Java EE environment.
| |
− | * The SDL blog has posted an [http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx article] covering how to implement this in a .NET environment.
| |
− | * In 2009, Microsoft implemented a [http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx header based defense] in IE8 that allows developers to specify that pages should not be framed.
| |
− | * Legacy browser Clickjacking defense from August Detlefsen and Jason Li: [https://www.codemagi.com/blog/post/194 https://www.codemagi.com/blog/post/194].
| |
− | | |
− | {{Cheatsheet_Navigation}}
| |
− | | |
− | [[Category:Cheatsheets]]
| |