Revision as of 01:44, 2 December 2012

1 Clickjacking Defense Introduction
2 Defending with X-FRAME-OPTIONS response headers
3 Defending legacy browsers
4 References

Clickjacking Defense Introduction

This cheat sheet is focused on providing developer guidance on Clickjack/UI Redress attack prevention. For more information on the risk of Clickjacking, please visit this page.

The most popular way to defend against clickjacking is to include some sort of "frame-breaking" functionality which prevents other web pages from framing the site you wish to defend. This cheat sheet will discuss two methods of implementing frame-braking; via X-FRAME-OPTIONS headers (if the browser or browsers in question support it) and via javascript "frame-breaking" code.

Defending with X-FRAME-OPTIONS response headers

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

X-FRAME-OPTION Header Types

There are three types of X-FRAME-OPTIONS headers.

The first is X-FRAME-OPTIONS DENY, which prevents any domain from framing the content.
The second option is X-FRAME-OPTIONS SAMEORIGIN, which only allows the current site to frame the content.
The third, is the X-FRAME-OPTIONS ALLOW-FROM 'sitename' header, which permits the specified 'sitename' to frame this page. (e.g., ALLOW-FROM http://www.foo.com) The ALLOW-FROM option is a relatively recent addition (circa 2012) and may not be supported by all browsers yet.

Browser Support

The following browsers support X-FRAME-OPTIONS headers.

Browser	Lowest version
Internet Explorer	8.0
Firefox (Gecko)	3.6.9 (1.9.2.9)
Opera	10.50
Safari	4.0
Chrome	4.1.249.1042

Reference: https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header

Implementation

To implement this protection, you need to add the header to any page that you want to protect from being clickjacked. One way to do this is to add the header manually to every page. A possibly simpler way is to implement a filter that automatically adds the header to every page.

Defending legacy browsers

The following methodology will prevent a webpage from being framed even in legacy browsers.

In the document HEAD element, add the following:

First apply an ID to the style element itself:

<style id="antiClickjack">body{display:none !important;}</style>

And then delete that style by its ID immediately after in the script:

<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>

This way, everything can be in the document HEAD and you only need one method/taglib in your API.

References

Main OWASP https://www.owasp.org/index.php/Clickjacking page.
OWASP has an article and some code that provides all the details for implementing this in the Java EE environment.
The SDL blog has posted an article covering how to implement this in a .NET environment.
In 2009, Microsoft implemented a header based defense in IE8 that allows developers to specify that pages should not be framed.
Legacy browser Clickjacking defense from August Detlefsen and Jason Li: https://www.codemagi.com/blog/post/194.

OWASP Cheat Sheets Project Homepage

OWASP Cheat Sheet Series

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

@@ Line 7: / Line 7: @@
 = Defending with X-FRAME-OPTIONS response headers =
-The X-FRAME-OPTIONS header is used to mark responses that should not be framed.
+The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a &lt;frame&gt; or &lt;iframe&gt;. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
 === X-FRAME-OPTION  Header Types  ===

Difference between revisions of "Clickjacking Defense Cheat Sheet"

Revision as of 01:44, 2 December 2012

Clickjacking Defense Introduction

Defending with X-FRAME-OPTIONS response headers

X-FRAME-OPTION Header Types

Browser Support

Implementation

Defending legacy browsers

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools