Skip to main content

X-Frame-Options a countermeasure for Click-Jacking.

Introduction:

What is Click-Jacking?


Click-jacking, also known as a "UI redress attack", It is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on.

 What is an Impact?

An attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of style sheets, I-frames, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

How can we Mitigate?


We can mitigate the Click-Jacking with the help of X-Frame-Options in HTTP response header.


The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Frame sniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.
 

What is X-Frame-Options?

X-Frame-Options is a mitigation technique for click jacking attacks. It is an HTTP response header sent by the server to indicate under what circumstances page contents should be displayed in a frame context. A browser that understands the header will not display the contents of a page if the header directive is violated (for instance, if evil-example.com puts good-site.com in an I-frame but good-site.com sends a header that says X-Frame-Options: DENY. Thus, no click jacking can occur because no UI elements can be displayed to a victim.

What are the types of X-Frame-Options Header?

There are three possible values for the X-Frame-Options headers:
           DENY, which prevents any domain from framing the content.

           SAMEORIGIN, which only allows the current site to frame the content.

           ALLOW-FROM Uri, which permits the specified 'Uri' to frame this page. As explained below. The ALLOW-FROM option is a relatively recent addition (circa 2012) and may not be supported by all browsers yet. BE CAREFUL ABOUT DEPENDING ON ALLOW-FROM. If you apply it and the browser does not support it, then you will have NO click jacking defense in place.

 Configuring the X-Frame-Options in IIS

To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  3. Double-click the HTTP Response Headers icon in the feature list in the middle.
  4. In the Actions pane on the right side, click Add.
  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  6. Click OK to save your changes.

 
 



Comments

Post a Comment

Popular posts from this blog

Drozer Commands - A Security & Attack Framework for Android

What is Drozer? Drozer is a Security & Attack Framework for Android Application Testing. Drozer is a tool that can be used for Mobile device review , Secure development of applications, BYOD approval and Mobile application testing. There are 2 Versions of Drozer an Open Source and other one Pro version having following features Gathering the information about the application Find the attack surface Test your Exposure to Public Exploits Execute dynamic code on a device, to avoid the need to compile and install small test scripts. Start Android emulators, provisioned with the drozer Agent and the app you want to investigate. Simulate sensor input, such as GPS, to emulators to test the full attack surface. View the attack surface as a graph. this will be helpful for the risk assessment reporting. Drozer is having agent & server architecture so to start with assessment we have to install the agent in the emulator or connected device. Command to install the Dr
6 comments
Read more

Android Damn Vulnerable App by Security Compass

Tutorial of Android Damn Vulnerable App by Security Compass Introduction: Hi folks, today I am gonna show you some hands on or tutorial of the android app testing which I done during my R&D of android app security testing. Here I will show you from scratch setting up of Lab Server to testing of application. In this you will learn on below topics: 1)Insecure Connection (Traffic over HTTP) 2)Server Side Authorization Issue 3)Insecure File Storage 4)Insecure Logging 5)Encryption of data on device 6)Memory Protection Setting-up of lab (App & Server) First of all you have to download the base app which is damn vulnerable from here . After downloading zip and extracting it you have to build it in .apk format using Eclipse IDE. Now you have to install the app in the emulator before that you have to make sure that you installed SDK and its packages. To install the app you have to start emulator using AVD and clicking on "Start" or by command line emul
25 comments
Read more

OWASP IoT (Internet of Things) Top 10 - A Walkthrough

OWASP IoT (Internet of Things) Top 10 - 2014 Introductions: In Todays world things of everyday are becoming smart, every hour hundreds and thousands of smart devices are being added to the Internet whether it is a Toaster, Camera, Refrigerator, T.Vs, Cars etc. So it can be a target of attackers easily, here comes OWASP IoT Top 10 to address this issue. OWASP IoT Top 10 is designed to make the everyday devices secure on same lines of guidelines by OWASP TOP 10 for applications. The OWASP Internet of Things Top 10 - 2014 is as follows: I1 – Insecure Web Interface I2 – Insufficient Authentication/Authorization I3 – Insecure Network Services I4 – Lack of Transport Encryption I5 – Privacy Concerns I6 – Insecure Cloud Interface I7 – Insecure Mobile Interface I8 – Insufficient Security Configurability I9 – Insecure Software/Firmware I10 – Poor Physical Security  How to test for OWASP IoT Top 10   I1 – Insecure Web Interface: Everyday devices have web ser
Post a Comment
Read more