Defending Against Clickjacking Attacks

July 15, 2023
Tags: cybersecurity, certification research, comptia security+, clickjacking, content security policies

Clickjacking, also known as a UI redress attack, is a malicious technique in which attackers trick users into unknowingly interacting with hidden elements placed on top of legitimate web content. By overlaying transparent or disguised elements, attackers deceive users into clicking on the hidden content, which lets the attacker carry out unauthorized actions, such as disclosing sensitive information, performing operations in a web application, or initiating downloads, without the user's awareness or consent.


There are three primary defenses against clickjacking:

  • Prevent the browser from loading the page within a frame by sending either the X-Frame-Options or the Content Security Policy (frame-ancestors) HTTP header.
  • Use the SameSite cookie attribute to ensure session cookies are not included when the page is loaded in a frame.
  • Frame busting: JavaScript within the page, commonly referred to as a "frame-buster," attempts to prevent the page from being displayed inside a frame.


Using Content-Security-Policy frame-ancestors to prevent loading in a frame

frame-ancestors is a Content-Security-Policy (CSP) directive that controls which origins are allowed to embed a web page within an iframe or frame. By specifying a list of trusted origins as the value of frame-ancestors, the page can be prevented from being embedded on other domains or on all but specific origins. With frame-ancestors in place, a web application ensures that its content is displayed only within the frames it permits, reducing the risk of unauthorized embedding.

    
Content-Security-Policy: frame-ancestors <source>;
Content-Security-Policy: frame-ancestors <space separated list of sources>;
    

Using SameSite Cookies to filter Session Data in Frames

The SameSite cookie attribute restricts when the browser sends a cookie in cross-site contexts, including requests made by framed or embedded content, so a page framed from another site is loaded without the user's session cookie. The SameSite attribute can have one of three values.

  • strict - Offers the most protection: the browser never sends the cookie to the target site in any cross-site browsing context.
  • lax - The cookie is included in cross-origin requests triggered by top-level navigation, which covers regular links and URL redirects, but it is not sent with cross-site POST requests or with requests made from iframes or scripts.
  • none - Provides no protection; the browser sends the cookie in all cross-site browsing contexts.
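
As an added example (not code from the original post), the following Python script audits a response's headers for the controls described in the two sections above: X-Frame-Options, CSP frame-ancestors, and the SameSite attribute on Set-Cookie. The sample responses are constructed; a defender can point the same functions at headers captured from a real deployment.

```python
# Added example: audit HTTP response headers for anti-clickjacking controls.
# Header sets below are constructed sample data, not captured from a real site.

def parse_frame_ancestors(csp_value):
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def samesite_of(set_cookie):
    """Return the SameSite value of a Set-Cookie header (lowercased), or None if missing."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower() or None
    return None

def audit_framing(headers):
    """headers: list of (name, value) pairs as the server emits them (Set-Cookie may repeat).
    Returns findings for the three header-based controls."""
    lower = [(n.lower(), v) for n, v in headers]
    first = lambda name: next((v for n, v in lower if n == name), "")
    xfo = first("x-frame-options").strip().upper()
    ancestors = parse_frame_ancestors(first("content-security-policy"))
    # Cookies with no SameSite attribute or SameSite=None are sent into cross-site frames.
    weak = [c.split("=", 1)[0].strip() for n, c in lower
            if n == "set-cookie" and samesite_of(c) in (None, "none")]
    return {
        "x_frame_options_ok": xfo in ("DENY", "SAMEORIGIN"),
        "frame_ancestors": ancestors,
        # A wildcard source permits any origin to frame the page.
        "frame_ancestors_ok": ancestors is not None and "*" not in ancestors,
        "cookies_not_samesite_restricted": weak,
    }

WEAK_RESPONSE = [  # constructed: no framing controls, session cookie sent cross-site
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=None"),
]
HARDENED_RESPONSE = [  # constructed: the defenses from this post applied
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_framing(resp))
```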


Using Frame Busting JavaScript to break out of the Frame

A robust approach to protecting against clickjacking is to integrate a "frame-breaker" script into the specific pages that must not be framed. This ensures that even in legacy browsers lacking support for the X-Frame-Options header, the page remains shielded.

To implement this defense, add the following code snippet to the document's HEAD element:

  
<style id="antiClickjack">
    body { display: none !important; }
</style>
  

Next, incorporate the script below to delete the added style element using its assigned ID:

  
<script type="text/javascript">
    if (self === top) {
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
    } else {
        top.location = self.location;
    }
</script>
  

By embedding this technique in the document's HEAD section, you can apply the protection consistently from a single shared method or tag library in your application. Because the page body stays hidden until the script confirms it is not framed, the page remains unusable within frames, providing a reliable defense against clickjacking even for older browsers lacking newer security features.

Clickjacking is a deceptive and malicious technique used by attackers to exploit user interactions with hidden elements on legitimate web content. By tricking users into unknowingly clicking on these concealed elements, attackers can carry out unauthorized actions without the user's consent, jeopardizing sensitive information and web application operations. These mitigation techniques can prevent clickjacking attacks in an application.