The ClickJacking is the attack which is less known by the many of new security aspirants in web application security. The attack involves the overlaying of elements with some social engineering skills to exploit. This vulnerability is raised because of the improper configuration X-Frame-Options header, which is responsible for blocking the iframe on the application. In simple words ClickJacking is making the victim to click on the invisible or opaque iframe which has been layered on the web application and using these victims’ clicks for executing the other process in the back end of application.
Most of the applications are vulnerable to the click jacking attack with different severity ranging from high to low. The application which may range in High severity include
- Banking applications
- Payment gateways or
- E-commerce applications and many
Other than these now a day’s all type of application is vulnerable with low severity for ClickJacking.
1. For demonstrating the ClickJacking attack we are using a vulnerable banking application.
- Figure 1 Vulnerable bank application
- For this vulnerable application we are checking the response headers for X-Frame-Options, as it is seen from below figure 2 that X-Frame-Option header is missing so this will lead us to exploit the Clickjacking vulnerability.
Figure 2 Missing X-Frame-Options header
3. To Exploit we are using the code which is below mentioned with a sign up link on the application. This leads us to accessing the application in iframe with signup link on it shown in figure 3.
<body> <div id=”foo”>
<a class=”button” href=”http://127.0.0.1:81/Application1/SignUp.html”>Sign Up</a>
<iframe src=”http://127.0.0.1:81/Application/index.php” width=”1000″ height=”800″></iframe>
Figure 3 Sign Up link on the iframe
Figure 4 iframe with opacity
4. Any one clicking on the Sign up link will be redirected to the attacker hosted signup page, for demonstration purpose used a signup page but in actual it is made to perform actions related to application.
Figure 5 Redirected Sign Up page
5. In this case if the victim failed to identify the site URL where he is submitting credentials it will lead to loosing of confidentiality of the account.
The impact of the vulnerability is always depended on the type of functionality which is affected. If the attacker is able to execute the functions related to application or get some sensitive information form victim by ClickJacking may lead to disclosing of the identity of the victim or it may be useful to perform further attacks.
In the above case the application will be disclosing the credentials or information related to an individual, which is type of identity theft. ClickJacking vulnerability in applications like banking or eCommerce can cause serious damage compared to other application.
Solution or Mitigation
Always use the best practices while developing the application and configuring the server.
- Using X-Frame-Options header will be the best solution for this vulnerability, the header is having the option DENY, SAMEORIGIN, ALLOW-FROM domain.
- The applications are used with the “<meta http-equiv=“X-Frame-Option” Content=“DENY”>” and for php“<?php header(‘X-Frame-Options: DENY’); ?>”to block the accessing of application within iframe, different development environment have code level options to add the X-Frame-Options header and
- Server is configured with enabling the X-Frame-Options, such as
- For Apache “Header always append X-Frame-Options SAMEORIGIN”
- For Nginx “add_header x-frame-options “SAMEORIGIN” always;”
- For IIS server in web.config file
<add name=”X-Frame-Options” value=”SAMEORIGIN” />
For the demonstration of the ClickJacking we have used the Apache server, after proper configuration of the server and application the X-Frame-Options header is added in the response which can be seen in below figure.
Figure 6 Enabled with X-Frame-Option header
Figure 7 Blocking of iframe after proper configuration
Hopefully this will help you to know how ClickJacking vulnerability works and how it is mitigated using the X-Frame-Option header. Using of security headers is encouraged more to build a secure environment for the web application.
Prakash Dhatti, is an information security enthusiast working as information security consultant @ISECURION and interested on application and network security