Hello,
I am writing a post after a long time, because a company ranked within the Alexa top 100 asked me how to patch its site against the Click-Jacking vulnerability. I am mostly interested in server-side flaws that end up affecting users. I almost never look for Click-Jacking in my bug hunting (about 1% of my total findings), but on rare occasions I do look for one and turn it into easy and effective social engineering. Many companies don't consider it a threat, but it is a real one: nobody likes having their site's content spoofed by code layered over it or by slicing some code over it. I am using a WordPress blog, so they currently don't allow me to do this, but I have a new startup of my own where I use the concept effectively, which I will also release publicly soon. But let's talk about Click-Jacking protection now.
So, many newbie hackers find Click-Jacking by showing the site inside an iframe and are done with it, but they don't know the actual mitigation and patch. So first I suggest you go over the Mozilla Developer page about X-Frame-Options.
This vulnerability mainly occurs because the X-Frame-Options header is weak or not set at all. You have three choices for it:
- DENY : If you set X-Frame-Options to DENY, your page cannot be embedded in an iframe at all. This is where the patch for the infamous Click-Jacking bug lies.
- SAMEORIGIN : If you set X-Frame-Options to SAMEORIGIN, the page can only be displayed in a frame on the same origin as the page itself, i.e. the site can only be framed by pages with the same origin as the framed page.
- ALLOW-FROM uri : The page can only be displayed in a frame on the specified origin. Note that current browsers no longer honour ALLOW-FROM, so don't rely on it.
Now that the concept of the X-Frame-Options HTTP header is clear, we can move on to setting up the patch.
APACHE SETUP:
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration; for WordPress sites on Apache you can also put it in your .htaccess (use set rather than append, so an already present header is replaced instead of getting a second, comma-joined value):
Header always set X-Frame-Options "DENY"
NGINX SETUP:
For NGINX, add this in the server block (the always parameter makes the header go out on error responses too, not only on 2xx/3xx):
add_header X-Frame-Options DENY always;
DRUPAL SETUP:
Drupal 7 has its own way of dealing with headers through drupal_add_http_header. So you can add:
drupal_add_http_header('X-Frame-Options', 'DENY');
IIS SETUP:
To configure IIS to send the X-Frame-Options header, add this to your web.config (from the Mozilla Web Dev page):
<system.webServer>
  …
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
  …
</system.webServer>
PHP SETUP:
Many times web developers use this to protect specific pages such as the login page or the sign-up page; even WordPress does this for its login page. Add this line to your PHP code, before any output is sent (headers cannot be changed once the body has started):
header('X-Frame-Options: DENY');
The demonstrations above were for DENY; you can use SAMEORIGIN instead if you prefer, all you need to do is replace the value. I hope it's clear now. So let's see how it looks.
So, I hope you liked it and now understand the developer's side, because "Every Hacker is a Developer". Shoot your queries here!
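As an added example (not code from the original post), here is a small Python check that classifies a response's framing protection from its headers. It covers what the configurations above can produce in practice: a lowercase header name, a value duplicated by Apache's Header append, the obsolete ALLOW-FROM, and, going one step beyond the post, the CSP frame-ancestors directive that replaces X-Frame-Options in current browsers. The sample header sets are constructed, not captured from any real site.

```python
"""Classify clickjacking (framing) protection from HTTP response headers."""
from typing import Iterable, List, Optional, Tuple

VALID_XFO = {"DENY", "SAMEORIGIN"}


def framing_verdict(headers: Iterable[Tuple[str, str]]) -> Tuple[str, str]:
    """Return (status, detail); status is protected, weak, misconfigured or unprotected.

    Header names are matched case-insensitively (HTTP header names are not
    case-sensitive, so 'x-frame-options' still counts). Values are collected
    across repeated headers and comma-joined lists, which is exactly what
    Apache's 'Header append' yields when the header was already present.
    """
    xfo: List[str] = []
    frame_ancestors: Optional[List[str]] = None
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "x-frame-options":
            xfo.extend(v.strip().upper() for v in value.split(",") if v.strip())
        elif lname == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    frame_ancestors = tokens[1:]
    # CSP frame-ancestors overrides X-Frame-Options in browsers that support it.
    if frame_ancestors is not None:
        return "protected", "CSP frame-ancestors " + " ".join(frame_ancestors)
    if not xfo:
        return "unprotected", "no X-Frame-Options or CSP frame-ancestors header"
    if len(set(xfo)) > 1:
        return "misconfigured", "conflicting X-Frame-Options values: " + ", ".join(xfo)
    value = xfo[0]  # duplicates of one value (e.g. DENY, DENY) collapse to it
    if value in VALID_XFO:
        return "protected", "X-Frame-Options: " + value
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors"
    return "unprotected", "unrecognised X-Frame-Options value %r is ignored" % value


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "apache_set": [("Server", "Apache"), ("X-Frame-Options", "DENY")],
    "nginx_lowercase": [("x-frame-options", "sameorigin")],
    "apache_append": [("X-Frame-Options", "SAMEORIGIN, DENY")],  # set, then appended
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "none": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print("%-16s -> %s: %s" % ((label,) + framing_verdict(hdrs)))
```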