Shawndouglas: Added further reading

2016-08-10T22:35:00Z

Added further reading

← Older revision		Revision as of 22:35, 10 August 2016
Line 4:		Line 4:

	===To prevent this type of attack===		===To prevent this type of attack===
	* Prevent (i)framing of your application in current browsers by including the HTTP response header “<tt>X-Frame-Options: deny</tt>”		* Prevent (i)framing of your application in current browsers by including the HTTP response header “<tt>X-Frame-Options: deny</tt>”.
	* Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected		* Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected.
	* For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript		* For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript.

	===Rationale===		===Rationale===
	The X-Frame-Options header is required as JavaScript frame breakers could be ineffective in some newer browsers that allow undetectable framing. However, older, still common browsers ignore the header and thus require additional protection using classic JavaScript based frame breakers. Since (as opposed to the header method) those do not work if JavaScript is disabled, additional measures may be necessary.		The X-Frame-Options header is required as JavaScript frame breakers could be ineffective in some newer browsers that allow undetectable framing. However, older, still common browsers ignore the header and thus require additional protection using classic JavaScript based frame breakers. Since (as opposed to the header method) those do not work if JavaScript is disabled, additional measures may be necessary.

			==Further reading==
			* [[wikipedia:Clickjacking\|Clickjacking]]

	==Notes==		==Notes==
	The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Clickjacking the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.		The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Clickjacking the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

Shawndouglas: Created as needed.

2016-08-10T21:07:22Z

Created as needed.

New page

{{TOC right}}
==Clickjacking==
In clickjacking attacks, the target site is embedded in an IFRAME on the attacking site and either kept in the background, but mostly covered by other elements or made transparent and kept in the foreground. The user is then incited to click a certain location (e.g. when using the transparency method by placing a button in the background). Instead of the visible button, the click hits the invisible window. The placement of the IFRAME and button is chosen so that the click triggers the action wanted by the attacker (e.g. change settings). As the user is logged into the target site, the click can trigger actions that would otherwise be unreachable for the attacker. Multiple Facebook spam waves were generated using this method.

===To prevent this type of attack===
* Prevent (i)framing of your application in current browsers by including the HTTP response header “<tt>X-Frame-Options: deny</tt>”
* Prevent (i)framing in outdated browsers by including a JavaScript frame breaker which checks for (i)framing and refuses to show the page if it is detected
* For applications with high security requirements where you expect users to use outdated browsers with JavaScript disabled, consider requiring users of older browsers to enable JavaScript

===Rationale===
The X-Frame-Options header is required as JavaScript frame breakers could be ineffective in some newer browsers that allow undetectable framing. However, older, still common browsers ignore the header and thus require additional protection using classic JavaScript based frame breakers. Since (as opposed to the header method) those do not work if JavaScript is disabled, additional measures may be necessary.

==Notes==
The original source for this page is [https://en.wikibooks.org/wiki/Web_Application_Security_Guide/Clickjacking the associated Wikibooks article] and is shared here under the [https://creativecommons.org/licenses/by-sa/3.0/ CC BY-SA 3.0] license.

LII:Web Application Security Guide/Clickjacking - Revision history

Shawndouglas: Added further reading

Shawndouglas: Created as needed.