Preventing clickjacking
Written by Division by Zero   
Saturday, 13 February 2010 10:41

Maybe you heard about clickjacking, maybe you didn't. In short: it is an attack on a web user that uses transparent frames. The user thinks he or she clicks on something, but in fact clicks on something else. The user never notices, because the intended action is also executed (or is executed on a second click, or something like that). Here's the original paper by Robert Hansen and Jeremiah Grossman.

But what to do about it? Well... there isn't very much that you can do to protect your user. It is possible to prevent your web application from being loaded in a frame by adding an HTTP header. This prevents clickjacking, but the header has to be supported by the user's browser. IE8 supports the X-FRAME-OPTIONS HTTP header, and Firefox does if the user installs the NoScript extension. X-FRAME-OPTIONS has two possible values: DENY (disallow being loaded in any frame) and SAMEORIGIN (only allow being loaded in a frame if the framing page comes from the same origin).

One way to add the X-FRAME-OPTIONS header to every HTTP response is an HTTP module. Here's an example of such a simple module:

using System;
using System.Web;

// HTTP module that adds X-FRAME-OPTIONS: DENY to every response, so the
// application cannot be loaded in a frame by a browser that honours the header.
// Register it in web.config under <httpModules> (classic pipeline) or
// <system.webServer><modules> (integrated pipeline).
public class AntiClickJackingModule : IHttpModule
{
    public void Init(HttpApplication context)
    {
        // Hook the end of every request so the header is present on every
        // response, error pages included.
        context.EndRequest += new EventHandler(context_EndRequest);
    }

    private void context_EndRequest(object sender, EventArgs e)
    {
        HttpApplication application = (HttpApplication) sender;
        HttpContext context = application.Context;

        // Add the X-FRAME-OPTIONS header (use SAMEORIGIN instead of DENY if the
        // application frames its own pages)
        context.Response.AddHeader("X-FRAME-OPTIONS", "DENY");
    }

    public void Dispose()
    {
        // Nothing to release
    }
}
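Once the module is in place you want to confirm that every response really carries a usable header. The following Python checker is an added example, not code from the original post: it parses a raw HTTP response, finds X-Frame-Options case-insensitively (the module above emits it in upper case) and classifies the value as DENY, SAMEORIGIN, missing, conflicting or unrecognized. The sample responses are constructed for the test.

```python
"""Offline checker for the X-Frame-Options anti-clickjacking header."""
from __future__ import annotations

from dataclasses import dataclass

VALID_VALUES = {"DENY", "SAMEORIGIN"}


@dataclass
class FrameOptionsResult:
    status: str      # "DENY", "SAMEORIGIN", "missing", "conflicting" or "unrecognized"
    protected: bool  # True only when a browser honouring the header refuses framing


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Split a raw HTTP response into (lower-cased name, value) pairs; the body is ignored."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    headers = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_frame_options(raw_response: str) -> FrameOptionsResult:
    values = [v.upper() for n, v in parse_headers(raw_response) if n == "x-frame-options"]
    if not values:
        return FrameOptionsResult("missing", False)
    if len(set(values)) > 1:
        # Two different policies on one response is a misconfiguration; flag it
        # instead of guessing which value a given browser will apply.
        return FrameOptionsResult("conflicting", False)
    value = values[0]
    if value in VALID_VALUES:
        return FrameOptionsResult(value, True)
    return FrameOptionsResult("unrecognized", False)  # e.g. the typo SAME-ORIGIN


# Constructed sample responses (not captured from a real site)
SAMPLE_DENY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-FRAME-OPTIONS: DENY\r\n\r\n<html></html>"
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_TYPO = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n"
SAMPLE_CONFLICT = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("deny", SAMPLE_DENY), ("missing", SAMPLE_MISSING),
                          ("typo", SAMPLE_TYPO), ("conflict", SAMPLE_CONFLICT)]:
        print(label, check_frame_options(sample))
```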



© 2009 - 2013, Division by Zero

This work by Division by Zero is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Netherlands License.