Does the clickjacking test safeguard us from attacks?

Asked by ananyaPawar in Cyber Security, Asked on Apr 20, 2022

I want to know more about clickjacking. I have been reading an article about clickjacking, where the HTML code to test for clickjacking vulnerability was provided. I tried the same as described in that article, and I got the message “You’ve been clickjacked!” at the top of the page, indicating my web application is vulnerable to this type of attack:


To test whether a site is vulnerable to clickjacking, create an HTML page similar to the following, changing the URL highlighted in RED to point to your target site:

<!DOCTYPE html>
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <!-- If this heading stays visible and the target renders in the frame below, the target can be framed. -->
    <h1>You’ve been clickjacked!</h1>
    <!-- Point src at the page under test (the URL shown in red in the original article). The sandbox
         attribute omits allow-top-navigation, so a frame-busting script inside the target cannot
         redirect this page. -->
    <iframe sandbox="allow-scripts allow-forms" src="http://localhost:8080" style="width:100%;height:90%"></iframe>
  </body>
</html>
If you see the text “You’ve been clickjacked!” at the top of the page, your site is vulnerable.

How does that prove my website is vulnerable?

Answered by Amit raj

It's not really incorrect, but it only accounts for the clickjacking test defence script that is mentioned on the page. It does not take into account the X-Frame-Options header defence.


If you perform that test there are a couple of things that could happen:

  • The clickjack text disappears: This means that there is a JavaScript defence, and that there either is no header defence or your browser doesn't support it.
  • The clickjack text is still there but nothing is shown in the iframe: This means that there is a header defence, and your browser supports it. You can't tell if the JavaScript defence is implemented because the iframe page is never loaded.
  • The clickjack text is still there, and the site loaded in the iframe: This means that there is no JavaScript defence, and that there either is no header defence or your browser doesn't support it.
  • As the second option shows, the page can be properly protected but you still see the clickjack text. To be sure, it's probably best to perform the test with both a modern and an older browser without X-Frame-Options support.
  • Naturally, both defences should be implemented. The header defence is aimed towards modern browsers, while the JavaScript defence protects legacy browsers.
  • Check out https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet for more information.


