Clickjacking - pallavitewari21/Secure-Code GitHub Wiki
Clickjacking (also called UI redressing) is an attack that tricks a user into clicking something other than what they perceive. Typically the attacker loads the target site in an invisible or disguised iframe on a page they control and positions a tempting button under the victim's cursor; the click is delivered to the real site, carrying the victim's cookies and session, so it can disclose confidential information or perform actions on the victim's behalf. Clickjacking has been used to:
- Harvest login credentials, by rendering a fake login box on top of the real one.
- Trick users into turning on their webcam or microphone, by rendering invisible elements over the Adobe Flash settings page (Flash is now end-of-life, so this particular example is historical).
- Spread worms on social media sites like Twitter and MySpace.
- Promote online scams by tricking people into clicking on things they otherwise would not.
- Spread malware by diverting users to malicious download links.
There are two defences. The primary one is an HTTP response header that tells the browser not to render the page inside a frame: the legacy X-Frame-Options header (values DENY or SAMEORIGIN; the ALLOW-FROM value was never widely supported and is ignored by current browsers) and the standardized Content-Security-Policy frame-ancestors directive, which supersedes it and also supports an allow-list of origins. Send both, so that modern browsers enforce frame-ancestors and older ones fall back to X-Frame-Options; a browser that understands frame-ancestors ignores X-Frame-Options when both are present. The secondary defence is a client-side "frame-killing" script, which is only a fallback: frame-busting code has a long history of bypasses and should never be the sole control. The code samples below illustrate how to implement frame-killing in JavaScript and how to set both headers in various languages and web frameworks.
Frame Killing

The page is hidden by default with CSS and only revealed once the script confirms the document is the top-level window. That way a frame that blocks the script, or a sandboxed frame that allows scripts but forbids top-level navigation, shows nothing rather than a clickable page.

```html
<style>
  /* Hide page by default; the script below reveals it only when not framed. */
  html { display : none; }
</style>
<script>
  if (self == top) {
    // Everything checks out, show the page.
    document.documentElement.style.display = 'block';
  } else {
    // Break out of the frame. If the frame is sandboxed without
    // allow-top-navigation this assignment throws, and the page stays hidden.
    top.location = self.location;
  }
</script>
```
Python - Django

Headers can be set on a single response (the original `render_to_response` / `context_instance` API has been removed from Django; `render` is the current equivalent):

```python
from django.shortcuts import render

def my_view(request):
    response = render(request, "template.html", {})
    response["X-Frame-Options"] = "DENY"
    response["Content-Security-Policy"] = "frame-ancestors 'none'"
    return response
```

Site-wide, Django's `django.middleware.clickjacking.XFrameOptionsMiddleware` (enabled in the default `MIDDLEWARE`) already sends X-Frame-Options on every response, controlled by the `X_FRAME_OPTIONS` setting; the `xframe_options_deny` and `xframe_options_sameorigin` decorators in `django.views.decorators.clickjacking` override it per view.
Ruby - Rails

```ruby
# Inside a controller action or before_action
response.headers['X-Frame-Options'] = 'DENY'
response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"
```

Rails already sends `X-Frame-Options: SAMEORIGIN` on every response through `config.action_dispatch.default_headers`; change that value there to apply it site-wide, and use the CSP DSL in `config/initializers/content_security_policy.rb` (`policy.frame_ancestors :none`) rather than hand-writing the CSP header.
Java

```java
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FramingProtectedServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        // Set both headers before writing the body: headers cannot be changed
        // once the response has been committed.
        response.addHeader("X-Frame-Options", "DENY");
        response.addHeader("Content-Security-Policy", "frame-ancestors 'none'");
    }
}
```
C#

```csharp
// ASP.NET (System.Web)
Response.AppendHeader("X-Frame-Options", "DENY");
Response.AppendHeader("Content-Security-Policy", "frame-ancestors 'none'");
```

In ASP.NET Core the equivalent is `Response.Headers["X-Frame-Options"] = "DENY";` and `Response.Headers["Content-Security-Policy"] = "frame-ancestors 'none'";`, usually applied to every response from middleware.
Node

```javascript
const http = require("http");

http.createServer((request, response) => {
  // Headers must be set before the first write to the response body.
  response.setHeader("X-Frame-Options", "DENY");
  response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
  response.end("not frameable");
}).listen(8080);
```
PHP

```php
<?php
// Must be called before any output is sent, or the headers cannot be added.
header("X-Frame-Options: DENY");
// The second argument (replace = false) appends rather than overwriting any
// Content-Security-Policy header the application has already set.
header("Content-Security-Policy: frame-ancestors 'none'", false);
```