X-Frame-Options (clickjacking)

Vulnerability Description:
Clickjacking is a visual deception attack. The attacker loads the target page in a transparent iframe laid over a decoy page and lures the user into interacting with the decoy; the user's clicks actually land on the invisible framed page. By adjusting the position of the iframe, the attacker can make the click fall on a particular functional button of the framed page.
The X-Frame-Options HTTP response header tells the browser whether the page may be loaded inside a frame or iframe. If the server's response does not carry an X-Frame-Options header, the site is exposed to clickjacking. By setting X-Frame-Options, a site prevents its pages from being embedded in pages of other sites and so blocks clickjacking.
Solution:
Modify the web server configuration to add the X-Frame-Options response header. It takes one of three values:
1. DENY: the page cannot be embedded in any frame or iframe.
2. SAMEORIGIN: the page may only be embedded in a frame or iframe on a page of the same site (same origin).
3. ALLOW-FROM uri: only the specified domain may embed the page in a frame.
In Apache httpd.conf it may be configured as follows:

<IfModule headers_module>
    Header always append X-Frame-Options "DENY"
</IfModule>
For example, in an environment built with phpstudy, open Other Options menu -> php extensions and settings -> Apache module, tick the headers_module module, then add the line Header always append X-Frame-Options SAMEORIGIN on a blank line of the Apache configuration file httpd.conf. That is all that is needed.
Before adding: (screenshot of the response headers, not reproduced here)
After the addition: (screenshot of the response headers, not reproduced here)
Testing whether a site has set X-Frame-Options
Put the site under test in the iframe in the following code, save it as an .html file and open it locally. If the page of the site under test is displayed inside the frame, X-Frame-Options is not set; if nothing is displayed, the header is in place.

<!DOCTYPE html>
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title>Clickjacking test</title>
</head>
<body>
    <!-- replace www.xxx.com with the address of the site under test -->
    <iframe src="http://www.xxx.com/" width="500" height="500" frameborder="10"></iframe>
</body>
</html>
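The iframe page above gives a yes/no answer for one site in one browser. As an added example that is not part of the original post, the Python below applies the three header values described in the Solution section (DENY, SAMEORIGIN, ALLOW-FROM) the way a browser does, so a tester can reason about whether a page could be framed from a given origin before and after changing the server configuration. It runs offline on constructed header dictionaries; the hostnames www.example.com, partner.example and other.example are made up for the demonstration. One caveat the post does not mention, reflected in the code: ALLOW-FROM is obsolete and current browsers ignore it, and an unrecognised value is likewise ignored, which leaves the page framable.

```python
"""Evaluate an X-Frame-Options header against a page/embedder origin pair.

Added example, not code from the original post. Works on constructed
header dicts; no network access is made.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the browser origin (scheme://host[:port]) of a URL.

    Scheme and host are lower-cased and a default port is dropped, so
    https://www.example.com:443/x and https://www.example.com/y share an origin.
    """
    p = urlsplit(url)
    scheme = (p.scheme or "").lower()
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_allowed(headers, page_url, embedder_url, legacy_allow_from=False):
    """Decide whether a document at embedder_url may frame page_url.

    Only X-Frame-Options is considered. Returns (allowed, reason).
    legacy_allow_from=True emulates the old browsers that honoured ALLOW-FROM;
    by default it is treated as current browsers do, i.e. ignored.
    """
    raw = get_header(headers, "X-Frame-Options")
    if raw is None:
        return True, "header missing: any site may frame this page (clickjacking risk)"

    # The header may carry several comma-separated values; DENY wins if present.
    tokens = [t.strip().upper() for t in raw.split(",") if t.strip()]
    if "DENY" in tokens:
        return False, "DENY: framing refused from every origin"
    if tokens and all(t == "SAMEORIGIN" for t in tokens):
        same = origin_of(page_url) == origin_of(embedder_url)
        return same, f"SAMEORIGIN: embedder origin {'matches' if same else 'differs'}"
    if len(tokens) == 1 and tokens[0].startswith("ALLOW-FROM"):
        if not legacy_allow_from:
            return True, "ALLOW-FROM is obsolete; current browsers ignore it, so the page can be framed"
        listed = raw.strip()[len("ALLOW-FROM"):].strip()
        ok = bool(listed) and origin_of(listed) == origin_of(embedder_url)
        return ok, f"ALLOW-FROM (legacy): embedder {'is' if ok else 'is not'} the listed origin"
    # Unknown value: browsers ignore the header entirely, so framing is allowed.
    return True, f"unrecognised value {raw!r}: browsers ignore it, so the page can be framed"


def main():
    # Constructed responses, before and after the change described in the post.
    page = "https://www.example.com/login"
    cases = [
        ("before adding the header", {"Content-Type": "text/html"}),
        ("after adding SAMEORIGIN", {"X-Frame-Options": "SAMEORIGIN"}),
        ("after adding DENY", {"X-Frame-Options": "DENY"}),
        ("misspelt value", {"X-Frame-Options": "SAME-ORIGIN"}),
    ]
    for label, headers in cases:
        for embedder in ("https://www.example.com/portal", "https://other.example/"):
            allowed, reason = framing_allowed(headers, page, embedder)
            print(f"{label:28s} from {embedder:34s} -> {'FRAMABLE' if allowed else 'blocked'} ({reason})")


if __name__ == "__main__":
    main()
```

A useful habit when testing a server change is to feed the exact header value the server sends into framing_allowed rather than the value you intended to configure: the "misspelt value" case shows that a typo such as SAME-ORIGIN silently leaves the page framable, which the iframe test page above would reveal only if you happened to try it.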

Origin: blog.csdn.net/zhongguowangzhan/article/details/104044167