18 Clickjacking


This chapter covers

  • Configuring the X-Frame-Options header
  • Configuring the frame-ancestors CSP directive

This short chapter explores clickjacking and wraps up the book. The term clickjacking is a blend of the words click and hijacking. A clickjacking attack begins by luring the victim to a malicious web page, where they are baited into clicking a harmless-looking link or button. The attacker has positioned a transparent frame of another site over that control, so the click is hijacked and delivered to a UI control on the framed site instead. The victim may think they are about to win an iPhone, but they are actually sending a request to a site they previously logged in to, with their session cookies attached. The state change caused by this unintended request is the attacker's motive.

Suppose Charlie has just finished charlie.mil, a top-secret website for high-ranking military officials. This site serves the web page in listing 18.1, launch-missile.html. As the name indicates, this page enables military officials to launch missiles. Charlie has taken all of the necessary precautions to ensure that only authorized personnel can access and use this form.

Listing 18.1 Charlie’s site uses an ordinary HTML form to launch missiles
<html>
    <body>
        <form method='POST' action='/missile/launch/'>
          {% csrf_token %}
          <!-- The submit button an attacker wants the victim to click -->
          <button type='submit'>
              Launch missile
          </button>
        </form>
        ...
    </body>
</html>
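Two things are worth seeing in working code at this point: what Mallory's decoy page looks like, and how a browser decides whether charlie.mil may be framed once Charlie sends the headers this chapter covers. The following is an added example, not code from the book or from charlie.mil. The decoy page, the origins mallory.example and intranet.charlie.mil, and the function names are constructed for illustration. The framing rules follow the CSP Level 3 precedence of frame-ancestors over X-Frame-Options; for brevity the check compares only the top-level page, whereas a real browser walks every ancestor frame.

```python
"""Clickjacking: the decoy page and the browser's framing decision.

Added example, not code from the book or from charlie.mil. Origins, the decoy
markup and the function names are constructed for illustration.
"""
from urllib.parse import urlsplit

# Mallory's decoy page (constructed). The victim sees the iPhone button; a
# transparent, full-size iframe of charlie.mil sits on top of it, so the click
# lands on the real "Launch missile" button. The browser attaches the victim's
# cookies, and the CSRF token is inside the framed page, so it is valid too.
DECOY_PAGE = """<html><body>
<button style="position:absolute;top:100px;left:100px">Claim your free iPhone</button>
<iframe src="https://charlie.mil/launch-missile.html"
        style="position:absolute;top:0;left:0;width:100%;height:100%;
               opacity:0;z-index:2;border:0"></iframe>
</body></html>"""


def origin_of(url: str) -> str:
    """Scheme and host (plus port, if any): the unit these policies are keyed on."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _source_matches(src: str, top_origin: str, framed_origin: str) -> bool:
    """Match one frame-ancestors source expression against the framing page's origin."""
    s = src.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return top_origin == framed_origin
    if s.endswith(":") and "/" not in s:          # scheme-source such as https:
        return top_origin.startswith(s + "//")
    if "://" in s:                                # host-source with a scheme
        return origin_of(s) == top_origin
    return urlsplit(top_origin).netloc == s       # bare host (wildcards not modelled)


def may_be_framed(headers: dict, framed_url: str, top_url: str) -> bool:
    """Decide whether a browser renders framed_url inside the page at top_url."""
    lower = {k.lower(): v for k, v in headers.items()}
    framed_origin, top_origin = origin_of(framed_url), origin_of(top_url)

    # 1. A frame-ancestors directive is enforced and X-Frame-Options is ignored
    #    (CSP Level 3). An empty source list means 'none'.
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        return any(_source_matches(s, top_origin, framed_origin) for s in ancestors)

    # 2. Otherwise X-Frame-Options applies. Browsers ignore unrecognised values,
    #    including the obsolete ALLOW-FROM, which leaves the page frameable.
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return top_origin == framed_origin

    # 3. Neither header: anyone may frame the page. This is the clickjackable state.
    return True


def charlie_headers() -> dict:
    """Headers charlie.mil should send: CSP for current browsers, X-Frame-Options
    as the fallback for browsers that do not understand frame-ancestors."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


if __name__ == "__main__":
    target = "https://charlie.mil/launch-missile.html"
    decoy = "https://mallory.example/prize.html"
    print("no headers  :", may_be_framed({}, target, decoy))               # True
    print("hardened    :", may_be_framed(charlie_headers(), target, decoy))  # False
```

Django ships this defence as XFrameOptionsMiddleware, driven by the X_FRAME_OPTIONS setting (its default is DENY in Django 3.0 and later); the CSP header is what to reach for when some other site of Charlie's legitimately needs to frame this page, since frame-ancestors can list specific origins while X-Frame-Options cannot.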

18.1 The X-Frame-Options header

18.1.1 Individualized responses

18.2 The Content-Security-Policy header

18.2.1 X-Frame-Options versus CSP

18.3 Keeping up with Mallory

Summary