Threat of clickjacking

Being a total noob into website security, I received the following email:

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame> or <iframe>. This is a client-side security issue that affects a variety of browsers and platforms.

Steps to reproduce:

1. Create a new HTML file
2. Put the following code inside the file
<html>
<head>
<title>ClickJacking PoC</title>
</head>
ClickJacking PoC
<iframe src=" https://meeting-reminders.com/login " height="450" width="1000"></iframe>
</body>
</html>
3. Save the file
4. Open the document in the browser

Impact:

The victim surfs the attacker’s web page intending to interact with the visible user interface but is inadvertently performing actions on the hidden page. Using the hidden page, an attacker can deceive users into performing actions they never intended to perform through the positioning of the hidden elements in the web page.

The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame> or <iframe>. This is a client-side security issue that affects a variety of browsers and platforms.

Steps to reproduce:

1. Create a new HTML file
2. Put the following code inside the file
<html>
<head>
<title>ClickJacking PoC</title>
</head>
ClickJacking PoC
<iframe src=" https://meeting-reminders.com/login " height="450" width="1000"></iframe>
</body>
</html>
3. Save the file
4. Open the document in the browser

Impact:

The victim surfs the attacker’s web page intending to interact with the visible user interface but is inadvertently performing actions on the hidden page. Using the hidden page, an attacker can deceive users into performing actions they never intended to perform through the positioning of the hidden elements in the web page.

Is the login page vulnerable to this?

3 Replies

kapa.ai•7mo ago

Hi @Ricardo Batista. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave: ---------------------- Based on the knowledge sources provided, there is no specific information about the implementation of the X-Frame-Options HTTP response header in Wasp or its vulnerability to clickjacking attacks. However, one of the knowledge sources mentions the consideration of using the 'helmet' npm package in the node server, which sets some reasonable default HTTPS response headers. The 'helmet' package includes a middleware function to set the X-Frame-Options header, which can help protect your application against clickjacking attacks. For a more definitive answer, I would recommend checking the Wasp documentation or reaching out to the Wasp community for further assistance. Source (https://github.com/wasp-lang/wasp/issues/22) ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ---------------------- Sorry @Ricardo Batista, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?

miho•7mo ago

We'll have to investigate this in details, and we'll write a proper answer here. But, trying out the code they sent, results in Google denying to load. Also, trying to load the /account page in the iframe doesn't work since the localStorage is not shared and thus the session info is not shared. It doesn't seem like a plausible attack vector to me - so no worries - but I'll read more on the issue of clickjacking next week.

Ricardo BatistaOP•7mo ago

thanks a bunch @miho

Gaming

Programming

Threat of clickjacking