Fixing Clickjacking (UI Redress Attack)
Vulnerability assessment details, CWE reference metrics, and complete code-level patches.
Threat Profile
Vulnerability Analysis
Clickjacking loads the target website in a transparent iframe layered over a malicious page. The attacker tricks the user into clicking what appears to be a visible link or button, but the click actually lands on elements of the hidden framed site, which carries the user's authenticated session.
How it is Detected
Identified by checking whether a page's HTTP response lacks framing protection: neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive is present.
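As an added example (not code from the original page), the check described above implemented in Python over constructed header sets: it counts only an enforcing Content-Security-Policy frame-ancestors directive or an X-Frame-Options value of DENY or SAMEORIGIN as protection, and ignores Report-Only policies and the obsolete ALLOW-FROM form.

```python
# Added example: classify a response's framing protection.
# The header sets below are constructed samples, not captured traffic.
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response as 'csp', 'xfo', or 'none' (a clickjacking finding)."""
    # Header names are case-insensitive, so normalise the lookup.
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforcing CSP header counts; Report-Only never blocks framing.
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        # A present directive protects the page; an empty source list is
        # equivalent to 'none', i.e. no framing at all. When CSP frame-ancestors
        # is present, browsers ignore X-Frame-Options, so it takes precedence.
        if sources is not None:
            return "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    # Browsers honour DENY and SAMEORIGIN; ALLOW-FROM is obsolete and ignored
    # by current browsers, so it provides no protection.
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


# Constructed sample responses (hostnames are placeholders).
SAMPLES = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "obsolete-xfo": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def scan(samples: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run the check over every sample and return name -> verdict."""
    return {name: assess_framing_protection(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14} -> {verdict}")
```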
Remediation Guidelines
Send the X-Frame-Options: SAMEORIGIN header, or deploy a Content-Security-Policy header with the frame-ancestors 'self' directive, so that browsers refuse to render the page inside frames on other origins.
Remediation Script (HTTP Headers)
# SECURE REMEDIATION: Prevent iframe nesting
Content-Security-Policy: frame-ancestors 'self';
X-Frame-Options: SAMEORIGIN
Frequently Asked Questions
What is the difference between X-Frame-Options and frame-ancestors?
X-Frame-Options is a legacy header. The Content-Security-Policy 'frame-ancestors' directive is the modern standard, offering more control.
Can Clickjacking bypass MFA?
If an authenticated session is framed, attackers can trick users into confirming requests or changing profile settings, so the MFA prompt itself is not bypassed but the actions taken after it can be hijacked.
Is framing always bad?
No, but it must be explicitly restricted to an allow-list of trusted hostnames using the frame-ancestors directive.