Skip to content

phamtrongthang123/example_clickjacking

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
Content Security Policy (CSP) frame-ancestors directive
Content Security Policy (CSP) frame-ancestors directive
 
 
Defending with X-Frame-Options Response Headers
Defending with X-Frame-Options Response Headers
 
 
attacking
attacking
 
 
framebusting
framebusting
 
 
twitter facebook
twitter facebook
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

Demo clickjacking attacking and defense

Samesite cookies

Cookies with a SameSite attribute of either strict or lax will not be included in requests made to a page within an <iframe>. This means that if the session cookies are marked as SameSite, any Clickjacking attack that requires the victim to be authenticated will not work, as the cookie will not be sent. An article on the Netsparker blog provides further details on which types of requests cookies are sent for with the different SameSite policies.

I couldn't produce an example because it requires authentication or some kind of operation to produce cookies.

X-Frame-Option

I created an example using Express with bonus a false meta example.

CSP

Using Express and helmet could achive the same result as XFO.

Twitter + Facebook

Show that twitter + facebook are also using some methods to prevent clickjacking.

If you want to see how clickjacking attack facebook Like, probably youtube is the way.

Best-for-now Legacy Browser Frame Breaking Script

Using framebusting (frame breaking) to break out iframe of the attack page. Even with work around to attack framebusting, we still prevent attacker use our website through display: none.

Reference

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages