How It Works
Before explaining the issue of clickjacking, it’s important to understand how it works. Web developers build pages with CSS, positioning elements by pixel and stacking them in layers. Layers are the building blocks for elements that lie on the Z axis. The X axis is a line that runs from the left side of the screen to the right. The Y axis runs from the top of the screen to the bottom. Now imagine a line that starts at the monitor and extends towards your face. This is the Z axis.
When a developer lays out a page using CSS, layers can be placed anywhere from the bottom to the top of the Z axis (the CSS z-index property). For instance, an image with a z-index of 2 is drawn on top of an image with a z-index of 1. Elements with lower values sit “behind” elements with higher values. This is how a developer stacks elements on a web page and designs a layout using CSS.
The Clickjacking Setup
Another property available to the developer is opacity, which controls how transparent an element is. Imagine a ghost fading in and out of view. Lower opacity values fade the element out of view, and when opacity reaches 0 it is invisible to the user. The element is still present and still accepts input, though: should a user click an element with an opacity of 0, a click event still occurs even though the user can’t see it. This is the foundation of clickjacking: tricking users into clicking an invisible element.
Now, imagine placing an iframe on a page with opacity set to 0, layered above a visible button. Since the iframe’s opacity is 0, the user cannot see the iframe content that lies over the button. When the user clicks what appears to be the button, the click actually lands on the hidden element inside the iframe, and the event is delivered to the iframe content. This might not seem terribly effective, but the right clickjacking setup can cause several problems for the reader.
Using clickjacking, an attacker was able to distribute malware using Twitter in 2009 (http://shiflett.org/blog/2009/twitter-dont-click-exploit). The Twitter retweet button was hidden over another button that said, “Don’t click me.” The attacker tricked users into clicking the visible button, which really retweeted the URL to a malicious web page. In 2008, Adobe was forced to update its popular Flash software when an attacker used clickjacking to trick users into providing permissions to a computer’s camera and microphone.
Protecting Your Web Pages
Hijacking user clicks allows an attacker to perform numerous attacks on a user who lands on a web page with hidden elements, but the key ingredient in these attacks is the iframe. The iframe contains the hidden content, which is what gets clicked. Website owners can forbid their content from being loaded in an iframe using the X-Frame-Options HTTP response header. This header should be part of your security baseline to protect your users.
You can add the header to every response from your web server, such as IIS or Apache, by configuring custom response headers. Any page that changes user security settings or performs an immediate action from a button click should always have X-Frame-Options configured.
X-Frame-Options has three possible values, so you can still allow content in an iframe if you need it. The three values are:
X-Frame-Options: DENY
- This value disallows the page from loading in an iframe regardless of the domain. If you never want the content in an iframe, this is the value you should set.
X-Frame-Options: SAMEORIGIN
- This value tells the browser that it can load the content in an iframe only if the framing page has the same origin as the framed page. Use this value if you need to place content in an iframe on your own site.
X-Frame-Options: allow-from https://sampledomain.com
- Allow the “sampledomain.com” site to frame your content in an iframe. Use this value if you have a third-party domain that uses your site in an iframe. Note that current browsers do not support allow-from and ignore the header entirely when they see it, so use the Content-Security-Policy frame-ancestors directive for this case instead.
How to Configure X-Frame-Options for IIS
- Navigate to the web.config file (usually at %systemroot%\system32\inetsrv\config)
- Add the following entry inside the <system.webServer> / <httpProtocol> / <customHeaders> element:
<add name="X-Frame-Options" value="SAMEORIGIN" />
How to Configure X-Frame-Options for Apache
- Navigate to /etc/apache2/httpd.conf OR /etc/apache2/apache2.conf
- Make sure mod_headers is enabled, add the following directive, and restart Apache:
Header set X-Frame-Options "DENY"
Alternatively, the Content-Security-Policy response header has a frame-ancestors directive which can work in place of this header in supporting browsers. When both headers are present, a browser that understands frame-ancestors uses it and ignores X-Frame-Options, so the two should agree.
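To see how the three X-Frame-Options values and the frame-ancestors directive interact, here is an added example (not code from the original article) that models the decision a current browser makes when it receives a framed response: given the response headers and the origin of the top-level page, would the frame be shown? It assumes header names are lower-cased, origins are normalised to scheme://host, ports are ignored, and only one level of framing is considered; the origins used in the sample are constructed for the example.

```javascript
// Added example: a model of the browser's "may this response be framed?" decision.
// Assumptions: lower-cased header names, origins of the form scheme://host
// (ports ignored), single-level framing. Not the article's or any browser's code.

// Extract the frame-ancestors source list from a CSP header value, or null if absent.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does a single frame-ancestors source expression match the framing origin?
function sourceMatches(source, frameOrigin, selfOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return frameOrigin === selfOrigin;
  if (s === '*') return true;
  const frame = new URL(frameOrigin);
  // Optional scheme (with or without //), then the host part up to a port or path.
  const [, scheme, host] = /^(?:([a-z][a-z0-9+.-]*):(?:\/\/)?)?([^/:]*)/.exec(s);
  if (scheme && scheme + ':' !== frame.protocol) return false;
  if (!host) return Boolean(scheme);            // scheme-only source such as "https:"
  if (host.startsWith('*.')) {                  // wildcard host: any subdomain, not the bare domain
    const suffix = host.slice(1);               // ".partner.example"
    return frame.hostname.endsWith(suffix) && frame.hostname.length > suffix.length;
  }
  return host === frame.hostname;
}

// Decide whether a response carrying these headers may be framed by frameOrigin.
// Returns { allowed, reason } so the outcome can be logged or asserted on.
function framingAllowed(headers, frameOrigin, selfOrigin) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    // When both headers are present, frame-ancestors wins and X-Frame-Options is ignored.
    const allowed = ancestors.some(src => sourceMatches(src, frameOrigin, selfOrigin));
    return { allowed, reason: 'csp frame-ancestors' };
  }
  const xfo = headers['x-frame-options'];
  if (xfo === undefined) return { allowed: true, reason: 'no framing policy' };
  const value = xfo.trim().toUpperCase();
  if (value === 'DENY') return { allowed: false, reason: 'x-frame-options DENY' };
  if (value === 'SAMEORIGIN') {
    return { allowed: frameOrigin === selfOrigin, reason: 'x-frame-options SAMEORIGIN' };
  }
  // ALLOW-FROM and any other unrecognised value are not understood by current browsers,
  // which drop the header entirely, leaving the page framable by any origin.
  return { allowed: true, reason: 'x-frame-options value ignored: ' + value };
}

// Constructed sample: the Apache setting from the article, checked against a foreign origin.
const SELF = 'https://app.example';
console.log(framingAllowed({ 'x-frame-options': 'DENY' }, 'https://attacker.example', SELF));
console.log(framingAllowed({ 'x-frame-options': 'ALLOW-FROM https://partner.example' },
                           'https://attacker.example', SELF));
```

Running it shows the practical difference between the values: DENY blocks the foreign origin, while ALLOW-FROM is silently dropped and the page becomes framable by anyone, which is why the frame-ancestors directive is the right tool when a specific third party must be allowed.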
Organizations choose a Pen Testing company based on who has the best marketing material and smoothest salespeople. Obviously they do not realize they are doing it! Most of my career has been spent working at various web application penetration testing companies. So that is the focus of this rant.
After conducting web and mobile application penetration tests for years and billing for my insight, it seemed high time to give a bit of advice for free. Other Pen Testing companies are going to hate me for giving you this information, unless they are actually a solid firm.
First of all, and this may be obvious, salespeople are NOT your friends. Legitimate companies promote their own people over the years, and the managers and most senior pen testers end up doing sales. If there is not an SME on the call… hang up.
Before signing anything ask questions and try to trip them up! Come armed with questions and see the depth of their knowledge! Remember, they are likely bringing their best to impress you.
Basic Web App Assessment Questions
- There has been a lot of talk about SSI (server-side include) injection we are wondering how you check for these issues and if you see them very often, how serious are they?
- XXE (XML External Entity) is another area of concern for our developers. Could you tell us a bit more about this potential threat and maybe describe how such a vulnerability could impact our web application?
Web application penetration testing companies use the OWASP (Open Web Application Security Project) checklist, and we all check for the same issues over and over on every web app assessment. Therefore, any senior web application penetration tester will be able to answer basic questions such as these with little to no hesitation. However, if, like many pop-up Pen Testing companies, they are noobs and cannot answer basic questions… run! Legit web app pen testers will provide your company with more value than their slicked-back haircut will.
Web App Testing Certifications
Certifications are great for penetration testers getting into the industry and to some extent show an individual is at least halfway competent, depending on the web app Pen Testing certificate. Though to be honest, most of the best pen testers have no degree or certifications. Think back to high-school and the “passion” many people had. Those were the days. Haha.
GWAPT (GIAC Web Application Penetration Tester)
This certification is, as of writing, still the most well-known web application Pen Testing certification. Those of us that have been doing app testing for very long have either taken the course and the test or unofficially done so via coworkers. This is very basic material; ANYONE can pass this course. It does not mean much, just that their company was willing to spend a few grand.
OSWE (Offensive Security Web Expert)
An individual with this cert is probably a legitimate web application penetration tester. However, this mostly means the Pen Testing company they work for was more willing to pay for the course than an individual without it. As stated previously, most of the HIGHLY skilled testers have no certifications because they were not needed (or in some cases did not exist) when we started. Why spend thousands of dollars on certifications if we do not need to?
University / College Degree
Meh, this means very little and may even be a negative (joking). Brace yourself, here comes a very controversial thought: if they cannot hack the system, how can you expect them to hack the planet? Again, somewhat joking, but honestly my colleagues teach and write the college curriculum. Have you ever hired someone fresh out of college? You know what I mean.
Whatever pen testing company you hire, you are giving total control and access to everything. Think about that. If your application is important enough to conduct a web application assessment, then you certainly want to make sure you are not hiring criminals posing as a security firm. For example, here in America computer crimes are not tolerated and ethical hackers make too good of a living pen testing web applications to risk incarceration. Risk vs reward.
When vetting web app pen testing companies:
- Ask questions.
- If they act like a politician and avoid answering the question, they do not know the answer. Run!
- Certifications are helpful, but these are just to help pen testers get their foot in the door when starting out. Sufficiently senior pen testers often do not have them.
- Four-year degree equivalent to six (6) months of experience?
- Offensive security might have made me a bit paranoid, but personally I’d never hire a pen testing company that couldn’t be arrested if they turned out to be criminals.