How to Prevent Clickjacking on Magento?

Updated on: May 19, 2020

Clickjacking, a.k.a. UI Redress Attack, is an attack that tricks a user into clicking on actionable content that is invisible or different from what the user expects to see. This can result in theft of confidential information, redirection to a malicious website, extortion of money, fraudulent online purchases, or coercing the user into downloading malware.

In many cases, the user does not realize that their clicks are doing more than they intend. Just by clicking, they open up their Magento website to a number of vulnerabilities. Clickjacking has affected scores of Magento websites to date. In this blog post, we will explain how the Clickjacking attack works, and towards the end of the post you will also learn how to prevent clickjacking on Magento.

Figure: Clickjacking (Source: PortSwigger)

How Does Clickjacking Affect Magento?

Clickjacking uses the iFrame as its attack vector. The attacker usually wraps a page that the user trusts in an iFrame for deception, and then renders invisible elements containing malicious links on top of that frame. Vulnerability-Lab disclosed a Clickjacking web vulnerability located in the products/customer/account module of the Magento e-commerce site.

Through Clickjacking, an attacker can abuse remote Magento URLs to perform malicious client-side injection or to phish users’ account credentials. For a better understanding, let’s take a deep dive into how exactly a Clickjacking attack works:

  • The attacker creates a page that attracts users with mouthwatering deals
  • The attacker hides the malicious link in the transparent iFrame above the tempting link/button
  • Subsequently, the users visit the web page and click on the provided link
  • In reality, the users click on the invisible iFrame and the attacker achieves their goal
  • The user is redirected to another page or website without ever knowing what actually happened in the background
Figure: How does Clickjacking work? (Source: Imperva)

Here’s some sample code:

<!doctype html>
<html>
<head>
  <meta charset="UTF-8">
  <style>
    /* The iframe holds the page from the victim site. It is made fully
       transparent and stacked above the visible button, so a click that
       appears to hit the button actually lands on the framed page. */
    iframe {
      width: 400px;
      height: 100px;
      position: absolute;
      top: 0; left: -20px;
      opacity: 0;
      z-index: 1;
    }
  </style>
</head>

<body>
  <div>Click to get rich now:</div>

  <!-- "victim site URL" is a placeholder for the framed page -->
  <iframe src="victim site URL"></iframe>

  <button>Click here!</button>
</body>
</html>

In this example, the attacker has positioned the invisible iFrame directly over the visible button, so as soon as the user clicks the button, the click actually lands on the framed page.

How to Prevent Clickjacking on Magento?

The majority of Clickjacking web vulnerabilities are exploited by framing the target web page in an iFrame, so preventing the page from being rendered in an iFrame is the ideal way to stop Clickjacking. Clickjacking attacks also succeed because of the lack of best practices and web standards in browser-side behavior, which is why client-side defenses such as frame busting are used. However, an attacker can still bypass client-side protections easily, so you should focus on server-side protection to prevent Clickjacking attacks on Magento. Server-side protection consists of the X-Frame-Options and Content-Security-Policy headers, which are sent as HTTP response headers to instruct the browser directly.

1. X-Frame-Options

X-Frame-Options is a header that was created specifically to prevent clickjacking. It tells the browser whether or not it may render the page in a <frame>, <iframe> or <object>. You can set any of the following values depending on your requirement:

DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN (the default Magento setting): The page can be displayed in a frame only by pages from the same origin as the page itself.

ALLOW-FROM uri: The page can be displayed in a frame only by the specified origin. Note that current browsers no longer support ALLOW-FROM and ignore the header when it carries this value; when a page must be framed by specific other origins, use the Content-Security-Policy frame-ancestors directive described below instead.

It should be noted that Magento provides the option to include the X-Frame-Options header in HTTP responses to requests for your storefront, in order to help protect against clickjacking attacks.

X-Frame-Options can be implemented in Magento by setting its value in <magento_root>/app/etc/env.php.

The default value is:

'x-frame-options' => 'SAMEORIGIN',

This value can be changed. For instance, if you want to allow any website to load a page, you can set it to *:

'x-frame-options' => '*',

Note that * is not one of the header’s defined values; browsers ignore an X-Frame-Options header they cannot parse, so this setting effectively removes the framing restriction and is not recommended for a production store. You can also verify whether you have implemented X-Frame-Options correctly. There are various ways to do this, including a web browser’s developer tools and a curl command.

2. Content-Security-Policy

Content-Security-Policy is one of the HTTP security headers. It was developed mainly to prevent XSS and other injection attacks, but it also lets you whitelist the domains that may embed the page in a frame, which is why it is also used to protect against clickjacking attacks. You can generate a CSP value with a CSP config generator and include it in your web server’s configuration file; for Apache, you can add it in the .htaccess file. The syntax is simple:

Content-Security-Policy: frame-ancestors <source1> <source2> ... <sourceN>;

To allow the page to be displayed in a frame only by pages from the same origin as the page itself, set the value to 'self'. To disallow embedding entirely, set the value to 'none'. You can also allow the page to be framed by pages from other origins by listing their domains.
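To verify the X-Frame-Options setting and the frame-ancestors directive described in the two sections above, here is an added example in POSIX shell (not code from the original post or from Magento): it reads the raw response headers produced by curl on stdin and reports whether the page is protected from being framed by other sites. The store URL in the comment is a placeholder, and the demo response at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not code from the original post or from Magento): check which
# anti-framing policy an HTTP response actually carries. Pipe raw response
# headers in, e.g.  curl -sI https://your-store.example/ | check_framing_headers
# (the store URL is a placeholder). Exit status 0 means the page cannot be
# framed by other sites; 1 means it can, i.e. it is exposed to clickjacking.

check_framing_headers() {
    # Header names and these values are case-insensitive: lower-case all, drop CRs.
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    xfo=$(printf '%s\n' "$headers" \
        | sed -n 's/^x-frame-options:[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1)
    fa=$(printf '%s\n' "$headers" \
        | sed -n 's/^content-security-policy:.*frame-ancestors[[:space:]]*\([^;]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//' | head -n 1)

    # CSP frame-ancestors takes precedence over X-Frame-Options when both are sent.
    if [ -n "$fa" ]; then
        case " $fa " in
            *" * "*) echo "FAIL: frame-ancestors permits any origin ($fa)"; return 1 ;;
        esac
        echo "OK: frame-ancestors restricts framing to: $fa"
        return 0
    fi

    case "$xfo" in
        deny|sameorigin) echo "OK: X-Frame-Options $xfo"; return 0 ;;
        "")              echo "FAIL: no X-Frame-Options or frame-ancestors header"; return 1 ;;
        allow-from*)     echo "FAIL: ALLOW-FROM is ignored by current browsers ($xfo)"; return 1 ;;
        *)               echo "FAIL: invalid X-Frame-Options value '$xfo' is ignored by browsers"; return 1 ;;
    esac
}

# Demo on a constructed response (no network needed); prints the verdict.
printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n' | check_framing_headers
```

Run it against a real store with the curl pipeline from the comment; a FAIL on a page that should never be framed means the env.php or CSP change has not reached the responses the browser sees.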

Conclusion

Clickjacking is a years-old attack that attackers still use to exploit vulnerabilities in Magento websites. You need to understand the various security loopholes in your website in order to take the extra measures necessary to prevent Clickjacking on your Magento website. The official Magento website also offers various defense methods to secure your site.

Attackers are always one step ahead, so it’s better to have layered security in place. Hence, you should opt for a complete security suite that provides advanced security features such as a firewall, malware scanner, malware removal, and more.

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.