Prestashop Security

How to Prevent Clickjacking in PrestaShop?

Published on: May 29, 2020

How to Prevent Clickjacking in PrestaShop?

Article Summary

Prestashop versions up to 1.7.2.5 are vulnerable to the clickjacking attack. Thousands of PrestaShop users are vulnerable to clickjacking and are unaware of the risk. Read this article to know how you can prevent clickjacking in Prestashop.

Clickjacking defines the act of ‘hijacking’ website clicks. This attack is carried out by tricking the web user to click a button or picture which they didn’t intend to click. This can result in unwanted downloads, visits to malicious webpages, a revelation of confidential information, and many more.

Attackers hide links on invisible pages or HTML elements inside an iframe and put it on the top of the visible page. This makes the users feel that they are clicking on a legitimate link on the visible page. However, they are actually clicking on an invisible element transposed on the page. So, this form of the attack is also called UI redressing.

How Clickjacking Occurs in Prestashop?

Prestashop versions up to 1.7.2.5 are vulnerable to the Clickjacking attack. Prestashop framework was not preventing malicious UI-redressing or Clickjacking attacks by default. Thousands of PrestaShop users were vulnerable to Clickjacking. Some are still unaware of the risk.

Before we discuss ways to prevent Clickjacking in Prestashop, here’s an image that rightly depicts Clickjacking on a website:

clickjacking in Prestashop
How clickjacking occurs? (Source: Imperva)

Clickjacking attacks are subtle and hard-to-detect. Prevention is easier than cure. In this article, we discuss the different ways with which you can prevent Clickjacking in PrestaShop and save your customers from fraudsters.

How to Prevent Clickjacking in PrestaShop?

There are two methods of prevention of Clickjacking in Prestashop- browser-side preventive measures and server-side prevention.

Browser-Side Preventive Measures

Clickjacking is a browser-side behavior. So, the preventive measures depend upon browser functionality and conformity to prevailing web standards. A common browser-side method to prevent Clickjacking in Prestashop is to use frame busting or frame-breaking scripts.

1. Frame busting

A framebuster is a piece of JavaScript code that prevents a web page from being rendered within a frame. The frame buster code performs the following actions:

  • It checks if the current window is the top window or not.
  • Makes all the frames visible.
  • It prevents users from clicking on invisible frames.

According to the OWASP community, the most reliable framebuster is:

<head>
<style> body { display : none;} </style>
</head>
<body>
<script>
if (self == top) {
 var theBody = document.getElementsByTagName('body')[0];
 theBody.style.display = "block";
} else {
 top.location = self.location;
}
</script>

However, this method of protection against Clickjacking can be easily bypassed by the attacker. Hence, it’s a, rather, weak prevention method.

2. One-time URLa

A simple way to prevent Clickjacking in Prestashop is by using one-time URLs. A hacker needs only 2 things to plan a Clickjacking attack- your target URL and click area. One-time URLs for important pages will make it difficult to execute a Clickjacking attack. This is done by including a one-time code to your URLs.

Server-side Prevention

Server-side protection against Clickjacking is provided by defining and communicating constraints over the use of components such as iframes.

1. Xframes

Xframes was developed as a response header against clickjacking. It essentially provides the website owner more control over the use of objects such as frames, iframes, and more.

Xframes provides the following options:

  • DENY: Denying permission to put the webpage into the frame
  • SAMEORIGIN (default): Permission only to pages from the same origin as the webpage.
  • ALLOW-FROM *url*: Display permission to webpages from specified sources.

Xframes in itself is not enough to prevent clickjacking in Prestashop because this feature is not consistently implemented in all browsers. However, it does provide considerable insurance against an attack if implemented properly in conjunction with Content Security Policy.

2. Content Security Policy

Content Security Policy(CSP) was developed to effectively mitigate attacks like XSS and Clickjacking attacks. The CSP gives the browser information about permitted web sources and thereby allowing proper detection and mitigation of malicious content. Content Security Policy can be added to the HTTP header using my CSP config generator and included in a server configuration file of your webserver.

Conclusion

There is no 100% efficient way to prevent clickjacking in Prestashop. Having an active multi-layer security strategy in place gives the best chance against cyberattacks. Thus, security engineers at Astra have developed an all-round security plan for Prestashop websites. The plan includes a rock-solid firewall, malware scanning, GDPR compliance, vulnerability assessment, and more.

Astra security
Astra Security

Along with these, 24X7 human support is also provided to solve all security woes. To know more, get in touch with the experts today!

Don’t take our words for it. See it for yourself!

Peek inside Astra

Was this post helpful?

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include firewall, malware scanner and security audits to protect your site from the
evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany