How to Prevent Clickjacking in PrestaShop?

Published on: May 29, 2020

Article Summary

Prestashop versions up to 1.7.2.5 are vulnerable to the clickjacking attack. Thousands of PrestaShop users are vulnerable to clickjacking and are unaware of the risk. Read this article to know how you can prevent clickjacking in Prestashop.

Clickjacking is the act of ‘hijacking’ a user’s clicks on a website. The attacker tricks the user into clicking a button or picture they did not intend to click. The result can be an unwanted download, a visit to a malicious web page, disclosure of confidential information, and more.

Attackers hide links on invisible pages or HTML elements inside an iframe and place it on top of the visible page. Users believe they are clicking a legitimate link on the visible page, when they are actually clicking an invisible element superimposed on it. For this reason the attack is also called UI redressing.

How Does Clickjacking Occur in PrestaShop?

PrestaShop versions up to 1.7.2.5 are vulnerable to the clickjacking attack: the framework did not prevent UI-redressing or clickjacking attacks by default. Thousands of PrestaShop users were vulnerable to clickjacking, and some are still unaware of the risk.

Before we discuss ways to prevent clickjacking in PrestaShop, here is an image that depicts clickjacking on a website:

[Image: How clickjacking occurs (Source: Imperva)]

Clickjacking attacks are subtle and hard to detect, so prevention is easier than cure. In this article we discuss the different ways in which you can prevent clickjacking in PrestaShop and protect your customers from fraudsters.

How to Prevent Clickjacking in PrestaShop?

There are two approaches to preventing clickjacking in PrestaShop: browser-side preventive measures and server-side prevention.

Browser-Side Preventive Measures

Clickjacking is a browser-side behaviour, so the preventive measures depend on browser functionality and conformance to prevailing web standards. A common browser-side method to prevent clickjacking in PrestaShop is to use frame-busting (frame-breaking) scripts.

1. Frame busting

A framebuster is a piece of JavaScript code that prevents a web page from being rendered within a frame. The frame buster code performs the following actions:

  • It checks whether the current window is the top window.
  • It makes all the frames visible.
  • It prevents users from clicking on invisible frames.

According to the OWASP community, the most reliable framebuster is:

<head>
  <!-- Hide the page until the script below confirms it is not inside a frame -->
  <style> body { display : none; } </style>
</head>
<body>
<script>
  if (self == top) {
    // Not framed: reveal the page body
    var theBody = document.getElementsByTagName('body')[0];
    theBody.style.display = "block";
  } else {
    // Framed: break out by navigating the top window to this page
    top.location = self.location;
  }
</script>
</body>

However, this protection can be easily bypassed by an attacker, so it is a rather weak prevention method.

2. One-time URLs

A simple way to prevent clickjacking in PrestaShop is to use one-time URLs. An attacker needs only two things to plan a clickjacking attack: your target URL and the click area. One-time URLs for important pages make it difficult to execute a clickjacking attack. This is done by including a one-time code in your URLs.

Server-side Prevention

Server-side protection against Clickjacking is provided by defining and communicating constraints over the use of components such as iframes.

1. Xframes

Xframes (the X-Frame-Options response header) was developed as a response header against clickjacking. It gives the website owner more control over the use of objects such as frames and iframes.

Xframes provides the following options:

  • DENY: the page may not be displayed in any frame.
  • SAMEORIGIN (default): the page may be framed only by pages from the same origin.
  • ALLOW-FROM *url*: the page may be framed only by pages from the specified source.

Xframes by itself is not enough to prevent clickjacking in PrestaShop because the feature is not consistently implemented in all browsers. However, it does provide considerable protection against an attack when implemented properly in conjunction with Content Security Policy.

2. Content Security Policy

Content Security Policy (CSP) was developed to mitigate attacks such as XSS and clickjacking. CSP gives the browser information about permitted web sources, which allows it to detect and block malicious content. A Content Security Policy can be generated with my CSP config generator, added as an HTTP header and included in the configuration file of your web server.
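As an added example (not code from this article, from PrestaShop or from Astra), the following Python models how a browser applies the two server-side headers described above, X-Frame-Options and the CSP frame-ancestors directive: a frame-ancestors directive, when present, takes precedence over X-Frame-Options, and ALLOW-FROM is obsolete and ignored by current browsers, which leaves a shop that relies on it framable. The header sets and origins are constructed for illustration, and the CSP source matching is simplified.

```python
from urllib.parse import urlsplit

def origin_parts(origin):
    """Split 'https://host[:port]' into (scheme, host, effective port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or {"http": 80, "https": 443}.get(scheme)

def host_source_matches(source, scheme, host, port):
    """Simplified CSP host-source match: [scheme://]host[:port]; host may begin with '*.'."""
    src_scheme, _, rest = source.rpartition("://")
    if src_scheme and src_scheme != scheme:
        return False
    src_host, _, src_port = rest.partition(":")
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])  # '*.shop.example' matches every subdomain
    return host == src_host

def framing_allowed(headers, page_origin, framer_origin):
    """Model the browser decision: may a document at framer_origin embed page_origin?"""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host, port = origin_parts(framer_origin)
    same_origin = origin_parts(page_origin) == (scheme, host, port)
    # A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        for src in (s.strip("'") for s in value.lower().split()):
            if src == "none":
                return False
            if src == "self" and same_origin:
                return True
            if src != "self" and host_source_matches(src, scheme, host, port):
                return True
        return False  # a frame-ancestors list that matched nothing blocks the framer
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    # ALLOW-FROM is obsolete and ignored by current browsers; with it, or with no header at all, any site may frame the page.
    return True

# Constructed sample header sets (not captured from a real shop)
WEAK = {"X-Frame-Options": "ALLOW-FROM https://partner.example"}
HARDENED = {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.shop.example"}
```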

Conclusion

There is no 100% efficient way to prevent clickjacking in Prestashop. Having an active multi-layer security strategy in place gives the best chance against cyberattacks. Thus, security engineers at Astra have developed an all-round security plan for Prestashop websites. The plan includes a rock-solid firewall, malware scanning, GDPR compliance, vulnerability assessment, and more.

Along with these, 24X7 human support is also provided to solve all security woes. To know more, get in touch with the experts today!

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.