Input Validation / Clickjacking (UI Redressing)
Description
Clickjacking (UI redressing) is an attack in which the attacker stacks transparent or opaque layers over a page so that a user who believes they are clicking a button or link on the visible top-level page actually clicks on an element of a different page hidden underneath. The attack can trigger any action the user is authorised to perform on the targeted page. The Common Weakness Enumeration (CWE) categorises this weakness under input validation. The OWASP Testing Guide provides detailed guidance on testing for and mitigating clickjacking.
Risk
Clickjacking can be used to perform unauthorized actions on the victim's behalf, such as deleting data, transferring funds, or changing settings. The risk of this vulnerability is very high: it can compromise the confidentiality, integrity, and availability of data.
Solution
To protect against clickjacking, validate all user input, ensure that web pages are framed only where intended, and set the X-Frame-Options HTTP header so that browsers refuse to render the page inside a frame served from another domain. Additionally, a Content Security Policy can prevent clickjacking by restricting which sites are allowed to embed the page in iframes, frames, and related elements.
Example
The following code shows how to set the X-Frame-Options header to DENY on every response in a web application built with the Python Flask framework:

```python
from flask import Flask

app = Flask(__name__)

@app.after_request
def set_x_frame_options_deny(response):
    # Tell browsers never to render this response inside a frame or iframe.
    response.headers['X-Frame-Options'] = 'DENY'
    return response
```
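The Flask snippet above only sets the legacy header. As an added example that is not part of the original page, the following standard-library Python builds both anti-framing headers the Solution section describes (X-Frame-Options plus a Content Security Policy `frame-ancestors` directive), evaluates a response the way a current browser would (frame-ancestors takes precedence over X-Frame-Options when both are present, and an unrecognised X-Frame-Options value is ignored), and audits a response for missing protection. The function names, the `app.example`, `partner.example` and `evil.test` URLs, and the sample header sets are all constructed for this example.

```python
"""Added example (not from the original page): build the anti-framing
response headers described above and audit a response the way a browser
would evaluate it. Standard library only; every URL here is constructed."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def anti_framing_headers(allowed_ancestors=None) -> dict:
    """Headers that stop other sites from framing a page.

    allowed_ancestors is None (nobody may frame the page) or a list of CSP
    sources such as ["'self'", "https://partner.example"].  Both headers are
    emitted: frame-ancestors for current browsers, X-Frame-Options for older
    ones.  X-Frame-Options has no working allow-list syntax, so legacy
    browsers only ever get DENY or SAMEORIGIN.
    """
    if not allowed_ancestors:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy":
                "frame-ancestors " + " ".join(allowed_ancestors)}


def parse_frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def framing_allowed(headers: dict, page_url: str, embedder_url: str) -> bool:
    """Would a current browser let embedder_url frame page_url?

    frame-ancestors takes precedence when present; otherwise X-Frame-Options
    applies.  A missing or unrecognised X-Frame-Options value (for example
    the obsolete ALLOW-FROM form) is ignored by browsers, i.e. no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if "'none'" in ancestors:
            return False
        host = urlsplit(embedder).netloc
        for src in ancestors:
            if src == "'self'" and embedder == page:
                return True
            if src == "*" or src == embedder or src == host:
                return True
            if src.startswith("*.") and host.endswith(src[1:]):
                return True
        return False
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True


def audit(headers: dict) -> list:
    """Findings for a response whose anti-framing headers are weak or absent."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if parse_frame_ancestors(h.get("content-security-policy", "")) is None:
        findings.append("no CSP frame-ancestors directive")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    return findings


if __name__ == "__main__":
    # Constructed sample: a settings page and a hostile embedding site.
    page, attacker = "https://app.example/settings", "https://evil.test/"
    samples = [("no headers", {}),
               ("obsolete ALLOW-FROM",
                {"X-Frame-Options": "ALLOW-FROM https://p.example"}),
               ("hardened", anti_framing_headers())]
    for name, hdrs in samples:
        print(f"{name:20} framable by attacker: "
              f"{framing_allowed(hdrs, page, attacker)}  findings: {audit(hdrs)}")
```

Run as a script it prints, for each constructed header set, whether the hostile site could frame the page and what the audit reports; the "obsolete ALLOW-FROM" case is the one practitioners most often get wrong, since the header looks present but gives no protection. The same `audit` function can be pointed at headers captured from a real deployment to flag pages that still lack both protections.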