
Closes issue #1577 #1605

Closed

Conversation

caffeine-rohit
Contributor

This pull request closes #1577. I updated the Clickjacking Cheat Sheet by adding all the necessary information regarding double-click jacking. Please let me know if any further improvements are required, otherwise feel free to merge it as soon as possible.

@kwwall
Collaborator

kwwall commented Feb 1, 2025

@caffeine-rohit - Please do not combine commits related to different issues and different cheat sheets into a single PR. Please make these 2 commits into separate PRs as they address 2 different issues. Thanks!


@kwwall kwwall left a comment


I am not a Windows dev, but these changes look fine to me.

OTOH, please remove this commit from PR #1605 (because these changes have nothing to do with GitHub issue #1577) and move it to a separate PR. Thanks.


## Introduction

This cheat sheet is intended to provide guidance for developers on how to defend against [Clickjacking](https://owasp.org/www-community/attacks/Clickjacking), also known as UI redress attacks.
This cheat sheet is intended to provide guidance for developers on how to defend against [Clickjacking](https://owasp.org/www-community/attacks/Clickjacking), also known as UI redress attacks and Double Click Jacking.
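Review bot: the new wording "also known as UI redress attacks and Double Click Jacking" presents DoubleClickjacking as another name for Clickjacking, while the Yibelo excerpt quoted later in this review calls it "a new variation on this classic theme", i.e. a distinct variant with its own defenses. Suggest: "...defend against Clickjacking, also known as UI redress attacks, and against its recent variant, DoubleClickjacking."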

Should be "Double Clickjacking", not "Double Click Jacking".

Also, let's give credit where credit is due, shall we, and link the "Double Clickjacking" to Yibelo's blog post at https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html?m=1.

Comment on lines +339 to +343
<script>
if (self !== top) {
top.location = self.location;
}
</script>
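Review bot: `top.location = self.location` is the minimal frame-buster, and the cheat sheet's own "best-for-now legacy browser frame breaking script" section linked in this review exists precisely because this form is insufficient for classic Clickjacking; more importantly, the Yibelo excerpt quoted in this review says DoubleClickjacking bypasses X-Frame-Options and frame-ancestors, so the attack does not depend on framing the target at all and no frame-busting script addresses it. Suggest dropping the snippet, or stating explicitly that frame-busting does not apply to this variant and linking the existing section rather than re-listing a weaker script. Style: in the .md file the snippet should be a fenced code block so it renders as code.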

@kwwall kwwall Feb 1, 2025


I am not a JavaScript expert by any means, but it's my understanding that this simple script is not even enough to mitigate simple Clickjacking, so why do you think this would be effective against Double Clickjacking?

The currently suggested script is way more complex. That's why I suggested you refer to it as part of my reply in OWASP Slack. This is what we currently recommend for simple Clickjacking frame breaking techniques:
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html#best-for-now-legacy-browser-frame-breaking-script

Can you explain why this wouldn't work? (If I had to guess--I've not tested it--I think that it would.) But I don't think the trivial script above is likely to be effective for the same reasons it's been found ineffective for simple Clickjacking attacks.

In fact Yibelo suggests this as framebusting script:

    // On devices with a real pointer, disable all form submit controls at load
    // and re-enable them only after the first mouse movement or Tab keypress.
    (function () {
        if (window.matchMedia && window.matchMedia("(hover: hover)").matches) {
            var buttons = document.querySelectorAll('form button, form input[type="submit"]');
            buttons.forEach(button => button.disabled = true);

            function enableButtons() {
                buttons.forEach(button => button.disabled = false);
            }

            document.addEventListener("mousemove", enableButtons);
            document.addEventListener("keydown", e => {
                if (e.key === "Tab") enableButtons();
            });
        }
    })();

I for one have no idea how this works, but I would tend to put more faith in this than the simple JavaScript you have proposed.
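The gating that Yibelo's script relies on, isolated so it can be run and tested outside a browser. This is an added example by the editor, not code from the PR, the cheat sheet or Yibelo's post; the document-like stand-in, `installDoubleClickGuard` and `clickWouldSucceed` are the editor's own names.

```javascript
// Added example (editor's own code): keep submit controls disabled until a
// genuine pointer or keyboard interaction, written as a factory over a
// document-like object. In a page you would call
// installDoubleClickGuard(window.document, window.matchMedia).
function installDoubleClickGuard(doc, matchMedia) {
  // Touch-only devices never match (hover: hover); do nothing there.
  if (!matchMedia || !matchMedia("(hover: hover)").matches) return null;
  const buttons = Array.from(doc.querySelectorAll('form button, form input[type="submit"]'));
  buttons.forEach((b) => { b.disabled = true; });

  function enableButtons() {
    buttons.forEach((b) => { b.disabled = false; });
    // One genuine interaction is enough; drop both listeners afterwards.
    doc.removeEventListener("mousemove", enableButtons);
    doc.removeEventListener("keydown", onKeydown);
  }
  function onKeydown(e) { if (e.key === "Tab") enableButtons(); }

  doc.addEventListener("mousemove", enableButtons);
  doc.addEventListener("keydown", onKeydown);
  return { buttons, enableButtons };
}

// Minimal stand-in for a DOM document, constructed for this example only.
function makeFakeDocument(buttonCount) {
  const listeners = {};
  const buttons = Array.from({ length: buttonCount }, () => ({ disabled: false }));
  return {
    buttons,
    querySelectorAll: () => buttons,
    addEventListener: (type, fn) => { (listeners[type] = listeners[type] || []).push(fn); },
    removeEventListener: (type, fn) => {
      listeners[type] = (listeners[type] || []).filter((f) => f !== fn);
    },
    dispatch: (type, event) => { (listeners[type] || []).slice().forEach((fn) => fn(event)); },
    listenerCount: (type) => (listeners[type] || []).length,
  };
}

// Would a click delivered right now reach an enabled submit button?
// moveFirst=false models a click that arrives with no prior pointer movement
// on this page; moveFirst=true models an ordinary visit.
function clickWouldSucceed(moveFirst) {
  const doc = makeFakeDocument(2);
  installDoubleClickGuard(doc, () => ({ matches: true }));
  if (moveFirst) doc.dispatch("mousemove", {});
  return doc.buttons.every((b) => !b.disabled);
}
```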

Comment on lines +351 to +377
### 2. X-Frame-Options Header

Use the X-Frame-Options HTTP header to restrict iframe embedding:

X-Frame-Options: DENY

Alternatively, allow only trusted domains:

X-Frame-Options: SAMEORIGIN

#### Limitations:

Some browsers do not support X-Frame-Options.

Attackers can still use UI redressing techniques to manipulate users into clicking unintended elements.

### 3. Content Security Policy (CSP) Frame-Ancestors

Use CSP to control which domains can embed your site:

Content-Security-Policy: frame-ancestors 'self' https://trusted.example.com;

#### Limitations:

CSP-based protections only work when enforced properly and do not protect against all forms of Clickjacking.

Attackers can still use overlays or timing-based click manipulation to deceive users.
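Review bot: "Alternatively, allow only trusted domains: X-Frame-Options: SAMEORIGIN" is incorrect; SAMEORIGIN permits framing only by the same origin, and naming trusted third-party origins is what the CSP frame-ancestors directive in section 3 is for. Beyond that, the Yibelo excerpt quoted in this review states that both X-Frame-Options and frame-ancestors are bypassed by DoubleClickjacking, so listing them as defenses against it is contradictory; if these sections stay at all, say that the headers remain required against classic Clickjacking but do not stop this variant, and replace the vague "Some browsers do not support X-Frame-Options" limitation with that statement.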

Did you not read Yibelo's post that I linked to in issue #1577? There Yibelo states (emphasis mine):

DoubleClickjacking is a new variation on this classic theme: instead of relying on a single click, it takes advantage of a double-click sequence. While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header, CSP's frame-ancestors and SameSite: Lax/Strict cookies. This technique seemingly affects almost every website, leading to account takeovers on many major platforms.

It is pointless to mention these as defenses if they are ineffective for Double Clickjacking. In addition, they are already thoroughly discussed in the original simple Clickjacking defense. So, IMO, this adds zero value and is in fact detrimental as it is misleading. Please delete it.

Comment on lines +384 to +393
<button onclick="confirmAction()">Submit</button>
<script>
function confirmAction() {
if (!this.clickedOnce) {
this.clickedOnce = true;
alert('Click again to confirm action.');
} else {
// Proceed with the action
}
}
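Review bot: `confirmAction()` is called from the inline `onclick` with no receiver, so inside it `this` is `window` (or `undefined` under strict mode, which would throw on `this.clickedOnce`); `clickedOnce` therefore becomes one global flag shared by every button on the page, and nothing ever resets it, so after a single click anywhere the next click on any button proceeds immediately. Pass the element explicitly (`onclick="confirmAction(this)"`) or attach the handler with `addEventListener` and keep the state on the element, and have the confirmation name the action being confirmed rather than a bare "Click again".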

@jmanico @mackowski @szh - JavaScript is not my forte. In fact, I only learned enough of it to create some very simple PoC exploits, so I am not qualified to review this. If I were, I would have submitted a PR myself.

Comment on lines +406 to +412
Highlighting clicked elements.

Requiring explicit user confirmation through modal dialogs.

Disabling buttons for a short time after the first click to prevent rapid unintended actions.

Implementing progressive disclosure, where critical actions require an additional confirmation step.

Make these bullet items.


Double Clickjacking is a sophisticated attack that leverages multiple user interactions to bypass traditional Clickjacking defenses. Implementing a combination of X-Frame-Options, Content-Security-Policy, JavaScript-based frame-busting techniques, UI feedback mechanisms, and real-time user behavior analysis can help mitigate this risk effectively. Organizations should adopt a layered security approach to protect against evolving threats and continuously assess the effectiveness of their Clickjacking defenses.

### For a more in-depth understanding of double-click jacking and its implications, you can refer to the following articles:
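Review bot: the conclusion credits X-Frame-Options, Content-Security-Policy and frame-busting with helping to mitigate this risk, which contradicts the Yibelo excerpt quoted in this review and the request above to delete sections 2 and 3; restate it so only the measures that act on the click itself (keeping controls disabled until genuine pointer or keyboard activity, explicit confirmation of the action) are credited. Also, the line beginning "### For a more in-depth understanding..." is a sentence formatted as a level-3 heading; make it a plain sentence under a references heading in the style the cheat sheet already uses, and list Yibelo's post first.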

I find it curious that all 3 of these referenced in-depth links start out by giving direct credit to Paulos Yibelo who is the one who first discussed (and presumably discovered) Double Clickjacking, and yet you don't link to Yibelo's blog post, https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html?m=1. That should be the primary reference. I think it's inexcusable to do otherwise.


@kwwall kwwall left a comment


I think significant revisions (many of which I've noted) are needed before I can approve this. Please make the requested changes. And let's start by getting commit ID #95ed6819103eca43bcaa0a4b73ebf4502a4c13c0 out of this PR and into a separate one associated with a separate GH issue. Thanks.

@caffeine-rohit
Contributor Author

This PR was closed and a new PR #1609 was opened, which includes all the requested changes while ensuring a more refined and improved implementation.

Successfully merging this pull request may close these issues.

Update: Clickjacking_Defense_Cheat_Sheet.md to address Double Clickjacking