Preventing Clickjacking Attacks in ColdFusion

What is Clickjacking Attack?
As per OWASP,
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Lets see an example:

  1. A visitor is lured to evil page. No matter how, may be by clicking on an email.
  2. This page will contain a link called “Get FREE IPOD” with z-index set to -1;
  3. This page also contains a transparent iframe from the victim domain, say facebook.com and positions the facebook like button right over the link.So now the facebook like button is not visible , but the “Get FREE IPOD” link is visible. Now if the user will clickon this link unknowingly he is clicking of the facebook like button.

Here is an example:

<html>
    <head>
        <script>
          window.fbAsyncInit = function() {
            FB.init({
              appId      : '754831697896892',
              xfbml      : true,
              version    : 'v2.1'
            });
          };
    
          (function(d, s, id){
             var js, fjs = d.getElementsByTagName(s)[0];
             if (d.getElementById(id)) {return;}
             js = d.createElement(s); js.id = id;
             js.src = "//connect.facebook.net/en_US/sdk.js";
             fjs.parentNode.insertBefore(js, fjs);
           }(document, 'script', 'facebook-jssdk'));
        </script>
        <style>
            iframe { /* iframe from facebook.com */
              width:140px;
              height:100px;
              margin-top: 100px;
              margin-left: 50px;
              position:absolute;
              top:0; left:0;
              filter:alpha(opacity=50); 
              opacity:0.5;   //Here we have set the opacity to 0.5 so its partly visible, we can make it 0 to hide the iframe
            }
            .a{
                margin-top: 95px;
            }
        </style>
    </head>
    <body>
        <div class="a">
            <a  href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">Get Free IPOD!</a>
        </div>
        //www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2FTimesnow&width&layout=button&action=like&show_faces=false&share=false&height=35&appId=754831697896892
    </body>
</html>

JS fiddle: http://jsfiddle.net/5e5kvxk4/4/

Facebook Like button,twitter Follow button already attacked this way multiple times before.http://nakedsecurity.sophos.com/2011/03/30/facebook-adds-speed-bump-to-slow-down-likejackers/.

Q. Does my site is vulnerable clickjacking attacks?

If  there is an action on your site that can be done with a single click – it may be clickjacked.

Defense:

The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. But there are some cases where the page is intended to be open inside an iframe for example facebook Like and twitter Follow buttons. So they suffer from clickjacking attacks. So to prevent this kind of attacks facebook and twitter opens a popup asking for confirmation when user clicks on the iframe.

Frame Busting:

This is the technique which prevents a site from loading inside an iframe. This technique is very easy to implement also. We just need to add ‘X-Frame-Options’ to our response header. This option is used to indicate the browser weather or not to allow a page render inside <iframe>,<frame>,<object>.

There are three possible values for X-Frame-Options:
DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin.

We can configure at web server level to send X-Frame-Options header for all pages of our site.

IIS

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

Apache

Header always append X-Frame-Options SAMEORIGIN

Configuring Coldfusion server for preventing Clickjacking attacks:

  1. Open the file Web.xml located inside server-root/WEB-INF.
  2. Now we can add filter mappings for our application with one of the two filters already specified.
    CFClickJackFilterSameOrigin or CFClickJackFilterDeny.
  3. Now let’s say we have an application testsite, which we want to protect against clickjacking by denying a frame for the application. To do so, add the following in the web.xml file.
    <filter-mapping> 
        <filter-name>CFClickJackFilterDeny</filter-name> 
        <url-pattern>/testClick/*</url-pattern>
    </filter-mapping>