
I have a question about Clickjacking.

The question is quite simple. Imagine a login flow like this:

  1. You visit the application login page, e.g. https://example.com/login.html. There is no Clickjacking protection (i.e. the X-Frame-Options header) on this page.
  2. This page redirects you to the SSO page to actually log in, e.g. https://sso.service.com, and the actual credentials are entered here. Clickjacking protection is enabled here.
  3. After logging in you are redirected back to the site, https://example.com/home.html. There is no clickjacking protection anywhere on the site.

My question is: if I have protection on the login/SSO page alone and don't have protection in any other page of the application, is my application still vulnerable to Clickjacking?


1 Answer


The answer is simple and straightforward:

Having clickjacking protection only on the login page only protects the login page. The rest of your site is still vulnerable.

It sounds like you have a bit of a misunderstanding, and are hoping that because the login page is clickjacking-protected, someone can't use clickjacking to attack your site. Unfortunately, that is not the case. Clickjacking (typically) relies upon using the credentials of an already logged-in user. As a result, there is no need to target the login page with clickjacking. Rather, you target any other page that has a sensitive action.

In fact, the login page is probably low on the list of pages that need clickjacking protection. The reason is that you can't use clickjacking to enter a password, nor would an attacker know the user's password to log them in even if it was possible. It might be possible to use clickjacking on a login page to log in a user if the browser stores the password and suggests it automatically, and then follow that up with a clickjacking attack on another action on the site, therefore building up an exploit from multiple clickjacking attacks. In general though, using clickjacking against a login page is probably not an interesting target in and of itself.

As a result, you pretty much have things backward: if you had everything but your login page protected from clickjacking, you'd probably be fine. If you only have your login page protected from clickjacking, then your clickjacking protection is useless.

Conor Mancone
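One way to make the answer's point concrete as an audit, as an added example that is not part of the original answer: classify each page's anti-framing headers and list the pages any site can frame. The URLs and header sets in FLOW are constructed to mirror the flow in the question, and the "deny"/"restricted"/"unprotected" labels are this example's own.

```python
# Added example, not code from the original Q&A: audit which pages of a login
# flow actually carry anti-framing protection, so "only the login page is
# protected" shows up as a finding rather than a false sense of safety.
# The URLs and header sets in FLOW are constructed to mirror the question.

def framing_protection(headers: dict) -> str:
    """Classify one HTTP response's anti-framing posture from its headers.

    Returns "deny" (cannot be framed anywhere), "restricted" (only same
    origin / an allowlist may frame it) or "unprotected". Header names are
    matched case-insensitively. A CSP frame-ancestors directive, when
    present, takes precedence over X-Frame-Options, as the CSP spec requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.lower() for s in parts[1:]}
            # An empty source list matches nothing, same as 'none'.
            if not sources or sources == {"'none'"}:
                return "deny"
            if "*" not in sources:
                return "restricted"
            return "unprotected"
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "restricted"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it gives
    # no protection; an absent or unrecognised value gives none either.
    return "unprotected"

def unprotected_pages(flow: dict) -> list:
    """Return the URLs in a {url: response_headers} map that any site can frame."""
    return [url for url, hdrs in flow.items()
            if framing_protection(hdrs) == "unprotected"]

# Constructed responses for the flow in the question: only the SSO page is
# protected, so every post-login page on example.com is a clickjacking target.
FLOW = {
    "https://example.com/login.html": {"Content-Type": "text/html"},
    "https://sso.service.com/": {"X-Frame-Options": "DENY"},
    "https://example.com/home.html": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for url in unprotected_pages(FLOW):
        print("frameable:", url)
```

Run against real responses, the same check flags every post-login page that lacks both X-Frame-Options and a frame-ancestors directive, which is exactly the set the answer says still needs protecting.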
  • Thanks Conor for the explanation. Now I have one more doubt. Basically, clickjacking targets sensitive information post-login. In a real-time scenario, when you perform clickjacking it will be sent as a forged request, but I have protection for CSRF. How does clickjacking get exploited? – Bhuvanesh Kumar Sep 12 '19 at 02:32