What is Apache Clickjacking Attack and How to Fix
Clickjacking is a well-known web application vulnerability; it was used, for example, in an attack on Twitter.
To defend against clickjacking on your Apache HTTPD web server, you can send the X-Frame-Options header so that your website cannot be framed by an attacker's page.
The X-Frame-Options HTTP response header tells the browser whether it is allowed to render the page inside a frame or iframe.
This prevents the site's content from being embedded into other sites.
Affected versions
Apache HTTP Server based web servers, such as IBM HTTP Server (IHS)
Solution
- Log in to the Apache or IHS server
- Take a backup of the configuration file
- Add the following line to the conf file.
Header always append X-Frame-Options SAMEORIGIN
- Save the conf.
- Restart the respective web server and test the application
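To confirm the fix took effect after the restart, the following added check (example code, not from the original post) requests a URL and evaluates the X-Frame-Options header it receives. It also flags duplicate or conflicting values, which can appear when "Header always append" is used on a server that already sets the header elsewhere. The target URL is a placeholder; the header lists in the evaluator are constructed inputs.

```python
"""Verify that an Apache/IHS server sends a usable X-Frame-Options header."""
import sys
import urllib.request

# Values current browsers honour (RFC 7034). ALLOW-FROM is obsolete.
VALID = {"DENY", "SAMEORIGIN"}


def evaluate_xfo(header_values):
    """Classify the X-Frame-Options header(s) found in one HTTP response.

    header_values: list of raw header values, one entry per occurrence.
    Returns (ok, reason). Browsers only reliably apply the header when it
    carries a single recognised token, so duplicates and conflicts fail.
    """
    tokens = []
    for value in header_values:
        # A proxy or 'Header append' may merge occurrences into a comma list.
        tokens.extend(t.strip().upper() for t in value.split(",") if t.strip())
    if not tokens:
        return False, "header missing: the page can be framed by any site"
    if len(set(tokens)) > 1:
        return False, f"conflicting values {tokens}: send exactly one value"
    if len(tokens) > 1:
        return False, (f"duplicate values {tokens}: prefer 'Header always set' "
                       "over 'append' so a single value is sent")
    token = tokens[0]
    if token in VALID:
        return True, f"{token}: framing restricted as intended"
    if token.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    return False, f"unrecognised value {token!r}: header has no effect"


def check_url(url):
    """Send one GET request and evaluate the X-Frame-Options header(s)."""
    with urllib.request.urlopen(url) as resp:
        # get_all returns every occurrence of the header, or None.
        values = resp.headers.get_all("X-Frame-Options") or []
    return evaluate_xfo(values)


if __name__ == "__main__":
    # Placeholder target; pass the real site as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.example.com/"
    ok, reason = check_url(target)
    print(("PASS" if ok else "FAIL") + ": " + reason)
    sys.exit(0 if ok else 1)
```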
Cheers