Secure .Net Core applications from Click Jacking: .Net Core security Part III

You can find my all .Net core posts here.

In these series of posts, we will see how to secure your .Net Core applications.

In this post, we will see how to secure your .Net Core application from the ClickJacking attack.

What is ClickJacking?

• Clickjacking, also known as a “UI redress attack“, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page.
• Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.(Resource – https://www.owasp.org/index.php/Clickjacking)

For example:

• A malicious website invites the user to click a button by showing some ad like if the button will be clicked then the user gets a lottery of 100 rupees or Dollars.
• The user does not know that the malicious site might have put a Transfer Money button just behind the submit button in such a way that user can not see the transfer button
• The user’s authentication details would be with the hackers already if the browser of the user is still authenticated with his\her bank account
• Additionally, The Malicious site can pull the details of the user’s bank account by showing the bank’s site in a frame
• When the user clicks on lottery button, the amount will be deducted from the user’s account to the hacker’s account

How to prevent this?

We need to prevent our site to open in a frame or we can allow our site to be opened in a frame only for same domain or any specific domain.

We can prevent this by adding some extra headers which are:

• X-FRAME-OPTIONS : DENY

This prevents the browser to show this page in an IFrame

• X-FRAME-OPTIONS : SAMEORIGIN

This allows frame in own domain

• X-FRAME-OPTIONS : ALLOW-FROM https://mysite.com

This allows frame in any specific domain

How to prevent this in .Net Core

In .Net Core, we can add these headers in the Configure method of Startup.cs class as below:

app.Use(async (context, next) =>
{
context.Response.Headers.Add("X-Frame-Options", "DENY"); // This
context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN"); // Or this
await next();
});

Or you can use NWebSec Nuget package which allows you to do this in the middleware.

First, install the NWebSec Nuget package:

And then add below line in the Configure method of Startup.cs class:

app.UseXfo(0 => o.Deny());

Important Notes –

• If you are using the AntiForgery token in your application then this token by default sets X-Frame-Option with value SAMEORIGIN to prevent the site from ClickJacking
• So if you are using AntiForgey along with the options I mentioned above then it may create some problems because along with our changes for ClickJacking, AntiForgeryToken also tries to set the headers
• If you want to disable setting headers for frames in AntiForgeyToken then simply add below line:

services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);

This will disable that header in Antiforgery and we can handle the ClickJacking by our own. (Ref – https://github.com/aspnet/Mvc/issues/3958)

Hope it helps.