Can frames hack the website?

Suppose you receive a link to a page that looks exactly like the Facebook login page, and you go ahead and fill in your credentials. But wait, did you check the URL?

Security at risk

That is how easily you can be phished. Nothing looked wrong, you never noticed a thing, and someone now has your credentials. I know, I know, everyone knows not to log in through a link someone sent you. So let me take this one level further. You have probably visited sites where a single click suddenly triggers a permission prompt, a redirect or some action you never intended. With that click you may have become part of another attack, called clickjacking: the page you saw was only a decoy, and your click landed on a different site hidden underneath it.

How were the attackers able to do this?
The idea is really simple: the <iframe> tag. Here is how clickjacking was done against Facebook:
1. A visitor lands on an attacker's page that loads the victim site (for example a page with a Facebook "Like" button) in an invisible frame positioned over the attacker's own content.
2. The page shows a tempting link or button such as "you won", "get rich now" or "click here".
3. Trying to click the bait, the user actually clicks the invisible button inside the frame, and the action is carried out in their logged-in session on the victim site.
Don't try this with Facebook now; it has of course been fixed. And it wasn't only Facebook: Twitter, PayPal and many other sites were hit the same way.

Now the question is how you protect your own website from attacks like this. First you need to find out whether your website can be framed at all.
Try out this demo (a decoy button with the target site framed on top of it):

<!DOCTYPE html>
<html>
<head>
<title>Trusted web page</title>
<style type="text/css">
body {
  border: 1px solid #336699;
}
/* Decoy content the visitor thinks they are clicking. */
#decoy {
  position: absolute;
  left: 172px;
  top: 60px;
}
/* The framed target site, laid over the decoy. A real attack uses opacity 0;
   0.5 keeps it visible so you can see whether your site actually loads. */
#content {
  width: 1000px;
  height: 500px;
  position: absolute;
  left: 172px;
  top: 60px;
  opacity: 0.5;
  filter: alpha(opacity=50); /* legacy IE syntax */
}
</style>
</head>
<body>
<div id="decoy"><button>Click here, you won!</button></div>
<div id="content">
<!-- replace YOUR-WEBSITE-URL with the page you want to test -->
<iframe id="clickjacking" src="YOUR-WEBSITE-URL" width="1000" height="500" scrolling="no" frameborder="0"></iframe>
</div>
</body>
</html>

Save it as a .html file and open it in a browser. If your website renders inside the frame, it is vulnerable to framing attacks. Don't worry! With the problem comes a solution.
To stop this, add a Content-Security-Policy header with a frame-ancestors directive to your web server configuration (for Apache, in httpd.conf or .htaccess with mod_headers enabled):

Header always set Content-Security-Policy "frame-ancestors 'self' domain1 domain2"

domain1 and domain2 are the domains you want to allow to embed your website in an <iframe>; use 'self' alone to allow only your own origin, or 'none' to forbid framing entirely (note the single quotes around these keywords, and that frame-ancestors is ignored inside a <meta> tag, so it must be a real response header). Once this is in place, a page on any other domain that tries to frame your website gets a blank frame instead of your content. For older browsers that do not understand frame-ancestors, send the legacy X-Frame-Options header (DENY or SAMEORIGIN) alongside it; browsers that support both give frame-ancestors precedence.
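Checking a header set by hand gets error-prone once you have several allowed domains, wildcards or ports, so here is an added example (my own code, not from the original post) that mirrors what the browser does: given a response's headers, it decides whether a page from a given origin may frame it, following the CSP frame-ancestors matching rules for 'none', 'self', '*', scheme and host sources, and falling back to X-Frame-Options when no frame-ancestors directive is present. The header names are assumed to be lowercased, as Node's http module returns them, and all header values and origins below are constructed for illustration.

```javascript
// Added example (not from the original post): given the response headers a
// site sends, decide whether a page from `ancestorOrigin` may put it in an
// <iframe>. Mirrors CSP frame-ancestors matching plus the legacy
// X-Frame-Options fallback. Header names are assumed lowercased (as Node's
// http module returns them); all header values below are constructed.

// Split a CSP header value into { directiveName: [sourceExpressions] }.
// Per CSP, if a directive appears twice the first occurrence wins.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1);
  }
  return policy;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Does one frame-ancestors source expression match the embedding origin?
// Supports 'none', 'self', '*', scheme sources ("https:") and host sources
// with an optional scheme, "*." wildcard and port.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const s = source.toLowerCase();
  const ancestor = new URL(ancestorOrigin);
  const page = new URL(pageOrigin);
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === page.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;

  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;

  // Scheme: an explicit scheme must match; a schemeless host source matches
  // the page's own scheme (and https when the page itself is plain http).
  if (scheme) {
    if (ancestor.protocol !== scheme + ':') return false;
  } else if (ancestor.protocol !== page.protocol &&
             !(page.protocol === 'http:' && ancestor.protocol === 'https:')) {
    return false;
  }

  // Host: "*.example.com" matches any subdomain but not example.com itself.
  if (wildcard) {
    if (!ancestor.hostname.endsWith('.' + host)) return false;
  } else if (ancestor.hostname !== host) {
    return false;
  }

  // Port: absent means the scheme's default port; '*' means any port.
  const ancestorPort = ancestor.port || DEFAULT_PORT[ancestor.protocol] || '';
  if (port === undefined) return ancestorPort === (DEFAULT_PORT[ancestor.protocol] || '');
  if (port === '*') return true;
  return ancestorPort === port;
}

// True if a page served with `headers` can be framed by ancestorOrigin.
// frame-ancestors, when present, overrides X-Frame-Options; with neither
// header the page can be framed by anyone, which is the clickjacking case.
function framingAllowed(headers, ancestorOrigin, pageOrigin) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors !== undefined) {
      return ancestors.some((src) => sourceMatches(src, ancestorOrigin, pageOrigin));
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return new URL(ancestorOrigin).origin === new URL(pageOrigin).origin;
    // Any other value (e.g. the obsolete ALLOW-FROM) is ignored by current
    // browsers and so gives no protection; fall through.
  }
  return true;
}

// Constructed header sets for a hypothetical site at https://www.mysite.example.
const PAGE_ORIGIN = 'https://www.mysite.example';
const SAMPLE_HEADERS = {
  unprotected: { 'content-type': 'text/html' },
  legacyOnly: { 'x-frame-options': 'SAMEORIGIN' },
  cspStrict: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspPartners: {
    'content-security-policy':
      "frame-ancestors 'self' https://partner.example https://*.trusted.example",
  },
};

// Report which sample responses a page on attackerOrigin could frame.
function frameableBy(attackerOrigin) {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLE_HEADERS)) {
    result[name] = framingAllowed(headers, attackerOrigin, PAGE_ORIGIN);
  }
  return result;
}

console.log(frameableBy('https://evil.example'));
```

Run it with node and only the unprotected sample comes back frameable by the attacker's origin. Point the same function at the headers you get from curl -I against your own site to confirm the directive you deployed actually says what you meant, in particular that a wildcard like https://*.trusted.example does not cover the bare apex domain.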

Please note that the information above is provided to help you make your application secure, not for use in an illegal manner.
