  • Clickjacking prevention

    Hello,

    Is vBulletin having anything included to prevent clickjacking?

    Thanks!

    Regards,
    Oore

  • #2
    Not sure how someone can do clickjacking with the default settings of a vBulletin 5 Installation. The obvious way to prevent this is to leave the "Can Use HTML" permission set to No for all users.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud customization and demonstration site.
    vBulletin 5 Documentation - Updated every Friday. Report issues here.
    vBulletin 5 API - Full / Mobile
    I am not currently available for vB Messenger Chats.


    • #3
      Clickjacking is usually from an external website by rendering another in a frame or an iframe.

      A solution to prevent this is to return the X-Frame-Options or Content-Security-Policy with the 'frame-ancestors' directive HTTP header with the page's response. This prevents the content being rendered from another site when using the frame or iframe HTML tags.

      Is there a section in vBulletin to configure the HTTP header?


      • In Omnibus commented:
        The only way anyone could do this is if you allow HTML. As Wayne Luke said the way to prevent this in vBulletin 5 is to disallow HTML, which is a per usergroup setting in the admin control panel. It would be highly unusual for any forum to allow any member to post HTML, including iFrames. In fact, the entire purpose of BBCode is to allow users to do certain things without using HTML.

    • #4
      HTML isn't allowed for users. I'm not concerned my users are doing clickjacking.

      I'm concerned my forum will be rendered in frames/iframes on third party websites for clickjacking. How to prevent this from happening and protect my users?


      • #5
        Originally posted by Oore:
        HTML isn't allowed for users. I'm not concerned my users are doing clickjacking.

        I'm concerned my forum will be rendered in frames/iframes on third party websites for clickjacking. How to prevent this from happening and protect my users?
        You have to write your own Content-Security-Policy. There can't be a "one-policy-fits-all" CSP. There are a number of good resources for how to do this. Here's one:

        https://hacks.mozilla.org/2016/02/im...curity-policy/

        You can add any meta tags to the headinclude template.


        • #6
          Clickjacking is a technique where a malicious website owner overlays a "link" to their site on the content of another website. This could be to gain things similar to likes on Social Media, Retweets, Pinterest Pins, etc... It could also be used to redirect users to their site. So the simplest way to prevent Clickjacking from other sites leading to your own is to not do that.

          Can a user create an elaborate clickjacking routine so they get more likes on your site? Sure. My question would be why? What benefit will they get out of it? They can't get any more access to your information or user data than they can if they just register. They can't use it to gain cookie information since your site would be in a hidden iframe. They can't use it to get password information, again your site is in a hidden iframe. Even if they somehow included Javascript in the hidden iframe of your site, they can't ask for this information. We don't allow Javascript to use our cookies. The user's browser secures that. It is still your site. It would be as if the user visited directly in their browser.

          If you don't allow users to post HTML, they can't clickjack your members or try to set up a Phishing Scheme.
          Last edited by Wayne Luke; Tue 22nd Jan '19, 8:33am.


          • #7
            You can add X-FRAME-OPTIONS at the server level via htaccess.

            https://htaccessbook.com/increase-se...urity-headers/


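The checker below, added here and not part of the thread or of vBulletin, applies the browser rules the posts above touch on to a set of response headers: a CSP `frame-ancestors` directive wins over `X-Frame-Options`, `DENY`/`SAMEORIGIN` block third-party framing, and the obsolete `ALLOW-FROM` form is ignored by browsers. Note that neither header takes effect from a `<meta>` tag, so adding them to the headinclude template does nothing; they must be sent as real HTTP headers, for example from .htaccess as post #7 suggests. The header sets in `SAMPLES` are constructed for illustration, not captured from any real site.

```python
def _parse_frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # strip the quotes around keyword sources such as 'self' and 'none'
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def frame_protection(headers: dict) -> tuple[bool, str]:
    """Decide whether these response headers stop cross-site framing.

    Returns (protected, reason). Header names are matched case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = _parse_frame_ancestors(csp)
        if sources is not None:  # frame-ancestors present: X-Frame-Options is ignored
            if sources == [] or sources == ["none"]:
                return True, "CSP frame-ancestors 'none': no framing allowed"
            if all(s == "self" for s in sources):
                return True, "CSP frame-ancestors 'self': only same-origin framing"
            return False, "CSP frame-ancestors allows framing from: " + " ".join(sources)
    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {value}"
        return False, f"X-Frame-Options {xfo!r} is obsolete or invalid; browsers ignore it"
    return False, "no X-Frame-Options and no CSP frame-ancestors: page can be framed anywhere"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no_headers": {"Content-Type": "text/html"},
    "htaccess_xfo": {"X-Frame-Options": "SAMEORIGIN"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    # frame-ancestors takes precedence over a stricter X-Frame-Options
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def audit(samples=SAMPLES) -> dict:
    """Run frame_protection over every sample; returns name -> (protected, reason)."""
    return {name: frame_protection(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit().items():
        print(f"{'OK  ' if ok else 'WEAK'} {name}: {reason}")
```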