Clickjacking prevention

  • Oore
    Member
    • Oct 2017
    • 62
    • 5.3.x

    Clickjacking prevention

    Hello,

    Is vBulletin having anything included to prevent clickjacking?

    Thanks!

    Regards,
    Oore
  • Wayne Luke
    vBulletin Technical Support Lead
    • Aug 2000
    • 73976

    #2
    Not sure how someone can do clickjacking with the default settings of a vBulletin 5 Installation. The obvious way to prevent this is to leave the "Can Use HTML" permission set to No for all users.
    Translations provided by Google.

    Wayne Luke
    The Rabid Badger - a vBulletin Cloud demonstration site.
    vBulletin 5 API


    • Oore
      Member
      • Oct 2017
      • 62
      • 5.3.x

      #3
      Clickjacking is usually from an external website by rendering another in a frame or an iframe.

      A solution to prevent this is to return the X-Frame-Options HTTP header, or a Content-Security-Policy header with the 'frame-ancestors' directive, with the page's response. This prevents the content from being rendered by another site using the frame or iframe HTML tags.

      Is there a section in vBulletin to configure the HTTP header?



      • In Omnibus
        In Omnibus commented
        The only way anyone could do this is if you allow HTML. As Wayne Luke said, the way to prevent this in vBulletin 5 is to disallow HTML, which is a per-usergroup setting in the admin control panel. It would be highly unusual for any forum to allow any member to post HTML, including iframes. In fact, the entire purpose of BBCode is to allow users to do certain things without using HTML.
    • Oore
      Member
      • Oct 2017
      • 62
      • 5.3.x

      #4
      HTML isn't allowed for users. I'm not concerned my users are doing clickjacking.

      I'm concerned my forum will be rendered in frames/iframes on third-party websites for clickjacking. How do I prevent this from happening and protect my users?


      • In Omnibus
        Senior Member
        • Apr 2010
        • 2310

        #5
        Originally posted by Oore
        HTML isn't allowed for users. I'm not concerned my users are doing clickjacking.

        I'm concerned my forum will be rendered in frames/iframes on third party websites for clickjacking. How to prevent this from happening and protect my users?
        You have to write your own Content-Security-Policy. There can't be a "one-policy-fits-all" CSP. There are a number of good resources for how to do this. Here's one:

        The add-ons team recently completed work to enable Content ...


        You can add any meta tags to the headinclude template.


        • Wayne Luke
          vBulletin Technical Support Lead
          • Aug 2000
          • 73976

          #6
          Clickjacking is a technique where a malicious website owner overlays a "link" to their site on the content of another website. This could be to gain things similar to likes on Social Media, Retweets, Pinterest Pins, etc... It could also be used to redirect users to their site. So the simplest way to prevent Clickjacking from other sites leading to your own is to not do that.

          Can a user create an elaborate clickjacking routine so they get more likes on your site? Sure. My question would be why? What benefit will they get out of it? They can't get any more access to your information or user data than they can if they just register. They can't use it to gain cookie information since your site would be in a hidden iframe. They can't use it to get password information; again, your site is in a hidden iframe. Even if they somehow included Javascript in the hidden iframe of your site, they can't ask for this information. We don't allow Javascript to use our cookies. The user's browser secures that. It is still your site. It would be as if the user visited directly in their browser.

          If you don't allow users to post HTML, they can't clickjack your members or try to set up a Phishing Scheme.
          Last edited by Wayne Luke; Tue 22 Jan '19, 8:33am.

          • glennrocksvb
            Former vBulletin Developer
            • Mar 2011
            • 4011
            • 5.7.X

            #7
            You can add X-FRAME-OPTIONS at the server level via htaccess.

            Here are three .htaccess techniques to increase your site's security. These techniques add extra security headers to all of your site's resources....
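            An added example, not part of this thread and not vBulletin's own code: a small Python check that reads a response's headers and decides whether a page served from another origin could frame the forum. It parses the Content-Security-Policy frame-ancestors directive described in #3 and also accepts the header pair that the .htaccess approach in #7 would produce (Apache's own directives are `Header always set X-Frame-Options "SAMEORIGIN"` and `Header always set Content-Security-Policy "frame-ancestors 'self'"`; the sample header sets, host names and function names below are constructed for the example). One caveat worth knowing when choosing where to put these: both protections only work as response headers. Browsers do not honour X-Frame-Options in a meta tag, and the CSP specification excludes frame-ancestors from meta delivery, so they belong in the server or application response, not in a page template.

```python
"""Check whether a set of HTTP response headers blocks cross-site framing."""
from urllib.parse import urlsplit

# Constructed sample header sets. UNPROTECTED is a page with nothing configured;
# PROTECTED is what the .htaccess lines from the thread would add to every response.
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8"}
PROTECTED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


def _origin(url):
    """Reduce a URL to its lower-cased scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent.

    Directives are separated by ';'; each is a name followed by whitespace-separated
    sources. Browsers use only the first occurrence of a directive, as done here.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _source_matches(source, page_origin, embedder_origin):
    """Does one frame-ancestors source expression permit embedder_origin?

    Handles 'none', 'self', scheme sources (https:) and host sources with an
    optional scheme and leading wildcard label (https://*.example.com).
    A host source without a scheme is treated as matching any scheme here,
    a simplification of the spec's same-scheme-or-https rule.
    """
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder_origin == page_origin
    if src.endswith(":") and "/" not in src:
        return embedder_origin.startswith(src + "//")
    scheme, _, host = src.rpartition("://")
    emb_scheme, _, emb_host = embedder_origin.partition("://")
    if scheme and scheme != emb_scheme:
        return False
    if host.startswith("*."):
        return emb_host.endswith(host[1:])  # "*.example.com" -> suffix ".example.com"
    return emb_host == host


def framing_allowed(headers, page_url, embedder_url):
    """True if a browser honouring these headers would let embedder_url frame page_url.

    When both headers are present, frame-ancestors wins and X-Frame-Options is
    ignored, which is how browsers resolve the pair.
    """
    page, embedder = _origin(page_url), _origin(embedder_url)
    h = {k.lower(): v for k, v in headers.items()}

    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, page, embedder) for s in sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # No recognised anti-framing header: any site may frame the page.
    return True


def audit(headers, page_url):
    """Summarise the framing policy of one response as a finding string."""
    if framing_allowed(headers, page_url, "https://third-party.example"):
        return "VULNERABLE: page can be framed by any site"
    if framing_allowed(headers, page_url, page_url):
        return "OK: cross-site framing blocked (same-origin framing allowed)"
    return "OK: all framing blocked"


if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("protected", PROTECTED)):
        print(f"{name}: {audit(hdrs, 'https://forum.example')}")
```

Run it against headers captured from your own forum (for instance from a `curl -I` of the front page) to confirm the .htaccess change actually reached the browser; an intermediate proxy or CDN that strips or overrides headers is the usual reason the check still reports the page as frameable.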
