I have the following code written in Python:

import optparse
import re
import sys

import requests

parser = optparse.OptionParser()
parser.add_option('-t', '--target', action="store", dest="hostname",
                  help="Host where you want to check for common files.", default="spam")
parser.add_option('-p', '--port', action="store", dest="port",
                  help="Port number to be used while hitting the host", default="80")
options, args = parser.parse_args()

# Accept either a DNS hostname or a dotted-quad IPv4 address.
hostregex = re.compile(r"^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$")
ipregex = re.compile(r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")

host = options.hostname
port = options.port

if not (hostregex.match(host) or ipregex.match(host)):
    print("Please enter valid Hostname / IP Address")
    sys.exit(1)

print("Checking clickjacking on %s:%s" % (host, port))

# optparse hands us the port as a string, so compare against "443" rather than
# the integer 443 (which never matched, so HTTPS was never used).
if port == "443":
    req = requests.get("https://" + host)
else:
    req = requests.get("http://" + host + ":" + port)

# Only a missing header means "no protection"; a bare except would also have
# hidden network errors behind a false "vulnerable" verdict.
xfo = req.headers.get('X-Frame-Options')
if xfo is not None:
    print("[-] Not vulnerable to ClickJ\nX-Frame-Options response header present, Contains value %s\n" % xfo)
else:
    print("[+] Vulnerable to ClickJacking, but check framebusting.\n")
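The script above treats any X-Frame-Options value as a pass and ignores Content-Security-Policy. The following is an added example, not part of the original post, that evaluates a captured set of response headers offline and goes a little beyond the script: it honours the CSP frame-ancestors directive (which browsers prefer over X-Frame-Options when both are present) and treats an X-Frame-Options value that browsers do not act on (the obsolete ALLOW-FROM, or a typo such as SAME-ORIGIN) as unprotected. The sample responses at the bottom are constructed, not real captures.

```python
# Added example: judge framing protection from response headers, offline.
# Assumes headers arrive as a plain dict (e.g. dict(requests_response.headers)).

def _header(headers, name):
    """Case-insensitive lookup of a header in a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers):
    """Decide whether a response's headers stop it being framed by other origins.

    Returns (protected, reason). A CSP frame-ancestors directive takes
    precedence over X-Frame-Options, mirroring browser behaviour.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            if "*" in sources:
                return False, "CSP frame-ancestors allows any origin (*)"
            return True, "CSP frame-ancestors restricts framing to: %s" % " ".join(sources)

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "no X-Frame-Options and no CSP frame-ancestors"
    # Browsers only act on DENY and SAMEORIGIN; anything else is ignored,
    # which leaves the page frameable even though a header is present.
    value = xfo.strip().lower()
    if value in ("deny", "sameorigin"):
        return True, "X-Frame-Options: %s" % xfo.strip()
    return False, "X-Frame-Options value %r is not honoured by browsers" % xfo.strip()


# Constructed sample responses (not real captures) for a quick self-check.
SAMPLE_RESPONSES = {
    "sameorigin":  {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "unprotected": {"Content-Type": "text/html", "Server": "nginx"},
    "typo":        {"x-frame-options": "SAME-ORIGIN"},
    "allow-from":  {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-self":    {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-open":    {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    # Same [-]/[+] convention as the script: [-] protected, [+] frameable.
    for name, headers in SAMPLE_RESPONSES.items():
        protected, reason = framing_protection(headers)
        print("[%s] %-12s %s" % ("-" if protected else "+", name, reason))
```

To use it against a live host, pass `dict(requests.get(url).headers)` to `framing_protection`; the "csp-open" sample shows why the CSP check has to run first, since a permissive frame-ancestors makes a DENY header irrelevant in current browsers.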
I am testing it with:
python h1.py -t google.com
The result looks good:
Checking clickjacking on google.com:80
[-] Not vulnerable to ClickJ
X-Frame-Options response header present, Contains value SAMEORIGIN
Using the same command, I'm testing the kinnell core host:
python h1.py -t internal.kinnell.co.uk
And there’s a surprise:
Checking clickjacking on internal.kinnell.co.uk:80
[+] Vulnerable to ClickJacking, but check framebusting.
This needs to be fixed!
In the nginx/conf folder, add the following directive to nginx.conf inside the server block:
add_header X-Frame-Options "SAMEORIGIN";
Then restart the nginx server.
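As an added illustration (not configuration from the original post), here is a minimal server block carrying the directive in context. The server_name and root paths are placeholders. It also shows the one nginx behaviour that most often undoes this fix: add_header directives are only inherited from the server level when the location block has no add_header of its own, so a location that sets any other header must repeat X-Frame-Options or the page served from that location goes out unprotected.

```nginx
server {
    listen 80;
    server_name internal.example;        # placeholder

    # "always" makes nginx send the header on error responses too (nginx >= 1.7.5)
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        root /var/www/html;              # placeholder
    }

    location /admin/ {
        # This add_header replaces the inherited set, so the framing header
        # must be repeated here or /admin/ is silently left frameable.
        add_header Cache-Control "no-store";
        add_header X-Frame-Options "SAMEORIGIN" always;
    }
}
```

After editing, run nginx -t to validate the configuration before reloading, then confirm with a plain HEAD request (for example curl -I against the host) that X-Frame-Options appears on both a normal page and a path served by a location with its own add_header lines.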