Home » Malware Analysis » Clickjacking and Frame breakout

Clickjacking and Frame breakout

I have had a few clients ask about their sites being framed to load on other sites without their permission and if their is anything they can do about it. Attackers sometimes do this in “Phishing” attempts. Visitors think they are going to the legitimate site, when in all reality it’s a copy that is being framed by someone with malicious intent.  There are several options available to prevent such framing of sites. The X-Frame-Options HTTP response header can be used to determine if a browser should be allowed to render a site or page in the <frame> or <iframe> tags.

There are three options for the X-Frame-Options headers:

  • DENY, which  will prevent ALL domains from framing the content.
  • SAMEORIGIN, only allows the current domain to frame the content.
  • ALLOW-FROM uri, which only allows a specified ‘uri’ to frame this page. (e.g., ALLOW-FROM http://www.mysite.com) . This is a newer option and may not be supported by all browsers. This option should probably be avoided because you may or may not have any defense against clickjacking and framing.

Below are some examples on how to configure this:

First – at the highest level, Apache can be configured to prevent this by adding the following by adding it to your server or local config:

Header always append X-Frame-Options SAMEORIGIN

If you are using ngnix you can add the following to the server or local config:

add_header X-Frame-Options

For IIS add the following to the web.config:

<add name="X-Frame-Options" value="SAMEORIGIN" />


If you don’t have access at the server level, you can send the xframe option tag if you place it in between the <head> and </head> tags of your pages:

      <meta http-equiv="X-FRAME-OPTIONS" content="DENY">

      <meta http-equiv="X-FRAME-OPTIONS" content="SAMEORIGN">

Another option is to use JavaScript, but remember, if a user has JavaScript disabled, this option won’t work – that’s why it’s at the bottom of the list and the least preferable way to handle it, this will “bust” the page out of the frame (aka breakout). However, this will help in cases where the browser doesn’t support the X-Frame-Options:

<script type="text/javascript">
if (top.location != location) { top.location.href = location.href; }

Below is a list of browsers that currently support the X-Frame-Options:

  • IE8+
  • Opera 10.50+
  • Safari 4+
  • Chrome (Allow-From not yet supported)
  • Firefox 3.6.9 (or earlier with NoScript)


So there you have it, basic clickjacking and frame busting in a nutshell…