Advanced Clickjacking
Absence of both the X-Frame-Options and CSP frame-ancestors headers, combined with no client-side frame-busting logic, leaves the app fully embeddable in malicious iframes.
How It Works
Clickjacking overlays your app, rendered invisibly in an iframe, on top of an attacker's fake interface, so a click on the decoy lands on your real controls. Advanced versions chain multiple clicks (multi-step clickjacking) to complete multi-step operations like enabling OAuth apps, deleting data, or sending money. Without a CSP frame-ancestors directive or an X-Frame-Options header, the browser receives no instruction to refuse embedding and will render the page inside any frame.
// BAD: no framing protection at all
// next.config.ts with no headers() entry
// No X-Frame-Options, no CSP frame-ancestors
// Client also has no frame detection

// GOOD: headers + client-side defense-in-depth
// next.config.ts
import type { NextConfig } from 'next';
const securityHeaders = [
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Content-Security-Policy', value: "frame-ancestors 'none'" },
];

const nextConfig: NextConfig = {
  async headers() {
    // Apply to every route, including settings and payment pages
    return [{ source: '/(.*)', headers: securityHeaders }];
  },
};
export default nextConfig;

// Optional JS defense (belt and suspenders), in client-side code:
// if the page is framed, navigate the top-level window to it
if (window.top !== window.self) window.top!.location = window.location.href;

Real-World Example
Twitter had a clickjacking vulnerability (2009) that allowed attackers to make users follow accounts or post tweets without their knowledge. The attack page showed a game with invisible Twitter buttons positioned underneath the clickable game elements.
How to Prevent It
- Set both X-Frame-Options: DENY and CSP frame-ancestors 'none' headers (browsers that support CSP apply frame-ancestors and ignore X-Frame-Options when both are present; the older header still covers browsers without CSP support)
- Add JavaScript frame-busting as a secondary defense only (headers are the real protection)
- Pay special attention to settings, payment, and permission-granting pages
- Test by trying to embed your site in an iframe — it should refuse
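A header-level version of the last check, as an added example that is not part of this page or of Data Hogo's scanner: it classifies a response's framing protection from its headers, using constructed sample header sets; the `checkUrl` helper assumes Node 18+ for the global `fetch`.

```javascript
// Parse a CSP header value into a directive map, e.g.
// "default-src 'self'; frame-ancestors 'none'" -> { 'default-src': ["'self'"], 'frame-ancestors': ["'none'"] }
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives;
}

// headers: object keyed by lower-case header name (the shape Node's fetch Headers gives you).
// Only the enforcing Content-Security-Policy header counts; a Report-Only policy does not block framing.
// Returns { level, reason } with level 'protected' | 'legacy-only' | 'unprotected'.
function assessFraming(headers) {
  const csp = headers['content-security-policy'];
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (csp) {
    const fa = parseCsp(csp)['frame-ancestors'];
    if (fa) {
      // CSP-aware browsers ignore X-Frame-Options once frame-ancestors is present, so it decides.
      if (fa.includes('*')) return { level: 'unprotected', reason: 'frame-ancestors allows any origin (*)' };
      if (fa.every(v => v === "'none'")) return { level: 'protected', reason: "frame-ancestors 'none'" };
      return { level: 'protected', reason: 'frame-ancestors limited to: ' + fa.join(' ') };
    }
  }
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { level: 'legacy-only', reason: `X-Frame-Options: ${xfo} without CSP frame-ancestors` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { level: 'unprotected', reason: 'X-Frame-Options ALLOW-FROM is ignored by current browsers' };
  }
  return { level: 'unprotected', reason: 'no X-Frame-Options and no CSP frame-ancestors' };
}

// Fetch a URL and assess it. redirect: 'manual' so a login redirect's headers
// are not mistaken for those of the settings or payment page you meant to check.
async function checkUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  const headers = {};
  res.headers.forEach((value, name) => { headers[name.toLowerCase()] = value; });
  return { url, status: res.status, ...assessFraming(headers) };
}

// Constructed sample header sets (not real scan output):
const SAMPLES = {
  bad: {},                                                   // the BAD config above
  good: { 'x-frame-options': 'DENY',
          'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  legacyOnly: { 'x-frame-options': 'SAMEORIGIN' },
  wildcard: { 'content-security-policy': 'frame-ancestors *' },
};
for (const [name, h] of Object.entries(SAMPLES)) console.log(name, assessFraming(h));
```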