Script to check website vulnerability to clickjacking attacks. Uses Flask for web interaction, requests_html & BeautifulSoup for parsing, and provides protection recommendations.
from urllib.parse import quote

from bs4 import BeautifulSoup
from requests_html import HTMLSession
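# Exact chip text the scan page shows when the target can be framed; the
# remediation advice is printed only when this string matches.
VULNERABLE_TEXT = "It is vulnerable to clickjacking attack."

# Remediation advice printed for a vulnerable target.
# NOTE: "X-FRAME-OPTIONS: ALLOW-FROM" is obsolete in current browsers; the
# CSP "frame-ancestors" directive is the supported way to allow-list framers.
# The PHP snippet originally repeated the Node.js "response.setHeader" lines;
# it now uses PHP's header() as the Wordpress section below already does.
HOW_TO_PROTECT = '''
\t How To Protect Your Website From Clickjacking
[+] X-Frame-Options
1. X-FRAME-OPTIONS: DENY
2. X-FRAME-OPTIONS: SAMEORIGIN
3. X-FRAME-OPTIONS: ALLOW-FROM https://example.com
[+] Content-Security-Policy
1. Content-Security-Policy: frame-ancestors 'none'
2. Content-Security-Policy: frame-ancestors 'self'
3. Content-Security-Policy: frame-ancestors https://example.com
[+] Frame busting
<style>
/* Hide page by default */
html { display : none; }
</style>
<script>
if (self == top) {
// Everything checks out, show the page.
document.documentElement.style.display = 'block';
} else {
// Break out of the frame.
top.location = self.location;
}
</script>
[+] Code Snippets
1. NodeJS
response.setHeader("X-Frame-Options", "DENY");
response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
2. Java
public void doGet(HttpServletRequest request, HttpServletResponse response)
{
response.addHeader("X-Frame-Options", "DENY");
response.addHeader("Content-Security-Policy", "frame-ancestors 'none'");
}
3. PHP
header('X-Frame-Options: DENY');
header("Content-Security-Policy: frame-ancestors 'none'");
4. Python
response.headers["X-Frame-Options"] = "DENY"
response.headers["Content-Security-Policy"] = "frame-ancestors 'none'"
[+] Web Server & Frameworks config:
1. Apache
Enable mod_headers using this command:
a2enmod headers
Restart the apache server
sudo service apache2 restart
Open and edit the config file in sites-available folder
sudo nano 000-default.conf
Add the following lines in <Virtual host>
Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "frame-ancestors 'none'"
2. Nginx
Open and edit the config file in sites-available folder
sudo nano default
Add the following lines in {Server block}
add_header X-Frame-Options "DENY";
add_header Content-Security-Policy "frame-ancestors 'none'";
Restart the nginx server
sudo service nginx restart
3. Wordpress
Open and edit the wp-config.php file
sudo nano wp-config.php
Add the following lines in the end of the file
header('X-Frame-Options: SAMEORIGIN');
header("Content-Security-Policy: frame-ancestors 'none'");
'''


def build_scan_url(website: str) -> str:
    """Return the clickjacker.io test URL for *website*.

    The user-supplied value is percent-encoded (``safe=""``) so characters
    such as ``&``, ``#`` or ``?`` in it cannot truncate or rewrite the query
    string of the request sent to the scanning service.
    """
    return "https://clickjacker.io/test?url=" + quote(website, safe="")


def fetch_rendered_html(url: str) -> str:
    """Fetch *url*, render its JavaScript and return the resulting HTML.

    Raises ``requests.HTTPError`` on a non-2xx response instead of letting a
    later ``None`` lookup fail with an unrelated AttributeError. The session
    is always closed, even when rendering fails.

    NOTE: ``render()`` drives a headless browser (requests_html / pyppeteer);
    the first call may download a browser binary — confirm before running in
    a locked-down environment.
    """
    session = HTMLSession()
    try:
        response = session.get(url)
        response.raise_for_status()
        response.html.render(sleep=3, timeout=20)
        return response.html.html
    finally:
        session.close()


def element_text(soup, *args, default: str = "n/a", **kwargs) -> str:
    """Return ``.text`` of the first element matching ``soup.find(...)``.

    Returns *default* when nothing matches, so a scan page that failed to
    render produces a readable report instead of an AttributeError on None.
    """
    element = soup.find(*args, **kwargs)
    return default if element is None else element.text


def extract_table_data(soup) -> dict[str, str]:
    """Return ``{label: value}`` from the first table's two-cell rows.

    Rows with a cell count other than two are skipped; an absent table
    yields an empty dict rather than raising.
    """
    table = soup.find("table")
    if table is None:
        return {}
    data: dict[str, str] = {}
    for row in table.find_all("tr"):
        cells = row.find_all("td")
        if len(cells) == 2:
            label, value = (cell.text.strip() for cell in cells)
            data[label] = value
    return data


def report(soup) -> None:
    """Print the scan headline, result table, scan counter and verdict.

    The verdict comes from the ``div.chip`` element with id ``notsafe`` or
    ``safe``; when neither is present the page is reported as undetermined
    instead of crashing on ``safe_alert.text``.
    """
    print(element_text(soup, "h4", id="results"))
    for label, value in extract_table_data(soup).items():
        print(f"{label}: {value}")
    print("Total scans so far:", element_text(soup, "p", class_="total"))

    alert = soup.find("div", {"class": "chip", "id": "notsafe"})
    safe_alert = soup.find("div", {"class": "chip", "id": "safe"})
    if alert is not None:
        print("VULN or Not:", alert.text)
        if alert.text.strip() == VULNERABLE_TEXT:
            print(HOW_TO_PROTECT)
    elif safe_alert is not None:
        print("VULN or Not:", safe_alert.text)
        print("Website is not vulnerable to clickjacking.")
    else:
        print("VULN or Not: undetermined (no result chip found on the scan page)")


def main() -> None:
    """Prompt for a website, submit it to clickjacker.io and print the report.

    The scan is performed by the third-party service, so the entered address
    is disclosed to it (and to anything it logs); only submit hosts you are
    allowed to share with an external scanner.
    """
    website = input("Enter the website to check for clickjacking vulnerability: ").strip()
    html_content = fetch_rendered_html(build_scan_url(website))
    report(BeautifulSoup(html_content, "html.parser"))


if __name__ == "__main__":
    main()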
ClickJacking Detected
Not ClickJacking Detected