PCI Compliance failure due to Clickjacking threat
Recently I’ve come across a new PCI compliance failure “Web Application Potentially Vulnerable to Clickjacking”.
What is Clickjacking?
Clickjacking uses iframes to place a transparent layer over a website, so the attacker can hijack the clicks and keystrokes the user enters. It is also known as a "UI redress attack" because it alters the user's interface.
This means users can be fooled into giving up usernames and passwords when they think they are logging into a legitimate website, not realising there is a layer between them and the legitimate site intercepting those details.
How to fix this vulnerability
To prevent clickjacking on websites you look after, you need to stop other sites from displaying your website inside an iframe. The X-Frame-Options response header tells the browser whether a page may be framed; a value of SAMEORIGIN allows framing only by pages from the same origin, and DENY forbids it entirely.
IIS
The site I look after was running an SBS 2008 server and these are the steps I took.
Open IIS Manager and navigate to the Default web site.
Open HTTP Response Headers and click Add under the actions menu.
Enter a Name of X-FRAME-OPTIONS and a Value of SAMEORIGIN.
I then restarted IIS by running iisreset from an elevated command prompt.
I have since re-run the PCI compliance scan.
Apache
To configure Apache, make sure mod_headers is enabled and add the following line to your configuration (the main configuration file or the relevant virtual host):
Header always set X-Frame-Options "SAMEORIGIN"
Use set rather than append: append merges with any X-Frame-Options value that is already being sent, producing a comma-separated list such as SAMEORIGIN, SAMEORIGIN, and browsers treat the header as invalid when it carries more than one value.
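One way to verify the fix on either server, as an added example that is not part of the original post: the script below applies the same test a compliance scanner does to the response headers of a URL (assumed to be passed as its first argument), flagging a missing header, a duplicated value such as SAMEORIGIN, SAMEORIGIN, and the obsolete ALLOW-FROM form, and accepting a Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options.

```python
import sys
import urllib.request

# Added example: evaluates response headers the way a clickjacking scan does.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def frame_ancestors(csp_values):
    """Return the frame-ancestors directive from CSP header value(s), or None."""
    for csp in csp_values:
        for directive in csp.split(";"):
            name, _, value = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors" and value.strip():
                return value.strip()
    return None


def check_framing_protection(headers):
    """headers: (name, value) pairs as sent by the server. Returns (protected, reason)."""
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]

    fa = frame_ancestors(csp)
    if fa is not None:  # CSP frame-ancestors takes precedence over X-Frame-Options
        return True, f"CSP frame-ancestors {fa}"
    if not xfo:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    # Two headers, or 'Header append' on an existing one, yield a comma-separated
    # list such as "SAMEORIGIN, SAMEORIGIN"; browsers then treat the header as invalid.
    values = [v.strip().upper() for raw in xfo for v in raw.split(",") if v.strip()]
    if len(values) != 1:
        return False, f"expected one X-Frame-Options value, got {values}"
    if values[0] not in VALID_XFO:
        return False, f"unsupported X-Frame-Options value {values[0]!r} (ALLOW-FROM is obsolete)"
    return True, f"X-Frame-Options {values[0]}"


def check_url(url):
    """Fetch url (following redirects) and evaluate the final response's headers."""
    with urllib.request.urlopen(url) as resp:
        return check_framing_protection(resp.getheaders())


if __name__ == "__main__":
    ok, why = check_url(sys.argv[1])
    print(("PASS: " if ok else "FAIL: ") + why)
```

Run it against the site's public URL after restarting the server; redirects are followed, so the page that is actually checked is the one the scanner ends up on.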
You can find out more here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
and
https://www.owasp.org/index.php/Clickjacking