Secure .NET Core Applications From ClickJacking: .NET Core Security Part III

We continue our look at .NET Core security by examining ClickJacking and how to prevent this type of cyberattack in your web app.

By Neel Bhatt · Mar. 13, 18 · Tutorial

In this series of posts, we go over how to secure your .NET Core applications.

In this post, we look at how to protect a .NET Core web application from a ClickJacking attack.

What Is ClickJacking?

Per OWASP:

"Clickjacking, also known as a 'UI redress attack,' is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is 'hijacking' clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both."

For example:

  • A malicious website invites the user to click a button, for example by showing an ad.
  • Behind that button, invisible to the user, the malicious site has loaded the bank's site in a transparent frame and positioned the bank's Transfer Money button exactly under the decoy button.
  • The user is already logged in to the bank, so the browser attaches the existing session cookies to every request the framed bank page makes. The attacker never needs the user's credentials; the user's own authenticated session does the work.
  • When the user clicks on the decoy button, the click actually lands on the bank's button inside the frame, and the amount is transferred from the user's account to the attacker's account.

How to Prevent This?

We need to prevent our site from being opened in a frame at all, or allow it to be framed only by pages from our own origin (or, with the modern CSP directive, from a specific list of origins).

We can do this by adding a response header. The older header is X-Frame-Options, which takes one of these values:

  • X-Frame-Options: DENY

This prevents the browser from showing the page in any frame.

  • X-Frame-Options: SAMEORIGIN

This allows the page to be framed only by pages from the same origin.

  • X-Frame-Options: ALLOW-FROM https://mysite.com

This was meant to allow framing by one specific origin, but current browsers do not honour ALLOW-FROM (Chrome and Safari never supported it, and Firefox dropped it), so in practice it leaves the page unprotected. To allow a specific origin, use the Content-Security-Policy header instead, for example Content-Security-Policy: frame-ancestors 'self' https://mysite.com. When both headers are present, browsers that support frame-ancestors ignore X-Frame-Options, so if you send both, keep them consistent.
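As an added check that is not part of the original article, the Python function below encodes how browsers evaluate these headers, so you can see what a given set of response headers actually permits before shipping it. It assumes the response headers are supplied as (name, value) pairs, for example copied from the output of curl -I; the origins and header sets in the sample are constructed for illustration. It goes beyond the three values above in also evaluating the Content-Security-Policy frame-ancestors directive, which overrides X-Frame-Options when present, and in treating ALLOW-FROM the way current browsers do, as no protection at all.

```python
# Added example (not from the original article): decide whether a browser
# would let a page be framed, from the anti-framing response headers it sends.
# Browser rules implemented:
#   - a Content-Security-Policy frame-ancestors directive, when present, wins
#     and X-Frame-Options is ignored;
#   - X-Frame-Options: DENY blocks framing from any origin;
#   - X-Frame-Options: SAMEORIGIN allows framing only by the same origin;
#   - X-Frame-Options: ALLOW-FROM is not honoured by current browsers, so it
#     gives no protection (the page is frameable by anyone);
#   - several conflicting X-Frame-Options values are treated as a block
#     (a conservative choice made here, not a guarantee about every browser).
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Normalise a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url.strip())
    return f"{p.scheme}://{p.netloc}".lower()


def csp_frame_ancestors(csp_values):
    """Return the frame-ancestors source list, or None if no CSP declares it."""
    for value in csp_values:
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.strip("'").lower() for p in parts[1:]]
    return None


def source_matches(source, top_origin, page_origin):
    """Match one CSP source expression against the framing (top-level) origin."""
    if source == "none":
        return False
    if source == "*":
        return True
    if source == "self":
        return top_origin == page_origin
    top_scheme, top_host = top_origin.split("://", 1)
    if "://" in source:
        src_scheme, src_host = source.split("://", 1)
        if src_scheme != top_scheme:
            return False
    else:
        src_host = source
    if src_host.startswith("*."):
        return top_host.endswith(src_host[1:])
    return top_host == src_host


def framing_allowed(headers, top_url, page_url):
    """headers: list of (name, value) pairs as sent by the page's server.

    Returns True if a browser at top_url may embed page_url in a frame.
    """
    top, page = origin_of(top_url), origin_of(page_url)
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    ancestors = csp_frame_ancestors(csp)
    if ancestors is not None:
        return any(source_matches(s, top, page) for s in ancestors)
    # Flatten repeated headers and comma-separated lists into distinct tokens.
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]
    directives = {d.strip().upper() for v in xfo for d in v.split(",") if d.strip()}
    if not directives:
        return True            # no anti-framing header at all
    if len(directives) > 1:
        return False           # conflicting values: fail closed
    directive = directives.pop()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return top == page
    return True                # ALLOW-FROM or an unknown token: no protection


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    bank, evil = "https://bank.example", "https://evil.example"
    cases = {
        "no header":   [],
        "DENY":        [("X-Frame-Options", "DENY")],
        "SAMEORIGIN":  [("X-Frame-Options", "SAMEORIGIN")],
        "ALLOW-FROM":  [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
        "CSP self":    [("X-Frame-Options", "DENY"),
                        ("Content-Security-Policy", "frame-ancestors 'self'")],
    }
    for name, hdrs in cases.items():
        print(f"{name:11} framed by evil.example: {framing_allowed(hdrs, evil, bank)}")
```

Run it against the headers your application really sends (the antiforgery note below is one reason they may differ from what you configured). The ALLOW-FROM case returning True for an unrelated origin is the point to notice: the header looks like a restriction but protects nothing in a current browser.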

How to Prevent This in .NET Core

In .NET Core, we can add the header from inline middleware in the Configure method of the Startup.cs class. Register it before UseMvc (or UseEndpoints in later versions) so that every response passes through it, and set only one value: calling Headers.Add twice for the same header name throws on the duplicate key, and a browser would not accept two conflicting values anyway.

app.Use(async (context, next) =>
{
    // Pick one value: DENY blocks all framing, SAMEORIGIN allows framing by our own origin.
    context.Response.Headers["X-Frame-Options"] = "DENY";
    await next();
});

Or you can use the NWebsec NuGet package, which provides this as ready-made middleware (it can also emit the Content-Security-Policy header if you want the modern frame-ancestors equivalent).

First, install the NWebsec.AspNetCore.Middleware package:

dotnet add package NWebsec.AspNetCore.Middleware

And then add the line below in the Configure method of the Startup.cs class, again before the MVC middleware:

app.UseXfo(o => o.Deny());

Important Notes –

  • If you are using the AntiForgery token in your application, then ASP.NET Core's antiforgery system by default sets X-Frame-Options to SAMEORIGIN on responses where it generates a token, to protect those pages from ClickJacking.
  • So if you use AntiForgery along with the options mentioned above, the two can conflict: the antiforgery system writes its own SAMEORIGIN value on top of the header we set, so a page we intended to DENY can end up being SAMEORIGIN.
  • If you want to stop the antiforgery system from setting the frame header, add the line below in ConfigureServices:
services.AddAntiforgery(o => o.SuppressXFrameOptionsHeader = true);

This disables the header in Antiforgery so we can handle ClickJacking on our own, in one place. (Ref – https://github.com/aspnet/Mvc/issues/3958)

Hope this helps!

application .NET security

Published at DZone with permission of Neel Bhatt, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
