Clickjacking defense
Clickjacking was covered in Chapter 5, Attacking Authentication, and is the technique where an attacker tricks a user into clicking on something other than what they believe they are clicking on. One of the best ways to protect against clickjacking on the client side is by running the NoScript extension for Firefox or Chrome browsers. This will prevent unauthorized code from running in your web browser. NoScript can detect unauthorized scripts, alert the user to the script, and prevent the script from running. Users have the ability to turn off scripting controls globally, per session, or per website.
The authors of this book are big fans of NoScript; however, you should encourage web developers to set the X-Frame-Options header in HTTP responses to mitigate this risk in web applications. Furthermore, some application delivery controller (ADC) appliances give administrators the option of writing custom scripts that can also help mitigate this risk.
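As an added example (not code from the book), the following script lets an administrator audit a server's own responses for the X-Frame-Options header recommended above; it goes beyond the text by also checking the Content-Security-Policy frame-ancestors directive, which modern browsers honour in preference to X-Frame-Options when both are present. The sample responses are constructed.

```python
"""Classify a server's clickjacking defenses from raw HTTP response headers."""
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into lower-cased name -> list of values.
    A header may legitimately repeat; the body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue                      # status line or malformed line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(headers: Dict[str, List[str]]) -> List[str]:
    """Return the source list of the first CSP frame-ancestors directive, or []."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.strip("'").lower() for t in tokens[1:]]
    return []


def assess_framing(raw: str) -> str:
    """Classify a response as 'protected', 'restricted', 'weak' or 'framable'."""
    headers = parse_headers(raw)
    sources = frame_ancestors(headers)
    if sources:                           # CSP takes precedence over X-Frame-Options
        if sources in (["none"], ["self"]):
            return "protected"
        if "*" in sources:
            return "framable"             # any origin may frame the page
        return "restricted"               # explicit allow-list: review each origin
    xfo = headers.get("x-frame-options", [])
    if not xfo:
        return "framable"                 # no header at all: the page can be framed anywhere
    values = {v.upper() for v in xfo}
    if len(values) == 1 and values <= {"DENY", "SAMEORIGIN"}:
        return "protected"
    # ALLOW-FROM is obsolete and ignored by current browsers; unrecognised or
    # conflicting values cannot be relied on either, so report them for fixing.
    return "weak"


# Constructed sample responses (not captured from any real site).
SAMPLE_OK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
SAMPLE_CSP = ("HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n"
              "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING), ("csp", SAMPLE_CSP)):
        print(f"{label}: {assess_framing(sample)}")
```

Feed it the raw output of a request to each of your application's pages (for example, the head of a `curl -i` response) to spot pages that ship without a framing policy.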
Tip
Some websites may have legitimate reasons...