clickjacking.py
import requests, argparse #argparse for parsing command-line arguments
# Function to check if a website is vulnerable to clickjacking
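# X-Frame-Options values that forbid cross-origin framing. Anything else
# (including the obsolete ALLOW-FROM form) is treated as not protecting.
_RESTRICTIVE_XFO = ("deny", "sameorigin")


def _with_scheme(url):
    """Return *url* unchanged if it carries an http(s) scheme, else prefix https://."""
    if url.lower().startswith(("http://", "https://")):
        return url
    return "https://" + url


def _csp_restricts_framing(csp):
    """Return True if the CSP string *csp* has an enforcing frame-ancestors directive.

    Multiple CSP headers are joined with commas by requests, so each policy
    is split on ',' first and then on ';' per directive. A directive whose
    source list is exactly ``*`` allows any ancestor and does not restrict.
    """
    for policy in csp.split(","):
        for directive in policy.split(";"):
            tokens = directive.split()
            if not tokens or tokens[0].lower() != "frame-ancestors":
                continue
            sources = tokens[1:]
            # An empty source list matches nothing, i.e. behaves like 'none'.
            return "*" not in sources
    return False


def _framing_allowed(headers):
    """Return True when *headers* do not restrict framing of the page.

    Header names are matched case-insensitively so plain dicts and
    requests' CaseInsensitiveDict behave the same. Only the enforcing
    Content-Security-Policy header is consulted; the Report-Only variant
    does not block framing and is deliberately ignored.
    """
    lowered = {str(k).lower(): str(v) for k, v in headers.items()}
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo in _RESTRICTIVE_XFO:
        return False
    if _csp_restricts_framing(lowered.get("content-security-policy", "")):
        return False
    return True


def check_clickjacking(url, timeout=10):
    """Return True if *url* appears to allow being framed by other origins.

    A page is reported as frameable when the response carries neither a
    restrictive X-Frame-Options header (DENY / SAMEORIGIN) nor a
    Content-Security-Policy frame-ancestors directive other than ``*``.
    Checking CSP avoids a false positive on sites that rely on
    frame-ancestors instead of the older header.

    Args:
        url: Target URL; ``https://`` is prepended when no scheme is given.
        timeout: Seconds to wait for the HTTP response. Without it a
            non-responding host would block the scan indefinitely.

    Returns:
        True when framing appears allowed. False when framing is
        restricted, and also when the request fails (the error is printed
        and the caller cannot distinguish the two cases).
    """
    url = _with_scheme(url)
    try:
        response = requests.get(url, timeout=timeout)
    except requests.exceptions.RequestException as e:
        print(f"An error occurred while checking {url} - {e}")
        return False
    return _framing_allowed(response.headers)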
# Main function to parse arguments and check the URL
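def main():
    """Parse command-line arguments, run the check and print the verdict.

    With ``-l/--log`` the page is fetched a second time and every response
    header is printed so the framing-related headers can be inspected by hand.
    """
    parser = argparse.ArgumentParser(description='Clickjacking Vulnerability Scanner')
    parser.add_argument('url', type=str, help='The URL of the website to check')
    parser.add_argument('-l', '--log', action='store_true', help='Print out the response headers for analysis')
    args = parser.parse_args()
    url = args.url

    if check_clickjacking(url):
        print(f"[+] {url} may be vulnerable to clickjacking.")
    else:
        # check_clickjacking returns False on a failed request as well, so
        # this verdict is also printed after a connection error.
        print(f"[-] {url} is not vulnerable to clickjacking.")

    if not args.log:
        return

    # Mirror the scheme handling of the check so both requests hit the same URL.
    if not url.startswith(('http://', 'https://')):
        url = 'https://' + url
    try:
        # Bounded wait: an unresponsive host would otherwise hang the tool.
        response = requests.get(url, timeout=10)
    except requests.exceptions.RequestException as e:
        # Report the failure instead of leaking a traceback to the user.
        print(f"An error occurred while fetching headers from {url} - {e}")
        return
    print("\nResponse Headers:")
    for header, value in response.headers.items():
        print(f"{header}: {value}")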
if __name__ == "__main__":
    # Run the scanner only when executed as a script, not when imported.
    main()