Clickjacking


Definition:

Clickjacking, also known as a "UI redress attack", is an attack in which the attacker tricks a user into clicking something different from what the user perceives, effectively hijacking the user's clicks. It is usually achieved by layering: the target site is loaded in a transparent frame on top of an attacker-controlled page, so that a click on the visible decoy actually lands on a concealed control of the target site beneath it.

Key Points:

  • Clickjacking exploits the way browsers handle content embedding and layering.

  • The user interacts with hidden elements thinking they are interacting with the visible elements.

Attack Scenario:

  1. Attacker creates a malicious webpage.

  2. This page contains an iframe embedding the target web page (e.g., a social media site).

  3. The iframe's opacity is set to zero, making it invisible.

  4. Over the invisible iframe, enticing content is placed (e.g., a button claiming to play a video).

  5. The user, attempting to interact with the enticing content, inadvertently interacts with the invisible iframe content, perhaps "liking" a post or changing settings.

Example Attack:

```html
<html>
<head>
    <style>
        /* Decoy the victim believes they are clicking */
        #evilButton {
            position: absolute;
            top: 50px;
            left: 50px;
            width: 120px;
            height: 40px;
        }

        /* Target page, fully transparent but still receiving clicks.
           It is sized like a normal viewport and shifted by negative
           offsets so that the target's own submit button (assumed here
           to sit 300px down and 200px across on the framed page) lies
           exactly under the decoy. */
        #hiddenIframe {
            opacity: 0;
            position: absolute;
            top: -250px;      /* 50px - 300px */
            left: -150px;     /* 50px - 200px */
            width: 800px;
            height: 600px;
            z-index: 2;       /* stack above the decoy so the click lands in the frame */
            border: 0;
        }
    </style>
</head>
<body>
    <button id="evilButton">Click to win a prize!</button>
    <!-- Assumed: this URL renders the change-password form with the new value
         pre-filled from the query string; nothing changes until the form's
         submit button is clicked. (A URL that changed the password on load
         would fire without any click, which is CSRF rather than clickjacking.) -->
    <iframe id="hiddenIframe" src="http://socialmedia.com/changePassword?newPassword=evilPassword"></iframe>
</body>
</html>
```

In the example, if a logged-in user of socialmedia.com visits this malicious page and clicks on the "Click to win a prize!" button, the click never reaches the decoy: it lands on the submit button of the pre-filled password form inside the invisible frame, so the user changes their password on socialmedia.com without realizing it. The decoy and the hidden control must overlap exactly, which is why real attacks size and offset the frame to the target's layout and often also set pointer-events and z-index explicitly.

Common Targets:

  • Social media actions (e.g., liking a post).

  • Changing user settings.

  • Initiating transactions or changing account details.

  • Any clickable web action that has side effects.

Mitigation:

  1. X-Frame-Options Header:

    • Send this HTTP response header with the value DENY (no framing allowed) or SAMEORIGIN (framing only by pages on the same origin as the content). It must be a real response header; browsers ignore it in a <meta> tag. The older ALLOW-FROM value is obsolete and no longer honoured, so X-Frame-Options cannot allow-list third-party framers.

  2. Content Security Policy (CSP):

    • Use the frame-ancestors directive to list which origins may frame your content: 'none', 'self', or specific host sources. Browsers that support it give frame-ancestors precedence over X-Frame-Options, so send both: CSP for the precise policy and X-Frame-Options as a fallback. Like X-Frame-Options, frame-ancestors only works as a response header, not in a <meta> CSP.

  3. Frame-Breaker Scripts:

    • JavaScript that checks whether the page is the top-level window and, if it finds itself framed, hides the content and redirects the top-level window. Treat this as defence in depth only: an attacker can neutralise it with the iframe sandbox attribute (which blocks top-level navigation) or by other known bypasses, so the HTTP headers above remain the primary control.

  4. Visible Borders:

    • Where your site is legitimately framed, render a visible and distinctive border so users can tell that the content is embedded from another site. This does not help against an attacker's frame, which is rendered invisible, so it is a usability aid rather than a protection.

  5. User Action Verification:

    • For critical actions (e.g., changing account settings), require re-authentication, a confirmation step that cannot be completed with a single click, or a CAPTCHA.
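The following is an added example, not code from the original page, showing how a server picks the header combination above and how the legacy frame-buster is written as a backup. The function names, the origin https://partner.example and the page layout in the handler are assumptions for illustration. It goes slightly beyond the list: it also shows why no X-Frame-Options value can be sent once a third-party ancestor is allowed.

```javascript
// Added example, not code from the original page: picking the anti-framing
// response headers for a page, plus the legacy frame-buster as defence in
// depth. Origins such as https://partner.example are made-up placeholders.

// Accept 'self' or an absolute http(s) origin, optionally with a '*.' host prefix.
function isValidAncestor(source) {
  return source === 'self' ||
    /^https?:\/\/(\*\.)?[A-Za-z0-9.-]+(?::\d+)?$/.test(source);
}

// Headers to send for a page that may be framed only by allowedAncestors.
// frame-ancestors is the precise control and takes precedence over
// X-Frame-Options in browsers that support it; X-Frame-Options is kept as a
// fallback where it can express the same policy.
function buildAntiFramingHeaders(allowedAncestors) {
  for (const a of allowedAncestors) {
    if (!isValidAncestor(a)) throw new Error(`invalid frame ancestor: ${a}`);
  }
  const sources = allowedAncestors.map(a => (a === 'self' ? "'self'" : a));
  const headers = {
    'Content-Security-Policy':
      `frame-ancestors ${sources.length ? sources.join(' ') : "'none'"}`,
  };
  if (sources.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (sources.length === 1 && sources[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  // With third-party ancestors there is no X-Frame-Options value to send:
  // ALLOW-FROM is obsolete and ignored, and SAMEORIGIN would wrongly block
  // the partners in a browser that lacks frame-ancestors support.
  return headers;
}

// Legacy frame-buster, to be inlined in the page as defence in depth only.
// The document starts hidden (html { display: none } in its CSS) and is only
// revealed when the window is top-level; a framed copy stays blank and tries
// to escape. An attacker can block the escape with <iframe sandbox="allow-scripts">,
// which is why the headers above are the real control.
function installFrameBuster(win) {
  const root = win.document.documentElement;
  if (win.self === win.top) {
    root.style.display = 'block';   // top-level: override the hiding rule
    return false;
  }
  root.style.display = 'none';      // framed: keep the content unclickable
  try {
    win.top.location = win.self.location;   // attempt to break out of the frame
  } catch (e) {
    // navigation refused (sandboxed frame); the page simply stays hidden
  }
  return true;
}

// Request handler in the shape Node's http.createServer expects: sets the
// headers and serves a page with the buster inlined.
function handleRequest(req, res) {
  const body = '<!doctype html><html><head><style>html{display:none}</style>' +
    '</head><body><h1>Settings</h1>' +
    `<script>(${installFrameBuster.toString()})(window)</script></body></html>`;
  res.writeHead(200, {
    'Content-Type': 'text/html; charset=utf-8',
    ...buildAntiFramingHeaders(['self']),
  });
  res.end(body);
}
```

Pass handleRequest to http.createServer to serve it. The buster hides the whole document first and only reveals it when self === top, so even when the escape is blocked the framed copy shows nothing a victim could be tricked into clicking.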

Detection:

  1. Manual Testing:

    • Identify state-changing actions that complete with a single click (like, follow, confirm, delete) and check whether their pages can be framed: load the page in an iframe from a different origin (a local HTML file with an iframe pointing at it is enough) and see whether it renders, and inspect the response for an X-Frame-Options header or a CSP frame-ancestors directive.

  2. Automated Tools:

    • Tools like Burp Suite and OWASP ZAP flag responses that lack X-Frame-Options and frame-ancestors. Confirm such findings manually: a passive header check cannot tell whether the page has any click-triggered side effect, and a page protected by frame-ancestors alone is not vulnerable even if X-Frame-Options is missing.
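As an added example (not part of the original page, and not the code of Burp or ZAP), here is the header check such a scanner performs, written out from the semantics of X-Frame-Options and CSP frame-ancestors. It goes beyond the bullet list above in two ways a practitioner cares about: it applies the precedence rule (frame-ancestors overrides X-Frame-Options when both are present) and it treats an unsupported value such as ALLOW-FROM as no protection. The origins app.example, attacker.example and partner.example and the sample responses are constructed.

```javascript
// Added example, not from the original page: the header check a scanner
// such as Burp or ZAP performs for missing clickjacking protection, written
// out from the semantics of X-Frame-Options and CSP frame-ancestors. The
// origins and response headers below are constructed samples.

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Source list of the frame-ancestors directive in a CSP value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Does one frame-ancestors source match the framing origin? Host matching is
// a simplified CSP3: a scheme-less source matches https or the page's own
// scheme, '*.host' needs at least one extra label, and a missing port is not checked.
function sourceMatches(source, framer, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framer === pageOrigin;
  if (s === '*') return true;
  const f = new URL(framer);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return f.protocol === s;   // scheme source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  const pageScheme = new URL(pageOrigin).protocol;
  const schemeOk = scheme
    ? f.protocol === `${scheme}:`
    : f.protocol === 'https:' || f.protocol === pageScheme;
  if (!schemeOk) return false;
  if (wild ? !f.hostname.endsWith(`.${host}`) : f.hostname !== host) return false;
  const framerPort = f.port || DEFAULT_PORT[f.protocol] || '';
  return !port || port === '*' || port === framerPort;
}

// Can a response carrying these headers be framed by framer? frame-ancestors
// wins when present; an unsupported X-Frame-Options value (ALLOW-FROM, typos)
// is ignored by browsers and therefore gives no protection at all.
function canBeFramedBy(headers, pageOrigin, framer) {
  const h = lowerKeys(headers);
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors) {
    const ok = ancestors.some(src => sourceMatches(src, framer, pageOrigin));
    return { framable: ok, control: 'frame-ancestors' };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: false, control: 'X-Frame-Options' };
  if (xfo === 'SAMEORIGIN') return { framable: framer === pageOrigin, control: 'X-Frame-Options' };
  return { framable: true, control: xfo ? 'X-Frame-Options (unsupported value, ignored)' : 'none' };
}

// Scanner-style finding: framable from an arbitrary attacker origin?
function auditResponse(name, headers, pageOrigin) {
  const r = canBeFramedBy(headers, pageOrigin, 'https://attacker.example');
  return { name, vulnerable: r.framable, control: r.control };
}

// Constructed responses for a page on https://app.example
const SAMPLES = [
  ['no protection', { 'Content-Type': 'text/html' }],
  ['obsolete ALLOW-FROM', { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' }],
  ['XFO only', { 'X-Frame-Options': 'SAMEORIGIN' }],
  ['CSP overrides XFO', { 'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors *" }],
  ['hardened', { 'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'" }],
];

function runAudit() {
  return SAMPLES.map(([name, h]) => auditResponse(name, h, 'https://app.example'));
}

for (const f of runAudit()) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'protected '} ${f.name} (decided by ${f.control})`);
}
```

The "CSP overrides XFO" sample is the one that trips naive checks: X-Frame-Options: DENY is present, yet a frame-ancestors * in the same response makes the page framable by anyone. Comma-joined multiple X-Frame-Options values are not modelled here; treat them as a finding to inspect by hand.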

Miscellaneous Notes:

  • Browsers enforce the headers above, and Chromium-based browsers treat cookies without a SameSite attribute as Lax, so a cross-site frame often loads the target without the victim's session. Neither replaces an explicit framing policy: cookies marked SameSite=None are still sent to the frame, and other browsers apply different defaults.

  • Clickjacking deceives the user rather than exploiting a code-level bug in the target; the weakness is a missing framing policy on a page whose controls have single-click side effects.

Conclusion:

Clickjacking manipulates the user's trust in the UI to deceive them into performing unintended actions. It's crucial to prevent your pages from being embedded maliciously by sending the appropriate headers (X-Frame-Options and a CSP frame-ancestors directive), with frame-breaking scripts only as a backup. By doing so, you protect not only the integrity of your application but also the trust users place in your UI. Regular testing for clickjacking vulnerabilities and understanding the potential risks associated with UI interactions can significantly reduce the threat.
