🧠 ज्ञान उद्यान

Clickjacking

5 min read

What is Clickjacking?

Clickjacking, also known as a “UI redress attack” is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website. In simple words, an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

How does Clickjacking work?

Clickjacking works by using an iframe to load a vulnerable website on top of an attacker’s controlled domain.

Let’s take an example

Website A : A website vulnerable to clickjacking which says that “You won a free iPhone!” so that the victim gets lured by “Claiming the Prize!“. Website B : It is an attacker controlled website wherein you have the option to “Pay”.

This is the exact scenario of how Clickjacking works. Attackers create an attractive website, in our case website A, to lure the victim. Create an iframe and load it in the attacker controlled domain which is website B. In this manner the attacker manages to fool the victim and make him pay while attracting him for a free prize!

Severity

Clickjacking based vulnerabilities are one of the simple bugs to find and are classified into two types:

  1. Clickjacking on Non-Sensitive Pages
  2. Clickjacking on Sensitive Pages

Clickjacking on Non-Sensitive Pages are generally considered as Informational and categorized as P5 vulnerability where-as Clickjacking on Sensitive Pages are categorized as P4.

Clickjacking on sensitive pages can also increase the impact of account takeover and hence can sometimes go up to P3 category.

How to demonstrate Clickjacking vulnerabilities

To demonstrate Clickjacking vulnerabilities, we first need to check for X-Frame-Options.

X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value “X-Frame-Options: SAMEORIGIN”.

To check if a website has X-Frame-Options set or not simply go to https://securityheaders.com/, Over here simply type-in the website you want to check for and hit Scan.

  • Clickjacking on non-sensitive pages To demonstrate clickjacking on non-sensitive pages replace {URL} with the URL of the vulnerable target in the below HTML file, save and run in the web browser. Take a snapshot as your proof of concept (POC).
<html>
	<head>
		<title>Clickjack test page</title>
	</head>
	<body>
		<p>Website is vulnerable to clickjacking!</p>
		<iframe src="{URL}" width="500" height="500"></iframe>
	</body>
</html>

  • Clickjacking on sensitive pages Try to mask fields accepting sensitive input with your(attacker) HTML which if triggered with inputs by the victim will send information back to attacker.

    There are many resources to simulate this, to keep things easy let’s use https://hacktify.in/clickjacking/. Here proceed as instructed to map attacker input fields onto websites vulnerable to clickjacking.

Impact of Clickjacking

Attackers may abuse clickjacking vulnerabilities for many different purposes:

  1. To gain followers on social media and then, possibly, sell the social media account/page for mass marketing.
  2. To gain email or RSS subscribers for the same purpose as social media followers.
  3. To use the fact that the user is logged into their e-commerce account and have them buy products on behalf of the attacker.
  4. To have the user unknowingly transfer funds to the attacker.
  5. To have the user download malware (e.g. a trojan).

In general, clickjacking uses depend only on the attacker’s imagination and on finding a vulnerable tool page to use for that purpose.

Clickjacking Prevention

  1. Content Security Policy (CSP) Content Security Policy (CSP) is a detection and prevention mechanism that provides mitigation against attacks such as XSS and clickjacking. CSP is usually implemented in the web server as a return header of the form: Content-Security-Policy: policy

    where policy is a string of policy directives separated by semicolons. The CSP provides the client browser with information about permitted sources of web resources that the browser can apply to the detection and interception of malicious behaviors.

    The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application’s Content Security Policy. The frame-ancestors 'none' directive is similar in behavior to the X-Frame-Options deny directive. The frame-ancestors self' directive is broadly equivalent to the X-Frame-Options sameorigin directive.

  2. X-Frame-Options Header Types There are three possible values for the X-Frame-Options header:

    • DENY , which prevents any domain from framing the content. The DENY setting is recommended unless a specific need has been identified for framing.
    • SAMEORIGIN , which only allows the current site to frame the content.
    • ALLOW-FROM uri, which permits the specified ‘uri’ to frame this page. (e.g., ALLOW-FROM http://www.example.com ).

References

portswigger OWASP

Graph View

Backlinks