Clickjacking Attack Vulnerability

What is a Clickjacking Attack?

A clickjacking attack is a technique that uses transparent or opaque layers to trick a user into clicking a hidden button or link on a web page. The click then redirects the user to a malicious page or link.

It refers to any attack in which the user unintentionally clicks an unexpected web page element, so that something other than what they intended is opened or triggered.

Other names for clickjacking:

  1. User Interface redress attack
  2. UI redress attack, or UI redressing

How does Clickjacking work?

A clickjacking attack abuses features of HTML and JavaScript to force the victim to perform undesired actions by clicking a button that actually acts against the victim.

In other words, it is a “client-side” security issue that affects a variety of browsers and platforms. To carry out this technique, the attacker creates a malicious web page that loads the target application inside an iframe.

The attacker then convinces the victim to interact with this fake website.

It is similar to a social engineering attack, in that the attacker lures the victim to the malicious page.

It is found mostly on login pages and payment portals, and it is critical on payment portal pages.

Example of an attack:

A basic scenario of clickjacking

The attacker sends the victim a link through email or social media, and the victim opens the malicious link in the browser.

An example of a clickjacking attack

The victim then views a web page that looks like a legitimate website. The attacker has added a transparent iframe layer over it, making the page clickable through malicious links attached to that layer.

How a clickjacking attack works

After the victim clicks anywhere on this page, the click is passed through to the vulnerable web page.

Another example of how a clickjacking attack works

Mitigation

X-Frame-Options

The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame>, <iframe>, or <object>. Sites use it to prevent clickjacking by ensuring their content is not embedded in other sites.

Note that this additional protection is only provided if the user's browser supports X-Frame-Options.

Example Apache directive: Header always set X-Frame-Options "SAMEORIGIN" (the header accepts the values DENY, SAMEORIGIN, and ALLOW-FROM uri).
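A small checker for the header logic described above, written as an added example rather than code from the original article: it takes a response's headers as a plain object with lower-case names and reports whether they stop the page from being framed. It also reads Content-Security-Policy frame-ancestors, which current browsers honour in preference to X-Frame-Options, and treats the obsolete ALLOW-FROM value as unprotected; the sample headers at the bottom are constructed.

```javascript
// Added example: classify a response's headers by how well they defend
// against clickjacking. CSP frame-ancestors is checked first because
// browsers give it precedence over X-Frame-Options when both are present.

function parseFrameAncestors(csp) {
  // Returns the lower-cased source list of frame-ancestors, or null if absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function framingProtection(headers) {
  // headers: { 'header-name': 'value' } with lower-case header names.
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors) {
    // 'none' (or an empty source list) matches no ancestor, so framing is blocked.
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { protected: true, source: 'csp', note: 'frame-ancestors forbids all framing' };
    }
    if (ancestors.includes('*')) {
      return { protected: false, source: 'csp', note: 'frame-ancestors * lets any site frame the page' };
    }
    return { protected: true, source: 'csp', note: 'framing limited to ' + ancestors.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, source: 'x-frame-options', note: xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete value: current browsers ignore it, leaving the page framable.
    return { protected: false, source: 'x-frame-options', note: 'ALLOW-FROM is obsolete; use CSP frame-ancestors' };
  }
  return { protected: false, source: 'none', note: 'no anti-framing header present' };
}

// Constructed sample response headers, as a misconfigured server might send them.
const sampleHeaders = { 'x-frame-options': 'ALLOW-FROM https://trusted.example' };
console.log(framingProtection(sampleHeaders).note);
```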

Frame-Killing

In older browsers, the most common way to protect users against clickjacking is frame-killing (frame-busting) JavaScript. Including the snippet in a page prevents it from being rendered inside foreign iframes.
