What is a Clickjacking Attack?
A clickjacking attack is a technique that uses transparent or opaque layers to trick a user into clicking a hidden button or link on a web page, which then redirects the user to a malicious page or link.
More generally, it refers to any attack in which the user unintentionally clicks an unexpected web page element, opening something they did not intend to.
Clickjacking is also known by other names:
- User Interface redress attack
- UI redress attack or UI redressing
How does Clickjacking work?
Clickjacking is a client-side security issue that affects a variety of browsers and platforms. To carry out this technique, the attacker creates a malicious web page that loads the target application inside an iframe.
The attacker then convinces the victim to interact with the fake website.
It is essentially a social engineering attack: the attacker manipulates the victim into visiting the malicious page.
It mostly targets login pages and payment portals, and it is especially critical on payment portal pages.
Example of an attack:
The attacker sends the victim a link to the malicious website through email or social media, and the victim opens the link in a browser.
The victim sees a web page that looks like a legitimate website. The attacker has overlaid a transparent iframe on it, so that clicks anywhere on the page land on hidden links or buttons.
Clicking anywhere on this page therefore delivers the click to the framed vulnerable web page instead of the content the victim sees.
The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame>, <iframe>, or <object>. Sites use it to prevent clickjacking attacks by ensuring their content is not embedded in other sites.
Note that this additional security is only provided if the user accessing the document is using a browser that supports X-Frame-Options.
In Apache the header is set with a directive such as `Header always set X-Frame-Options "SAMEORIGIN"`. The valid values are DENY (never allow framing), SAMEORIGIN (allow framing only from the same origin), and "ALLOW-FROM uri", which is obsolete and ignored by current browsers, so it should not be relied on.
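As an added example (not code from the original article), the following Node.js snippet shows the defensive side of the header discussion above: one function builds the X-Frame-Options header together with its modern equivalent, the Content-Security-Policy frame-ancestors directive, and another audits a response's headers to report whether the page can be framed by a third-party site. All function names, the constructed sample header sets, and the port are this example's own assumptions, not any framework's API.

```javascript
// Added example (not from the original article): helpers a defender can use
// to emit and audit anti-framing headers. Function and variable names are
// this example's own choices.

// Build the response headers that stop a page from being framed by other
// origins. X-Frame-Options covers older browsers; the CSP frame-ancestors
// directive is the modern equivalent and is sent alongside it.
// policy: "DENY" (never frame) or "SAMEORIGIN" (frame only from our own origin).
function antiFramingHeaders(policy) {
  const cspSource = { DENY: "'none'", SAMEORIGIN: "'self'" };
  if (!(policy in cspSource)) {
    throw new Error(`unsupported policy: ${policy}`);
  }
  return {
    "X-Frame-Options": policy,
    "Content-Security-Policy": `frame-ancestors ${cspSource[policy]}`,
  };
}

// Audit a set of response headers (object with lower-cased names, as Node's
// http module exposes them) and report whether the page is protected from
// being framed by a third-party site. Browsers that understand CSP
// frame-ancestors give it precedence over X-Frame-Options, so it is checked first.
function assessFrameProtection(headers) {
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  const csp = headers["content-security-policy"] || "";
  const ancestors = csp.match(/frame-ancestors\s+([^;]+)/i);

  if (ancestors) {
    const sources = ancestors[1].trim().toLowerCase();
    // "frame-ancestors *" lets any site frame the page.
    const open = sources === "*";
    return { protected: !open, via: "csp", detail: `frame-ancestors ${sources}` };
  }
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { protected: true, via: "x-frame-options", detail: xfo };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // Obsolete value: current browsers ignore it, so it provides no protection.
    return { protected: false, via: "x-frame-options", detail: "ALLOW-FROM is obsolete and ignored" };
  }
  return { protected: false, via: "none", detail: "no anti-framing header present" };
}

// Minimal server that applies the headers to every response. Start it with
// createProtectedServer("DENY").listen(8080) and inspect the headers with
// `curl -I http://localhost:8080/`. The port is an assumption for this example.
function createProtectedServer(policy) {
  const http = require("http");
  const extra = antiFramingHeaders(policy);
  return http.createServer((req, res) => {
    res.writeHead(200, { "Content-Type": "text/html", ...extra });
    res.end("<html><body><button>Pay</button></body></html>");
  });
}

// Constructed sample header sets (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { "content-type": "text/html" },
  legacyOnly: { "x-frame-options": "SAMEORIGIN" },
  modern: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  obsolete: { "x-frame-options": "ALLOW-FROM https://partner.example" },
  openCsp: { "content-security-policy": "frame-ancestors *" },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, assessFrameProtection(headers));
}
```

Running the file prints an audit verdict for each constructed sample; only the "legacyOnly" and "modern" sets count as protected, while the ALLOW-FROM and "frame-ancestors *" sets are flagged because browsers either ignore the value or are explicitly permitted to frame the page.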