Clickjacking is a malicious UI attack that tricks users into clicking an invisible or disguised element.
How is clickjacking possible
Clickjacking is possible thanks to two things:
- HTML frames (iframes), which give a web page the ability to show a page from another website inside a frame
- An unprotected website, which allows itself to be framed on other websites.
The user sees the normal UI of the web page, but in fact there is a secondary UI that is not from the web page. This secondary UI can be entirely invisible, or it can be disguised with the same look and feel as the web page itself.
This way, the user thinks that whatever he clicks belongs to the original web page. It does not: it is a clickable element from the invisible or disguised UI.
Clicking such an element can trigger a malicious script from the attacker, but the script may also do exactly what the button on the original web page does. Then nothing looks wrong, and you won't notice that a clickjacking attack is going on.
Clickjacking can be split into different categories according to the action and the method:
- Classic clickjacking
- Likejacking
- Nested clickjacking
- Cursorjacking
- Mousejacking
- Browserless clickjacking
- Cookiejacking
- Filejacking
- Password manager attack
Classic clickjacking is when the attacker uses hidden or disguised layers on a web page to trick the user. The user's click triggers the attacker's malicious script.
This can be as simple as downloading a file, but it can also trick you into buying something on a website.
Likejacking is when the attacker tricks the user into "liking" a social media page, post or account that they don't want to like.
Nested clickjacking works almost the same way as classic clickjacking.
In the classic method there are two layers: the original harmless web page and the malicious web page.
The nested method uses three layers: two with the original harmless web page and, "nested" between them, the malicious web page.
This method is possible thanks to a vulnerability in the handling of the HTTP header X-Frame-Options when it has the value "SAMEORIGIN".
Cursorjacking changes the position of the user's cursor.
For example, you answer "Yes" instead of "No" in a form, or you "enable" your webcam instead of "disable" it in a chatroom.
Mousejacking is not a UI attack like the other clickjacking techniques; it is a wireless, hardware-based UI vulnerability.
We speak of mousejacking when a vulnerable dongle allows wireless keyboard input to be injected from an external device.
Browserless clickjacking is like the classic technique, but instead of happening in a web browser it happens in vulnerable programs.
Cookiejacking is when the attacker tricks you into selecting the entire content of a cookie.
This is usually done by tricking the user into dragging an object from one point to another.
It looks harmless, but in fact you are selecting the entire content of a cookie.
Filejacking makes it possible for the attacker to access and take files from the victim's computer.
For this, the attacker uses the web browser's standard function for navigating through the files on the computer.
Password manager attack
Password manager attacks make use of a vulnerability in some password managers that insecurely auto-fill passwords.
How to defend against clickjacking
At the moment there is no perfect defence against clickjacking, but there are several actions you can take to reduce the risk:
- commercial products
- X-Frame-Options
- Content Security Policy (CSP)
Defend against clickjacking with commercial products
You can consider buying a commercial product that needs to be installed on your device to help defend against the different clickjacking techniques.
This may work well on the device where the product is installed, but you are still defenceless on your other devices and smartphones.
Defend against clickjacking with the X-Frame-Options
The X-Frame-Options HTTP header is another option to defend against clickjacking.
This header allows an application to decide how its pages may be framed.
X-Frame-Options possibilities are:
- X-Frame-Options: DENY
- X-Frame-Options: SAMEORIGIN
- X-Frame-Options: ALLOW-FROM https://example.be/
Defend against clickjacking with Content Security Policy (CSP)
A more modern option to defend against clickjacking is the Content Security Policy (CSP) frame-ancestors directive.
This method allows an application to disallow all frame use or to specify where frame use is allowed.
CSP possibilities are:
- Content-Security-Policy: frame-ancestors 'none'
- Content-Security-Policy: frame-ancestors 'self'
- Content-Security-Policy: frame-ancestors example.be
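To show what the three CSP values above actually do, here is an added example (not code from the original post) of how a browser evaluates frame-ancestors: every ancestor browsing context, from the direct parent up to the top-level window, must match one of the listed sources, which is also why the "nested" layering described earlier does not get past 'self'. It is a simplified model of the CSP matching rules (scheme, host and leading "*." wildcards only; port and path rules are left out), and all origins such as www.example.be, shop.example.be and attacker.example are hypothetical.

```javascript
// Added example, not from the original post: simplified CSP frame-ancestors
// evaluation. Every ancestor in the chain must match a listed source.
// Covers scheme, host and "*." wildcards; port and path rules are omitted.
// All origins used below are hypothetical.

function originParts(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(origin);
  if (!m) throw new Error(`not an origin: ${origin}`);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() };
}

// Does one CSP source expression match the origin of one ancestor?
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const a = originParts(ancestorOrigin);
  const p = originParts(pageOrigin);
  if (source === "'self'") return a.scheme === p.scheme && a.host === p.host;
  if (source === '*') return true;
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return a.scheme === source.slice(0, -1).toLowerCase();
  }
  // host-source such as "example.be", "*.example.be" or "https://example.be"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme) {
    if (scheme.toLowerCase() !== a.scheme) return false;
  } else if (a.scheme !== p.scheme && a.scheme !== 'https') {
    // Without an explicit scheme the ancestor must use the page's scheme
    // (or https, which is always accepted as an upgrade).
    return false;
  }
  return wildcard
    ? a.host.endsWith('.' + host.toLowerCase())
    : a.host === host.toLowerCase();
}

// sources: the tokens after "frame-ancestors" in the CSP header.
// ancestors: origins of the framing pages, direct parent first, top window last.
function mayBeFramed(sources, pageOrigin, ancestors) {
  if (ancestors.length === 0) return true;          // not framed at all
  if (sources.includes("'none'")) return false;
  return ancestors.every(anc => sources.some(src => sourceMatches(src, anc, pageOrigin)));
}

const page = 'https://www.example.be';
// Nested layering: the direct parent is same-origin, but the top window is a
// third party. 'self' refuses it because every ancestor in the chain is checked.
console.log(mayBeFramed(["'self'"], page, ['https://www.example.be', 'https://attacker.example'])); // false
console.log(mayBeFramed(["'self'", '*.example.be'], page, ['https://shop.example.be']));            // true
console.log(mayBeFramed(["'none'"], page, []));                                                     // true: not framed
```

The chain check is the point: a policy is only as strong as its weakest ancestor, so an allow-list should name only origins you would trust to put your page behind an overlay.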
How to test if your website is protected against clickjacking
There are many ways to test if your website is protected against clickjacking.
One of the easiest tools is clickjacker.io.
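A checker such as the one mentioned above fetches your page and inspects its response headers. The following is an added example (not the tool's code and not from the original post) of the decision logic behind such a check, together with the header set a site should send; it uses plain Node.js, and every sample header in it is constructed for the example.

```javascript
// Added example, not from the original post: decide from response headers
// whether a page can be framed by an arbitrary third party, and build the
// recommended header set. Plain Node.js, no third-party modules.
// All sample headers below are constructed for this example.

// Recommended headers. CSP frame-ancestors is the modern control and takes
// precedence where supported; X-Frame-Options is kept for older browsers.
function clickjackingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options has no working multi-origin form (ALLOW-FROM is obsolete),
  // so it falls back to SAMEORIGIN and the cross-origin allow-list lives in CSP.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
  };
}

// Tokens after "frame-ancestors" in a CSP header value, or null if absent.
function frameAncestorSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

// Can a page with these response headers be framed by an arbitrary third
// party? Header names are matched case-insensitively, as HTTP requires.
function assessFraming(headers) {
  const get = name => {
    const key = Object.keys(headers).find(k => k.toLowerCase() === name);
    return key === undefined ? null : String(headers[key]).trim();
  };
  const sources = frameAncestorSources(get('content-security-policy'));
  if (sources) {
    // Browsers that understand frame-ancestors ignore X-Frame-Options.
    const open = sources.includes('*') || sources.some(s => /^https?:$/.test(s));
    return { protected: !open, mechanism: 'CSP frame-ancestors', value: sources.join(' ') };
  }
  const xfo = get('x-frame-options');
  if (xfo) {
    const value = xfo.toUpperCase();
    const ok = value === 'DENY' || value === 'SAMEORIGIN';
    // ALLOW-FROM is no longer honoured by current browsers, and any other
    // value is invalid; both are ignored, which leaves the page frameable.
    return { protected: ok, mechanism: 'X-Frame-Options', value };
  }
  return { protected: false, mechanism: 'none', value: '' };
}

// Constructed sample responses, as a header check would see them.
const samples = {
  unprotected: { 'Content-Type': 'text/html' },
  legacy: { 'x-frame-options': 'sameorigin' },
  obsolete: { 'X-Frame-Options': 'ALLOW-FROM https://example.be/' },
  modern: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  open: { 'Content-Security-Policy': 'frame-ancestors *' },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name.padEnd(12), assessFraming(headers));
}
```

Two design choices worth noting: when both headers are present, CSP frame-ancestors wins in browsers that support it, so the check reads CSP first; and ALLOW-FROM is treated as no protection because Chrome and Safari never implemented it and Firefox dropped it, which is why a cross-origin allow-list belongs in frame-ancestors rather than in X-Frame-Options.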
Clickjacking is just one of many malicious attacks that can be used on your website.
You might not have the skills nor the time to keep your website protected against malicious attacks.
jCreativeWeb can help you with that.