Clickjacking
07/12/2021

A website is a set of HTML files connected through hypertext links, stored on a web server, i.e., a computer permanently connected to the Internet. With the advance of technologies, the use of websites has become part of our daily lives. In this context, website security has become one of the main requirements for users, developers, and organizations. Malicious users are using increasingly sophisticated methods to compromise the security of websites, and one of the techniques used by these malicious users is clickjacking.

Clickjacking, also known as a "UI redress attack", is a malicious technique whose goal is to trick a web user into selecting something other than what the user perceives they are selecting, thereby revealing confidential information. Clickjacking allows a hacker to insert an invisible layer into the website, between its commands and what the user sees on the device's screen.

One of the best-known examples of clickjacking was an attack against the Adobe Flash plugin settings page. By loading this page in an invisible iframe, an intruder could trick a user into changing Flash's security settings, allowing any Flash animation to use the computer's microphone and camera.

According to the nature of the attack, clickjacking has several types:

- Cursorjacking: This technique allows changing the position of the cursor to a place other than where the user perceives it. Thus, the user believes he is doing one action while he is doing another.

- Likejacking: This type of attack aims to collect users' clicks and direct them to "likes" on Facebook pages or other social networks.

- Cookiejacking: In this case, the user is tricked into interacting with a UI element in a way that provides the intruder with cookies stored in the browser. This way an intruder can perform actions on the target website on behalf of the user.

- Filejacking: With this type of attack, the user allows the intruder to access their local file system.

- Password manager attacks: This type of attack aims to trick password managers to take advantage of their autofill feature.

It is difficult to recognize clickjacking because it is often invisible. However, it may contain elements that reveal its presence to the user. For example, some ads and calls with spelling mistakes may be an indication that there is an attempt at clickjacking. On social media, clickjacking can be recognized when someone shares strange content, usually with a link to access it.

Tests should be conducted to determine if the site's pages are vulnerable to attacks from this type of vector. Pentesters can investigate whether a target page can be loaded into an iframe by creating a simple web page that includes an iframe containing the target page. An example of HTML code to create this test web page is shown below:

There are three methods you can use to defend against clickjacking:

- Prevent the browser from loading the page in an iframe using HTTP headers (X-Frame-Options or Content Security Policy, CSP).

- Prevent session cookies from being included when the page is loaded in an iframe using the SameSite cookie attribute.

- Implement JavaScript code on the page to try to prevent it from loading in an iframe (known as a "frame-buster").

These methods are all independent of each other, and whenever possible more than one of them should be implemented to provide defense in depth.
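As an added illustration (not code from the original article), the Python sketch below audits a response's headers for the first two defences: an enforced X-Frame-Options or CSP `frame-ancestors` policy, and a SameSite attribute on each cookie. The function names and the two sample responses are constructed for this example; it checks every cookie because the headers alone do not say which one carries the session.

```python
# Added example: audit response headers for the header-based defences listed above.
XFO_ENFORCED = {"DENY", "SAMEORIGIN"}    # ALLOW-FROM is obsolete; current browsers ignore it
OPEN_SOURCES = {"*", "http:", "https:"}  # frame-ancestors sources that match any site

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP header value, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def cookie_samesite(set_cookie_value):
    """Return (cookie name, lower-cased SameSite value or None) for one Set-Cookie."""
    segments = [s.strip() for s in set_cookie_value.split(";")]
    name = segments[0].split("=", 1)[0]
    for attr in segments[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "samesite":
            return name, val.strip().lower()
    return name, None

def audit(headers):
    """headers: list of (name, value) pairs, because Set-Cookie can repeat."""
    get = lambda wanted: [v for n, v in headers if n.lower() == wanted]
    findings = []
    xfo = [v.strip().upper() for v in get("x-frame-options")]
    findings += [f"X-Frame-Options value not enforced: {v}" for v in xfo if v not in XFO_ENFORCED]
    lists = [fa for fa in map(frame_ancestors, get("content-security-policy")) if fa]
    # Conservative: an empty or wildcard source list is not counted as protection.
    csp_ok = any(not OPEN_SOURCES & set(fa) for fa in lists)
    if not csp_ok and not any(v in XFO_ENFORCED for v in xfo):
        findings.append("page can be framed: no enforced X-Frame-Options or frame-ancestors")
    for name, samesite in map(cookie_samesite, get("set-cookie")):
        if samesite not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite is not Lax or Strict")
    return findings

# Constructed sample responses (not captured from a real site).
WEAK = [("X-Frame-Options", "ALLOW-FROM https://partner.example"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]
HARDENED = [("X-Frame-Options", "DENY"),
            ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or "no findings")
```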

Clickjacking can cause various kinds of damage, since through a single click we can be infected by different malware and even allow third parties to make use of the camera or microphone of our device. Not even our email and social networks are immune to this type of attack.

By: Daniel Morais, Pentester at Hardsecure.
