A website is a set of HTML files connected through hypertext links and stored on a web server, i.e., a computer permanently connected to the Internet. As technology has advanced, the use of websites has become part of our daily lives, and website security has become one of the main requirements for users, developers, and organizations. Malicious users employ increasingly sophisticated methods to compromise the security of websites, and one of those techniques is clickjacking.
Clickjacking, also known as a "UI redress attack", is a malicious technique whose goal is to trick a web user into selecting something other than what the user perceives they are selecting, thereby revealing confidential information. Clickjacking lets an attacker insert an invisible layer into the website, between the page's controls and what the user sees on the device's screen.
One of the best-known examples of clickjacking was an attack against Adobe Flash's plugin settings page. By loading this page in an invisible iframe, an attacker could trick a user into changing Flash's security settings, allowing any Flash animation to use the computer's microphone and camera.
Depending on the nature of the attack, clickjacking comes in several types:
Clickjacking is difficult to recognize because it is often invisible; however, it may contain elements that reveal its presence to the user. For example, ads and calls to action with spelling mistakes may indicate a clickjacking attempt. On social media, clickjacking can be recognized when someone shares strange content, usually with a link to access it.
Tests should be conducted to determine whether the site's pages are vulnerable to this type of attack. Pentesters can investigate whether a target page can be loaded into an iframe by creating a simple web page that includes an iframe containing the target page. An example of HTML code to create this test web page is shown below:
There are three methods you can use to defend against clickjacking:
- Prevent the browser from loading the page in an iframe using HTTP headers (X-Frame-Options or Content Security Policy, CSP).
- Prevent session cookies from being included when the page is loaded in an iframe using the SameSite cookie attribute.
These methods are independent of each other, and whenever possible more than one of them should be implemented to provide defense in depth.
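As an added example (not code from the original article), the following Python function audits a set of HTTP response headers for the two header-based defenses listed above: it checks the CSP `frame-ancestors` directive and `X-Frame-Options`, and whether each `Set-Cookie` carries a `SameSite` attribute that keeps the cookie out of a cross-site iframe. The sample `WEAK` and `HARDENED` header sets are constructed for illustration, not captured from any real site.

```python
import re
from typing import Dict, List

# Constructed sample responses (not captured from any real site).
WEAK = {
    "Content-Type": "text/html",
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly"],
}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
}

def frame_ancestors(csp: str) -> List[str]:
    """Source list of the CSP frame-ancestors directive, [] if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, i.e. behaves like 'none'.
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return []

def audit_clickjacking(headers: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means both header defenses are in place."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    ancestors = frame_ancestors(str(h.get("content-security-policy", "")))
    xfo = str(h.get("x-frame-options", "")).strip().upper()
    # Browsers that understand frame-ancestors ignore X-Frame-Options when both are set.
    if ancestors:
        if any(a in ("*", "http:", "https:") for a in ancestors):
            findings.append("CSP frame-ancestors allows any origin to frame the page")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by current browsers; use frame-ancestors")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no X-Frame-Options or CSP frame-ancestors: any site can frame this page")
    cookies = h.get("set-cookie", [])
    for cookie in ([cookies] if isinstance(cookies, str) else cookies):
        name = cookie.split("=", 1)[0].strip()
        m = re.search(r";\s*samesite=(\w+)", cookie, re.IGNORECASE)
        # A missing SameSite attribute is treated as unprotected: the default varies by browser.
        mode = m.group(1).lower() if m else "none"
        if mode == "none":
            findings.append(f"cookie {name!r} lacks SameSite=Lax/Strict and is sent inside a cross-site iframe")
    return findings
```

Run `audit_clickjacking(WEAK)` and `audit_clickjacking(HARDENED)` to compare the two; only Lax and Strict keep the cookie out of a third-party iframe, so `SameSite=None` counts as a finding.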
Clickjacking can cause a variety of damage: a single click can infect us with malware or allow third parties to use the camera or microphone of our device. Not even our email and social networks are immune to this type of attack.