Clickjacking is a form of cyber-attack in which hackers fool users into unintentionally clicking an unexpected web page element.
The majority of Clickjacking techniques take advantage of HTML iframes, so preventing a page from being framed is the key defense. This article explains how Clickjacking occurs, how it can be stopped, and why it remains a persistent application security concern.
What is ClickJacking?
Any attack in which a user is lured into mistakenly clicking an unforeseen web page element is known as Clickjacking. The term originated from "click hijacking", and the method is most frequently carried out by projecting malicious elements over a legitimate page or by superimposing a transparent page over a visible one.
When a user clicks an item that appears harmless on the visible page, they are actually clicking the corresponding element on the overlaid page, and that click triggers a malicious action, such as siphoning money from the user's bank account or liking or following someone on social media without the user's intent.
What a Typical Clickjacking Attack Looks Like
In the most common form of Clickjacking, the user is shown two web pages superimposed in the browser window, together with some incentive to click in specific locations.
The attacker begins by loading the vulnerable target website into an iframe, setting it to full transparency, and then positioning the frame in front of a malicious web page designed to induce clicks at strategic locations.
Imagine, for instance, an engaging browser-based game that opens in a popup window and offers rewards or interesting content to the winners. The game might be displayed as the background page, with the target web application, such as a banking, investment, or shopping website, placed on top of it in a fully transparent frame.
The attacker designs the game page so that its clickable elements sit in the same locations as chosen controls on the targeted website. When the user tries to click in-game items, they are actually clicking the invisible controls of the framed web page, which can have harmful consequences.
Depending on the targeted website, the victim may unintentionally be giving 5-star ratings, liking shady Facebook pages, granting access to Facebook applications, or even logging in via SSO schemes.
In addition to tricking the user into filling out text fields in a website form or solving CAPTCHAs, the attack may also leverage drag-and-drop methods. In this case, carefully planned game interactions result in the user unintentionally dragging text on the hidden page and dropping it into a form field.
Types of ClickJacking
The word “clickjacking” is used to refer to a wide range of attack vectors and methodologies collectively known as UI redress attacks. Based on how overlaid content is used, attacks can be categorized into two broad kinds. The majority of these attacks are overlay-based, and the most frequent move here is to embed pages in hidden iframes. There are various categories of overlay-based Clickjacking:
- Full Transparent Overlay: This is the technique used in the example above, where a transparent legitimate page, referred to here as the tool page, is placed on top of a carefully crafted malicious website. The tool page is loaded inside an invisible iframe and placed above the visible page by giving it a higher z-index value. This technique was applied to the Adobe Flash plug-in settings page in one of the earliest high-profile clickjacking attacks, deceiving users into granting Flash animations access to the computer's camera and microphone.
- Hidden Overlay: This was the first Clickjacking method to be described. The attacker creates a 1×1 pixel iframe containing malicious content and places it underneath the mouse cursor, so that it is invisible to the user but still receives the click and directs the user to the harmful page.
- Speedy Content Replacement: The targeted controls are hidden behind opaque overlays, which are briefly removed so that the click registers and then quickly restored. This requires the attacker to anticipate the precise moment the victim will click, but with some understanding of user behavior and habits it is simpler than it sounds.
- Cropping: In this method, only a few controls from the transparent page are superimposed on the visible page. Depending on the attack's goal, this might entail covering buttons with hidden hyperlinks to cause a different response than intended, masking text labels with false commands, replacing button labels with false instructions, or covering the entire legitimate page with false information while leaving only one authentic button exposed.
Attackers have a variety of methods for deceiving users into clicking unexpected controls even without using clickjacking vulnerabilities to implant overlays. Some of these include:
- Drag-and-Drop: While most clickjacking attacks aim to intercept clicks, drag-and-drop flaws can also be abused to trick users into performing other actions, such as completing web forms by moving invisible text into invisible text boxes or divulging sensitive personal information to the hacker.
- Scrolling: A genuine dialog box or other web page element is partially scrolled off the screen by the hacker so that only some of its controls remain visible to the user. For instance, the attacker might scroll a warning dialog off the screen so that only the YES and NO buttons are visible, and then place harmless prompt text so that the buttons appear to belong to that message rather than to the warning.
- Repositioning: For this attack, the user must be preoccupied with clicking some other, innocent-looking item while the hacker quickly moves a trusted dialog (or any other UI element) underneath the cursor. If it works, the user will not even be aware that anything has happened before intuitively clicking the replacement control. The hacker may swiftly move the dialog back after the click to avoid being noticed, which makes this similar to speedy content replacement.
How to Prevent Clickjacking
All major prevention techniques try to restrict framing, because the bulk of common clickjacking attacks require framing at some point. In the past, breaking pages out of frames required client-side scripts, while more recent and secure methods use HTTP security headers:
- Framebreaking: Until support for the newer HTTP headers became widespread, website developers were left to their own devices and had to use dedicated framebuster scripts to prevent their sites from being framed. The original frame-breaking scripts simply compared top.location with the current page's location; if they differed, top.location was set to self.location. Because such scripts were easy to bypass or block from the outer frame, more sophisticated solutions were created.
- Yet even the most sophisticated framebreakers can be circumvented in several ways, so such scripts should only be used to provide basic protection for legacy browsers. The approach currently recommended by OWASP is to hide the whole HTML document body and reveal it only after confirming that the page is not framed.
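The following is an added example, not code from the original article, showing the OWASP-style legacy frame-buster described above as a testable function: the document body starts hidden by a style element, and the script removes that element only after confirming it is the top-level window; otherwise it navigates the top window to its own URL. The window and document objects are passed in as parameters so the logic can be exercised outside a browser; the simulate() helper, its window stand-ins and the host names app.example and attacker.example are constructed for this illustration.

```javascript
// Added example (not from the article): legacy frame-busting in the shape
// recommended by OWASP. The <style id="antiClickjack"> element hides the body
// until the script proves the page is not framed.

const STYLE_ID = "antiClickjack"; // id of the <style> that hides <body>

// Returns "revealed" when running as the top-level document (hiding style
// removed) or "busted" when framed (top window navigated to this page).
// In a real page: call bustFrames(window, document) from an inline <script>
// placed directly after the hiding <style> element.
function bustFrames(win, doc) {
  if (win.self === win.top) {
    const hider = doc.getElementById(STYLE_ID);
    if (hider && hider.parentNode) hider.parentNode.removeChild(hider);
    return "revealed";
  }
  // Framed: a cross-origin frame may read nothing about `top`, but assigning
  // top.location is permitted, so the page replaces the framing document.
  win.top.location = win.self.location;
  return "busted";
}

// Constructed stand-ins for window/document so the logic can run under Node.
// `framed` = true simulates the page being loaded inside an attacker's iframe.
function simulate(framed) {
  const styleEl = { parentNode: null };
  const head = {
    children: [styleEl],
    removeChild(el) { this.children = this.children.filter((c) => c !== el); },
  };
  styleEl.parentNode = head;
  const doc = {
    getElementById: (id) =>
      id === STYLE_ID && head.children.includes(styleEl) ? styleEl : null,
  };
  const page = { location: "https://app.example/settings" };   // this document (constructed)
  const outer = { location: "https://attacker.example/game" }; // framing page (constructed)
  page.self = page;
  page.top = framed ? outer : page;

  const result = bustFrames(page, doc);
  return {
    result,
    bodyHidden: head.children.includes(styleEl), // style still present => body hidden
    topLocation: page.top.location,
  };
}

console.log(simulate(false)); // top-level: revealed, body shown
console.log(simulate(true));  // framed: busted, top navigated to the app's URL
```

The body stays hidden in the framed case even if the redirect is somehow blocked, which is the whole point of the OWASP variant: a defeated script leaves the attacker with an invisible page rather than a clickable one.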
- Content-Security-Policy Using Frame-Ancestors: The original purpose of the Content-Security-Policy HTTP header (CSP) was to defend against XSS and other data injection threats. It also offers a frame-ancestors directive, which may be used to indicate sources that are allowed to embed a page (in a <frame>, <iframe>, <applet>, <embed>, or <object> element).
- The syntax is simple: "Content-Security-Policy: frame-ancestors <source1> <source2> … <sourceN>;"
- Any number of sources can be specified. Valid source values include host names or IP addresses, schemes (such as https:), 'self' to allow the origin of the current document, and 'none' to forbid embedding altogether. The latter two are usually sufficient for basic protection, but the source list also offers a great deal of flexibility, particularly in complicated deployments. In X-Frame-Options (XFO) terms, frame-ancestors 'none' corresponds to DENY, and frame-ancestors 'self' corresponds to SAMEORIGIN.
- Although X-Frame-Options is technically obsolete, it is still the most common technique for increasing overall website resilience, because it closes a variety of vulnerabilities in addition to ordinary clickjacking attempts. The CSP frame-ancestors directive should offer an equal level of protection.
- In practice, however, XFO is still more widely and consistently supported. The CSP specification states that frame-ancestors should take priority and X-Frame-Options should be ignored when both headers are supplied, although certain older browsers (including Google Chrome 40 and Mozilla Firefox 35) do the opposite.
CSP's frame-ancestors directive offers a more standardized and versatile version of the same strategy, replacing X-Frame-Options, the initial solution that was widely embraced by browser vendors. Both headers can currently repel framing and frame-based Clickjacking attempts effectively, and frame-ancestors should eventually become the widely used way to stop iframe abuse.
However, keep in mind that Clickjacking is not fundamentally about iframes; it is about misleading the user and taking advantage of their trust in what they see in the browser window. Since mobile devices now account for the majority of internet traffic, protecting conventional desktop browser access is no longer adequate, and this widens the opportunities for deceptive user interfaces.
Q: How to protect your website from a Clickjacking attack?
Q: What are the examples of Clickjacking?
A: There are various Clickjacking attack techniques, including Likejacking, which manipulates the Facebook "Like" button to trick users into "liking" a page they did not intend to like. Another UI redressing technique, called "cursorjacking", shifts the cursor from the place the user expects to a different position.
Q: How common is Clickjacking?
A: Clickjacking, though a very effective way for hackers to attack a website, has become less effective in recent times due to advances in browsers and other defense techniques. Nevertheless, the technique is still used on some websites to exploit users' trust and confidence in those sites.
Q: What is the difference between Clickjacking and phishing?
A: Phishing scams differ from Clickjacking in that they require direct communication with the victim. Typically, a hacker sends a fake email impersonating a reputable organization in an attempt to deceive recipients into responding with personal information.
Q: What is a clickjacking cookie?
A: Cookiejacking is a type of clickjacking that involves stealing cookies from the web browser. It is achieved by deceiving the user into dragging a seemingly innocent object, which in fact causes them to select the entire content of the targeted cookie.