menu
close_24px

Clickjacking

What is Clickjacking?

Clickjacking is an appsec threat in which hackers trick users into clicking on a link that appears legitimate but actually redirects them to a malicious destination. This technique exploits the user’s trust, making them think they are interacting with a normal application interface.

In reality, a hidden layer controls their actions, leading to unintended and potentially harmful outcomes. Users believe they are making safe clicks, but the hidden interface executes malicious actions without their knowledge.



Also known as:
User interface (UI) redressing


Redressing or IFRAME overlay are other terms for clickjacking.

In many circumstances, the user may be unaware that their clicks aren't going where they're intended to, which might expose them to various risks.

The hacker has numerous options for exploiting the misdirected clicks. Mirroring a login and password form on a website is typical clickjacking. The user believes they are putting information into a standard format, but they are entering it into fields that the hacker has superimposed. You can read about how hackers hack at Appknox.

Links can be concealed behind media to initiate a specific action, such as a Facebook page or purchasing a product from Amazon. For the assault to be effective, the user may need to satisfy particular requirements, such as remaining signed in to social media accounts.

If a person is duped into downloading anything on their computer, they will be dealing with a hacked machine. They will remove the infection using an anti-virus check in the best-case scenario. They'd have to reformat their computer and reinstall the operating system in the worst-case scenario.

When a Javascript popup asks for permission to access this information, clickjacking can turn system functionality on and off, such as activating your microphone and camera.

 

Is There Any Protection Against Clickjacking?

There are no foolproof safeguards against clickjacking. However, there are steps you may take to lower your risk.

Disabling JavaScript on the client-side is beneficial, but many sites rely on it; turning it off leaves many inoperable sites.

Some commercial products can give protection while attempting not to interfere with the actual use of iframes. This works well within an organisation where the goods can be distributed to staff PCs, but it does little to safeguard customers who use the firm's websites.

Clickjacking Attacks and Their Types

Clickjacking is a large range of attack routes and tactics known as UI redress assaults.

Based on the usage of overlay material, attacks may be classified into two broad groups – Overlay-based and Non-overlay based. 

1. Overlay-based

Overlay-based assaults are the most prevalent, and the most common technological strategy is to embed websites in invisible iframes. Again, overlay-based clickjacking is classified into numerous categories.

Complete Transparent Overlay 

It is the strategy utilised in our last example. A normal fine page (referred to as a tool page) is layered on a carefully prepared malicious website. By choosing a higher z-index value, the tool page is loaded inside an unseen iframe and positioned above the visible page.

Cropping: 

For this attack, the attacker overlays only selected controls from the transparent page on the visible page. Depending on the aim of the attack, this could mean covering buttons with invisible hyperlinks to trigger a different action than expected, covering text labels with misleading instructions, replacing button labels with false commands, or covering up the entire legitimate page with misleading content, leaving only one original button exposed.

Hidden overlay: 

It was the first demonstrated approach to clickjacking. The attacker creates a 1x1 pixel iframe containing malicious content and positions it under the mouse cursor, so the cursor hides it, but any click will register on the malicious page.

Click event dropping: 

The legitimate page is displayed in the foreground, completely obscuring the malicious page behind it. The attacker sets the CSS pointer-events property of the top to none, causing click events to “drop” through the overlaid legitimate page, only registering on the malicious page below.

Rapid content replacement:

 Opaque overlays are used to cover up the targeted controls, only removed for a fraction of a second to register the click and immediately replaced. This requires the attacker to predict the exact moment of the victim’s click, but with a little knowledge of computer user habits and psychology, it’s easier than it sounds.

 

2. Non-overlay Based

Even without exploiting clickjacking vulnerabilities to insert overlays, attackers have many options for tricking users into clicking unexpected controls.

Cropping

In this technique, the attacker only overlays some controls from the transparent page on the visible page. Hidden overlay: This was the first method of clickjacking that was demonstrated. The attacker places a 1x1 pixel iframe with malicious content beneath the mouse pointer, such that the cursor conceals it, but any click will register on the infected page.

Scrolling

The attacker slides a valid dialogue box or other web page element half off the screen, so the victim only sees a portion of the controls. For example, a warning dialogue may be scrolled off the screen, leaving only the OK and Cancel buttons visible. The attacker arranges harmless prompt text to make it appear that the controls relate to this message rather than a warning.

Repositioning

In this approach, the attacker must quickly relocate a trusted dialogue (or another UI element) under the cursor while the victim is preoccupied with clicking other, seemingly innocent-looking things. If this is successful, the user will intuitively click the replacement control before realizing anything has changed. 

How to Prevent Clickjacking?

There are two main strategies to protect yourself from clickjacking:

Client-side approaches, the most prevalent of which is known as Frame Busting. Sometimes, client-side methods can be useful, but they are not the best practices since they are readily circumvented.

The most frequent server-side approach is X-Frame-Options. Security experts advocate server-side approaches as a viable strategy to guard against clickjacking.