+1 866 537 8234 | +91 265 6133021

Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)
Blog Home  »  Web Application Security   »   What is Clickjacking? – Types, Examples and Prevention

Managed WAF

Starts at $99

Guided onboarding, monitoring of latency, false positives, and DDoS attacks, custom rules, and more

Try Free For 14 Days

What is Clickjacking? – Types, Examples and Prevention

Posted DateMarch 21, 2024
Author Bio
Posted Time 6   min Read

Clickjacking, also known as UI redress attack or user interface (UI) manipulation, is a malicious technique used to trick users into clicking on elements of a web page without their knowledge or consent.

By overlaying transparent or opaque layers on legitimate web content, attackers can trick users into performing unintended actions, such as clicking on hidden buttons or links.

How Does Clickjacking Attack Work?

Once a user innocently clicks on an attractive link, the clickjacking attack begins its deceptive process. Here’s a simplified breakdown of how it typically unfolds:

What does a clickjacking attack work?

  • The attacker discreetly verifies if the user is logged into critical accounts, such as banking or online shopping platforms.
  • The attackers manipulate the user interface by overlaying fake buttons or links on top of real ones, creating the illusion of risk-free content.
  • When the user interacts with what appears to be a legitimate offer or action, they unknowingly click on the concealed buttons beneath the surface.
  • These hidden clicks trigger unauthorized transactions or actions without the user’s awareness or consent.
  • While the user is distracted by the fake offer or content, the attacker executes their hidden motive, such as fraudulent transfers or data theft.
  • Since the user initiated the actions while logged in, tracing the attack back to the attacker becomes challenging.

In essence, clickjacking exploits user trust and the visual presentation of web interfaces to facilitate malicious activities, posing significant risks to both users and businesses.

Strategies Used in Clickjacking Attacks

Exploiting Vulnerable Applications

Cyber-criminals exploit vulnerabilities in applications, such as the Adobe Flash Player plug-in, to access attached hardware like cameras and microphones.

Transparent Page Manipulation

Attackers leverage browser vulnerabilities to embed authenticated pages within malicious web pages. They selectively hide certain elements of the original application, displaying only controlled elements like form fields and buttons to manipulate user actions.

JavaScript Manipulation

By using JavaScript instead of HTML alone, cyber-criminals can manipulate the user interface in various ways. For example, they may always place a button under the user’s cursor by embedding a malicious webpage in the browser, forcing users to unintentionally click.

iFrame Overlay

Attackers create malicious websites with two components: fake UI code and an iFrame overlay covering part of a legitimate application. This tactic tricks users into believing they are interacting with a legitimate application, leading them to take unintended actions.

Types of Clickjacking Attacks

Likejacking

Likejacking is a type of clickjacking attack specifically targeting social media platforms like Facebook. Attackers overlay deceptive elements on top of legitimate content, tricking users into unknowingly clicking on hidden “like” buttons. These clicks result in the user unintentionally endorsing or sharing malicious content on their social media profiles.

Cookiejacking

Cookiejacking involves exploiting vulnerabilities in web browsers to gain access to cookies stored on a user’s device. Cookies contain sensitive information such as session tokens and authentication credentials, allowing attackers to impersonate users and perform actions on their behalf on targeted websites.

Example:

An attacker exploits a browser vulnerability to access cookies stored on a user’s device. By obtaining the session token from the cookie, the attacker gains unauthorized access to the user’s account on a targeted website, allowing them to perform actions such as making unauthorized purchases or accessing sensitive information. Learn more about the web browser attacks and preventive measures.

Filejacking

Filejacking attacks exploit vulnerabilities in web browsers to gain unauthorized access to files stored on a user’s local file system. Attackers can steal sensitive files or upload malicious files to the user’s device, potentially compromising their privacy and security.

Cursorjacking

Cursorjacking is a clickjacking variant that involves hijacking and manipulating the cursor position to deceive users into clicking on hidden elements on a web page.

Password Manager Attacks

Password manager attacks target vulnerabilities in password management tools and exploit their auto-fill functionality to steal sensitive information. Attackers overlay deceptive forms or input fields on web pages, tricking password managers into auto-filling login credentials or other sensitive data.

The Consequences of Clickjacking

The effects of falling victim to clickjacking attacks can be severe, both for individual users and organizations:

Financial Loss: Clickjacking attacks can result in unauthorized transactions, fund transfers, or purchases, leading to significant financial losses for users.

Data Theft: Attackers can exploit clickjacking to steal sensitive information such as login credentials, personal data, or financial details.

Identity Theft: Clickjacking attacks may facilitate identity theft, enabling cybercriminals to impersonate users and execute fraudulent activities.

Reputation Damage: Businesses that fail to protect their users from clickjacking attacks risk damaging their reputation and losing the trust of their customer base.

Legal Consequences: Inadequate security measures and breaches resulting from clickjacking attacks may expose organizations to regulatory fines, lawsuits, and legal liabilities.

How to Prevent Clickjacking Attacks?

While clickjacking may seem harmless at first glance, it’s a serious threat. It’s not just a playful trick – it’s intended to harm. To protect your finances, customers, and brand reputation, it’s crucial to take steps to prevent these attacks.

Secure web applications from vulnerabilities to prevent unauthorized access. Opt for a managed WAF for round-the-clock defense, immediate vulnerability patching, and continuous threat monitoring, ensuring zero false positives.

The other measures to take to prevent clickjacking attacks are as follows:

Frame Busting

Implement frame-busting techniques in your web application to prevent it from being loaded within iframes on malicious sites. Frame-busting scripts can detect when a web page is being framed and break out of the frame, ensuring that your content is displayed in its intended context.

<script>
if (top !== self) {
top.location = self.location;
}
</script>

This JavaScript code snippet detects if the current window is being framed within another window. Once identified, it executes a breakout from the frame, ensuring the page is loaded in the top-level window, thus mitigating the risk of clickjacking.

X-Frame-Options Header

Set the X-Frame-Options HTTP header to deny or restrict iframe embedding on your web pages. By configuring this header, you can specify whether your content can be framed by other sites, reducing the risk of clickjacking attacks.

For example –
X-Frame-Options: DENY

Set the X-Frame-Options header to DENY to prevent the web page from being loaded in any iframe.

Three permitted values for the header are:

  • DENY: disallows any domain/ site to display the page within a frame
  • SAMEORIGIN: allows the current page to be displayed in a frame on another page, but only within the current domain
  • ALLOW-FROM *uri*: allows the page to be displayed only in a frame on the specified origins/ in a specified URL

However, the security provided by X-Frame options is limited and is ineffective in multi-domain sites.

Content Security Policy (CSP)

Implement a Content Security Policy (CSP) to control the sources from which your web content can be loaded. CSP allows you to define trusted sources for scripts, stylesheets, and other resources, limiting the ability of attackers to inject malicious content into your web pages.

<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none';">

This meta tag sets a Content Security Policy (CSP) directive to restrict the framing of the web page to prevent clickjacking. The ‘none’ value indicates that the page should not be framed by any precursor pages.

JavaScript Event Handlers

Use JavaScript event handlers to detect and prevent clickjacking attempts. Monitor mouse movements and interactions to ensure that user actions originate from legitimate elements on the page, helping to identify and block clickjacking activity.

window.addEventListener('click', function(event) {
if (event.target !== event.currentTarget) {
// Check if the click event originates from a legitimate element
// Add logic to handle legitimate clicks
} else {
// Handle clickjacking attempts
alert('Clickjacking attempt detected!');
}
event.stopPropagation();
}, true);

This JavaScript code snippet adds a click event listener to the window object. It checks if the click event originates from a legitimate element on the page. If not, it alerts the user about the clickjacking attempt.

UI Redress Protection

Implement UI redress protection mechanisms to detect and mitigate attempts to manipulate the user interface. This can involve techniques such as verifying the visibility and positioning of UI elements to prevent them from being overlaid or obscured by malicious content.

/* Prevent overlapping of elements */
.legitimate-element {
position: relative;
z-index: 9999; /* Ensure the element is on top */
}

Use CSS to ensure that legitimate UI elements have a higher z-index value, making them appear on top of any potentially malicious elements. This prevents elements from being overlaid or obscured by clickjacking content.

Content Verification

Regularly audit and verify the content of your web pages to detect any unauthorized changes or overlays. By monitoring for unexpected modifications to the user interface, you can identify and address potential clickjacking vulnerabilities before they are exploited by attackers.

User Education and Awareness

Educate users about the risks of clickjacking and advise them to exercise caution when interacting with unfamiliar or suspicious web content. Encourage users to report any suspicious behavior or unexpected changes in the user interface to help identify and mitigate clickjacking attacks.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

AppTrana WAAP

Vinugayathri - Senior Content Writer
Vinugayathri Chinnasamy

Vinugayathri is a content writer of Indusface. She has been an avid reader & writer in the tech domain since 2015. She has been a strategist and analyst of upcoming tech trends and their impact on the Cybersecurity, IoT and AI landscape. She is an upcoming content marketer simplifying technical anomalies for aspiring Entrepreneurs.

Share Article:

Tags:

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

What is Clickjacking?
What is Clickjacking?

Here’s a guide on the peril’s of clickjacking and how to strive towards prevention of such attacks to ensure that you do not lose money, customers and brand value.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!