Clickjacking, also referred to as UI redressing, is a malicious technique of tricking a user into clicking something different from what the user actually perceives. The user clicks on seemingly harmless objects, but actually they are a trap and are something completely different. Using clickjacking, sensitive information of the victim can be exposed, also the attacker can take control over your computer. The attacker redresses the malicious UI into something completely different that looks harmless, that is why clickjacking is also referred to as "UI Redressing"
Clickjacking is an instance of the confused deputy problem in which the user is tricked into thinking that a malicious object is harmless, by disguising the malicious object. The users are then tricked and made to click the malicious objects that trigger malicious actions. Their is a privilege escalation of the attacker when the victim clicks the malicious object. Clickjacking is used for a plethora of web attacks, like CSRF. Clickjacking is performed on the attacker-maintained website, so a clickjacker can only harm a user and not a server.
- The attacker could disguise a money transfer form into something else, and when the user enters his data, the money transfer would occur, thus causing the victim a loss.
- The attacker could disguise a malicious ad link as the play button on a video and direct you to an ad.
Clickjacking has a lot of categories which are as follows:
Classic clickjacking is a situation when an attacker uses hidden layers on web pages to manipulate the actions of the user's cursor, resulting in the clicking of a malicious element.
Likejacking is a malicious technique of tricking victims viewing a website to like a post on a website, which they really didn't intend to like.
Nested clickjacking works by embedding a malicious web frame between two frames of the original, harmless web page - which is the framed page and the page which is displayed on the top window. Nested clickjacking works due to a vulnerability in the
X-Frame-Options HTTP header. When the
X-Frame-Options header has the value
SAMEORIGIN, the web browser checks the two layers which are harmless and does not check the malicious layer in between, thus enabling the attackers to exploit the vulnerability.
CursorJacking is a type of UI Redressing which makes the user perceive that the cursor is at some other location than its original location. The attacker hides the actual mouse cursor on his website and makes a cursor on the website which looks like the original cursor.
MouseJack is a wireless hardware-based vulnerability which allows the attacker's keyboard input to be injected into vulnerable dongles.
Browserless clickjacking is a technique to replicate classic clickjacking in programs which do not run in a web browser. Browserless clickjacking is prevalent among Android devices, especially due to the way pop-up notifications work. The pop-up notifications have a small delay in between the moment the notification is requested and the moment the notification is actually displays on-screen. The attackers use this small delay to create a dummy button that lies underneath the actual notification, and it can be clicked upon.
CookieJacking is a form of clickjacking in which cookies are stolen from the victim's web browser. This is performed by tricking the user into performing a task on the malicious website(usually dragging an element) which perceives to be harmless. When the user performs the action, the user unknowingly is selecting the cookie content and sending it to the attacker. The attacker can then perform a CSRF attack and impersonate the user on the website.
FileJacking is a technique using which the attackers use the web browser's capability to navigate through the computer and access the computer files in order to acquire personal data. This is performed by tricking the user into establishing an active file server through the file and folder selection window that browsers use. With this, attackers access and take files and personal information from their victim's computers.
Password manager attack is an attack in which some password managers insecurely autofill passwords for the http version of https-saved passwords, these password managers also sometimes fill in the data in iFrames. Most password managers do not protect against iFrame and redirection-based attacks and exposed additional passwords where password sync had been used on multiple devices. Browsers are safe and do not autofill data, like password managers do. Browsers do not autofill data if the protocol on the current login page is different from the protocol at the time the password was saved. Browsers also don't autofill data in iFrames.
There are both client-side as well as server-side measures to prevent clickjacking.
Clickjacking can be reduced on the client side by installing some plugins in browsers like NoScript, NoClickJack and GuardedID.
There are various server-side ways to protect your users from clickjacking on your website.
<iframe security=restricted> element. This is a design issue in IE.
X-Frame-Options is a HTTP header that can be used to indicate whether or not a particular website should be allowed to render a page in an iFrame, etc. Websites can use this to avoid clickjacking attacks as it ensures that a website's content is not embedded into other sites.
X-Frame-Options provide only partial security against clickjacking because the header will only be in effect if the user's browser supports it. You can allow certain website to embed your webpage on their website by specifying it, you can also allow the same origin web pages to embed a web page.
frame-ancestors directive of the HTTP CSP(Content-Security-Policy) specifies valid elements that are allowed to embed a page using iFrames etc. This is similar to the
X-Frame-Options and its values are also similar to the values of
X-Frame-Options. The only difference is that
X-Frame-Options header just checks top-level document location that is the website URL whereas the
frame-ancestors directive checks each ancestor(parent), if the ancestor does not match with what is defined in the CSP, the load of the frame is cancelled. Also the CSP obsoletes(out fashions) X-Frame-Options header, if both the directives are specified on a web page, CSP is given the priority and the
X-Frame-Options header is ignored.