sachindra149 profile image sachindra@work ・2 min read

Clickjacking refers to any attack where is user is tricked into clicking any unexpected web element unintentionally. It is a malicious practice in which the attacker tricks a user to click on another webpage who actually clicks on another page. This technique is mostly used for websites or web pages by overlaying malicious content over a trusted webpage or by placing a transparent element or an entire page over a visible one.

The attacker injects an html element/code with an iframe into the webpage. Suppose you are checking your email and all of a sudden you get a popup saying "You have won an iPhone. Click here to claim." But below this overlay there can be commands to delete all the emails from your inbox, or send an email to someone. It can be a command to shut down your computer or to access private files or to alter your system files. This is also rampant on Android phones. This is also called a UI Redress attack.

Majority of Clickjack attacks exploit the code vulnerabilities related to the use of HTML iframes and protection methods that revolve around its prevention.
To prevent this attack, all prevention methods aim to block framing as most of these attacks involve HTML iframe tag. While legacy solutions use client-side scripts to break pages out of frames, most modern and secure approaches rely on HTTP security headers to specific framing policy:

1) Framebursting: This involves usage of some JS code snippets. The code simply checks top.location to make sure its the current page, if not top.location was set to self.location. But these scripts can easily be blocked or bypassed. This method only provides rudimentary protection for legacy browsers. OWASP recommends that we hide the entire body of the document and show it only once we verify that the page is not framed.

2) X-Frame-Options: The best solution is to use the X-Frame-Options(XFO) HTTP response header in server responses. This is used to specify if a page can be embedded in a iframe, embed or object element. The header supports three possible directives: sameorigin, to allow framing only by pages of the same origin; deny, not to allow any such frames; or allow-from to specify any specific targets.

3) Content-Security-Policy with frame-ancestors: it also provides a frame-ancestors directive for specifying sources that are permitted to embed a page (in a frame, iframe, object, embed, or applet element).

The X-Frame-Options HTTP header is still the most universal way of increasing general website resilience, eliminating not just typical clickjacking attempts, but also a host of other vulnerabilities


Editor guide