What is ClickJacking?
Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a docoy website.
HISTORY:
In 2002, it had been noted that it was possible to load a transparent layer over a web page and have the user's input affect the transparent layer without the user noticing.
In 2008, Jeremiah Grossman and Robert Hansen had discovered that Adobe Flash Player was able to be clickjacked, allowing an attacker to gain access of the computer without the user's knowledge.
Later the term "clickjacking" was introduced by Jeremiah Grossman and Robert Hansen, a portmanteau of the words "click" and "hijacking."
Clickjacking attack
Firstly attacker creates an attractive page which promises to give the user a free stuffs(eg : you have won a trip to Maldives).
In the background the attacker checks if the user is logged into his banking site and if so, loads the screen that enables transfer of funds, using query parameters to insert the attacker’s bank details into the form.
The bank transfer page is displayed in an invisible iframe above the free stuff page, with the “Confirm Transfer” button exactly aligned over the “Receive Gift” button visible to the user.
The user visits the page and clicks the “Book My Free Trip” button.
In reality the user is clicking on the invisible iframe, and has clicked the “Confirm Transfer” button. Funds are transferred to the attacker.
The user is redirected to a page with information about the free gift (not knowing what happened in the background).
IS YOUR SITE IS VULNERABLE TO "CLICKJACKING"?
A basic way to test if your site is vulnerable to clickjacking is to create an HTML page and attempt to include a sensitive page over your website in an iframe. If th website is not letting you to overlay a page then you are safe.
Also there are some website which provide you with the clickjacking test ex: clickjacker.io which will tell you is your site is vulnerable to clickjacking or not.
Defence:
As a website or web application owner, you must make sure that your web assets cannot be used in a clickjacking attack. You may use several techniques for that purpose. You can also use several of them together to ensure full coverage.
Vulnerable applications: When there are vulnerabilities in the application itself such as with the Adobe Flash Player plug-in, the attackers can gain access to the hardware attached such as the camera and microphone.
Transparent pages:The cyber-attacker uses vulnerabilities on the browser to embed a page that is already authenticated by the user to a malicious web page controlled
So, the attacker can selectively make some parts of the original application invisible and show the user only controlled elements like form fields, buttons, and tabs that they want the user to click.
JavaScript button: When only HTML is used, some functionalities may not be possible. So, by using JavaScript instead of the only HTML, the cyber-criminals can manipulate the User Interface (UI) in myriad ways. For instance- placing a button under the user’s cursor at all times by embedding a malicious webpage on the browser so that the users are forced to make the click.
iFrame Overlay: The malicious website of the attacker contains 2 parts: a code to generate fake UI and an iFrame overlay to cover a portion of the legitimate application. The cyber-criminal can make the user believe that they are using a legitimate web application by using these iFrame overlays and trick them into taking any desired action.
PREVENTIONS BY USER:
The one and only solution for the problem is do not click on links which seems to be malicious 😅
Top comments (0)