Clickjacking is an attack that tricks the user into clicking on a web page element that is invisible or disguised as another element. This can cause users to unintentionally download malware, visit malicious web pages, provide credentials or sensitive information, transfer money or purchase products online.
Requirements:
- Domain – A domain for testing
- Programming – High programming skills
Responsibility:
In this tutorial we will use hacking techniques, with the only purpose of learning. We do not promote its use for profitable or improper purposes. We are not responsible for any damage or impairment that may be generated in the systems used. The responsibility lies entirely with the user of this tutorial.
Knowledge:
- Linux – High
- Programming – High
- Kali Linux – High
- Windows – Not applicable
- Networks – Basic
Overall Tutorial Level: High
Ideal for: Network engineers, Security engineers, Pentesters, etc.
What is clickjacking?
Typically, clickjacking is done by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user thinks they are clicking on the visible page, but in reality they are clicking on an invisible element of the additional page superimposed on top of it.
The invisible page can be a malicious page or a legitimate page that the user did not intend to visit, for example, a page on the user’s banking site that authorizes the transfer of money.
There are several variants of the clickjacking attack, such as:
- Likejacking – a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page that they did not actually intend to like.
- Cursorjacking – a user interface redirection technique that shifts the cursor from the user’s perceived position to another position. Cursorjacking is based on vulnerabilities in Flash and the Firefox browser, which have been fixed.
Example of clickjacking attack
- The attacker creates an attractive page that promises to give the user a trip to Tahiti.
- In the background, the attacker checks whether the user is logged into their banking site and, if so, loads the screen that allows the transfer of funds, using query parameters to insert the attacker’s bank details into the form.
- The bank transfer page is displayed in an invisible iframe above the free gifts page, with the “Confirm transfer” button exactly aligned above the “Receive gift” button visible to the user.
- The user visits the page and clicks on the “Book my free trip” button.
- In reality, the user is clicking on the invisible iframe, and has clicked the “Confirm transfer” button. The funds are transferred to the attacker.
- The user is redirected to a page with information about the free gift (without knowing what has happened in the background).
This example illustrates that, in a clickjacking attack, the malicious action (on the bank’s website, in this case) cannot be traced back to the attacker, because the user performed it while legitimately logged into their own account.
Clickjacking mitigation
There are two general ways to defend against clickjacking:
- Client-side methods – the most common is called Frame Busting. Client-side methods can be effective in some cases, but are not considered best practice, because they can be easily bypassed.
- Server-side methods – the most common is X-Frame-Options. Server-side methods are recommended by security experts as an effective way to defend against clickjacking.
Clickjacking mitigation with the X-Frame-Options response header
The X-Frame-Options response header is passed as part of a web page’s HTTP response, indicating whether to allow a browser to render a page within a <FRAME> or <IFRAME> tag.
There are three allowed values for the X-Frame-Options header:
- DENY – does not allow any domain to display this page within a frame
- SAMEORIGIN – allows the current page to be displayed in a frame of another page, but only within the current domain
- ALLOW-FROM URI – allows the current page to be displayed in a frame, but only at a specific URI – e.g. www.example.com/frame-page
Using the SAMEORIGIN option to defend against clickjacking
X-Frame-Options allows content publishers to prevent their own content from being used in an invisible frame by attackers.
The DENY option is the safest option, as it prevents any use of the current page in a frame. More commonly, SAMEORIGIN is used, as it allows the use of frames, but limits them to the current domain.
Limitations of X-Frame-Options
- To enable the SAMEORIGIN option on a web site, the X-Frame-Options header must be returned as part of the HTTP response for every individual page; it cannot be applied once across the whole site.
- X-Frame-Options does not support a whitelist of allowed domains, so it does not work with multi-domain sites that need to display framed content from one another.
- Only one option can be used on a single page, so, for example, it is not possible for the same page to be displayed as a frame on both the current website and an external site.
- The ALLOW-FROM option is not compatible with all browsers.
- X-Frame-Options is a deprecated option in most browsers.
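The server-side mitigation described above, as an added example that is not code from the original post: a small WSGI middleware that attaches X-Frame-Options to every response, since the header has to travel with each page's HTTP response rather than being set once for the site. The middleware leaves a response alone if it already carries the header, so an individual page can deliberately use a stricter value. The names `XFrameOptionsMiddleware`, `sensitive_page`, `opted_out_page` and `run_request` are assumptions made for this illustration.

```python
"""WSGI middleware that adds an anti-clickjacking X-Frame-Options header
to every response (added example, not the original post's code)."""
from wsgiref.util import setup_testing_defaults

# ALLOW-FROM is deliberately not offered: browser support is uneven.
VALID_OPTIONS = {"DENY", "SAMEORIGIN"}


class XFrameOptionsMiddleware:
    """Wrap a WSGI app so that each response carries X-Frame-Options.

    The header cannot be applied site-wide in one place; it must be on every
    response, which is why a middleware is the natural home for it.
    """

    def __init__(self, app, option="SAMEORIGIN"):
        if option.upper() not in VALID_OPTIONS:
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app = app
        self.option = option.upper()

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            # Respect a value the page set itself; otherwise add the default.
            if "x-frame-options" not in present:
                headers = list(headers) + [("X-Frame-Options", self.option)]
            return start_response(status, headers, exc_info)

        return self.app(environ, _start_response)


def sensitive_page(environ, start_response):
    """Hypothetical page (e.g. a funds transfer form) that sets no header itself."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>Confirm transfer</h1>"]


def opted_out_page(environ, start_response):
    """Hypothetical page that already chose the stricter DENY value."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-Frame-Options", "DENY")])
    return [b"<p>never framed</p>"]


def run_request(app, path="/transfer"):
    """Call a WSGI app in-process; return (status, headers as a dict, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)      # fills in the standard WSGI keys
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    protected = XFrameOptionsMiddleware(sensitive_page, "SAMEORIGIN")
    status, headers, body = run_request(protected)
    print(status, headers.get("X-Frame-Options"), body.decode())
```

In a real deployment the same wrapping happens once at application start-up (for example around the WSGI callable a framework exports), which is how the "every page" requirement is met without touching each view.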
Clickjacking test – Is your site vulnerable?
A basic way to test if your site is vulnerable to clickjacking is to create an HTML page and attempt to include a sensitive page from your website in an iframe. It is important to execute the test code on another web server, because this is the typical behavior in a clickjacking attack.
Use code like the following, provided as part of the OWASP Testing Guide:
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <p>Website is vulnerable to clickjacking!</p>
    <iframe src="http://www.yoursite.com/sensitive-page" width="500" height="500"></iframe>
  </body>
</html>
View the HTML page in a browser and evaluate the page as follows:
- If the text “Website is vulnerable to clickjacking” appears and the content of your sensitive page is visible below, the page is vulnerable to clickjacking.
- If only the text “Website is vulnerable to clickjacking” appears, and the content of your sensitive page is not visible, the page is not vulnerable to the simplest form of clickjacking.
However, additional testing is needed to see what anti-clickjacking methods are used on the page, and whether they can be circumvented by attackers.
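An automated counterpart to the iframe test above, added here as example code that is neither from the OWASP Testing Guide nor from the original post: it applies the DENY, SAMEORIGIN and ALLOW-FROM rules described earlier to a response's headers and reports whether a page on another origin could embed the target, which is what the manual test observes visually. The sample header sets are constructed, `https://evil.example/clickjack.html` stands in for the separate test server, and the function names are assumptions. The script evaluates only X-Frame-Options; a page protected instead by the newer Content-Security-Policy frame-ancestors directive (not covered on this page) would be reported as vulnerable here, which is one reason the manual browser test remains worthwhile.

```python
"""Decide from X-Frame-Options whether a page hosted elsewhere could embed
a target page in an <iframe> (added example, not the original post's code)."""
import urllib.request
from urllib.parse import urlsplit


def _origin(url):
    """Reduce a URL to (scheme, host, port), the unit that SAMEORIGIN compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    default_port = 443 if scheme == "https" else 80
    return (scheme, (parts.hostname or "").lower(), parts.port or default_port)


def framing_allowed(headers, page_url, framer_url):
    """True if a browser honouring X-Frame-Options would render page_url
    inside a frame on framer_url. Header names match case-insensitively."""
    value = None
    for name, raw in headers.items():
        if name.lower() == "x-frame-options":
            value = raw.strip()
    if not value:
        return True                       # no header: any site may frame the page
    token = value.split()[0].upper()
    if token == "DENY":
        return False
    if token == "SAMEORIGIN":
        return _origin(page_url) == _origin(framer_url)
    if token == "ALLOW-FROM":
        parts = value.split(None, 1)      # exactly one URI may follow ALLOW-FROM
        if len(parts) != 2:
            return True
        return _origin(parts[1]) == _origin(framer_url)
    # Unrecognised value: browsers generally ignore the header, so a tester
    # should assume the page is unprotected.
    return True


def assess(headers, page_url, test_server="https://evil.example/clickjack.html"):
    """Mirror the manual test: 'vulnerable' if a page on test_server could embed page_url."""
    return "vulnerable" if framing_allowed(headers, page_url, test_server) else "protected"


def fetch_headers(url):
    """Fetch live response headers for url (needs network; unused by the samples)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses for the sensitive page used in the test above.
PAGE = "https://www.yoursite.com/sensitive-page"
SAMPLES = {
    "no header":  {"Content-Type": "text/html"},
    "DENY":       {"X-Frame-Options": "DENY"},
    "SAMEORIGIN": {"x-frame-options": "sameorigin"},
    "ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example/frame-page"},
    "bad value":  {"X-Frame-Options": "ALLOWALL"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:11} -> {assess(headers, PAGE)}")
```

To run it against a live page, replace the constructed dictionaries with `fetch_headers(PAGE)`; the origin comparison also shows why a SAMEORIGIN page served over https is not framable from the plain-http version of the same host.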
I hope you liked the post and I hope it helps you.