Clickjacking: What Is It & How Does It Work?

Clickjacking
Image by macrovector on Freepik

Clickjacking is a type of attack that tricks a user into clicking a web page element that is either invisible or disguised as another element. The click the user intends for one thing is hijacked and delivered to another.

For example, a Twitter user who thinks they are clicking a button to reply could instead be made to tweet a link to a malicious domain to their followers. Clickjacking is typically seen as a browser security issue, but equivalent overlay attacks also exist in mobile applications.

Understanding the concept of clickjacking

Clickjacking is an attack that tricks users into thinking they are clicking on one thing when in fact they are clicking on something else. Unsuspecting users believe they are using a web page’s usual user interface when in reality the attacker has imposed a hidden user interface on top of it.

When users click on buttons they think are safe, the hidden user interface performs a different action. This can cause users to inadvertently download malware, provide credentials or sensitive information, visit malicious web pages, transfer money, or purchase products online.

Because there are many variations of the technique, the terms ‘user interface (UI) redressing’ or ‘UI redress attack’ are often used as umbrella terms for all of them.

Also known as a user interface redress attack, clickjacking was named by Jeremiah Grossman and Robert Hansen in 2008.

Clickjacking might look like spoofing, in which the attacker recreates a website or landing page so that users mistake the fake for the original, legitimate one, but it is more subtle. The page the victim is actually interacting with in a clickjacking scheme is the real website of a known, trusted entity.

What the attacker has done is load that real page into an invisible layer on a page they control, using ordinary web technologies: cascading style sheets (CSS) to position and hide the layer, and the iframe element, which lets one website embed content from another.

How clickjacking works

Clickjacking is possible because of HTML frames and iframes, i.e. the ability to display one web page inside another. An iframe (inline frame) is an element that embeds a separate document within the current one, which lets you include content from other sources in your web pages.

For example, when you visit a website that has an embedded YouTube video, that video is displayed inside an iframe. This is what creates the clickjacking opportunity. If a web page can be displayed inside a frame, an attacker can load it into a fully transparent iframe stacked over a decoy page they control, lining up the decoy’s visible buttons and links with the framed page’s sensitive controls. (In the reverse arrangement, the attacker places a transparent layer of their own JavaScript and UI elements over a visible page.) In either case the outward appearance of what the user sees is unchanged and innocuous, so they have no reason to suspect anything is amiss.

Users then navigate what looks like a normal page, expecting links and buttons to work as usual. Instead, each click passes through to the hidden layer. Because the framed page is the real site, the browser sends the resulting request with the user’s own session cookies, so the action is carried out with their authority (which is why SameSite cookie attributes, which keep cookies out of cross-site frames, blunt many of these attacks). The attacker’s page can also react to the click so that nothing appears to be wrong. This makes a range of malicious actions possible, including:

  • Installing malware
  • Stealing credentials
  • Activating your webcam or microphone
  • Making unsolicited purchases
  • Authorizing money transfers
  • Identifying your location
  • Boosting click stats on unrelated sites
  • Boosting ad revenues on sites
  • Gaining likes on Facebook or increasing views of YouTube videos
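To make the overlay mechanism concrete, here is an added example (not code from the original article) that generates the kind of test page described above: a visible decoy button with a fully transparent iframe of the target page stacked over it, shifted so that the target’s sensitive button sits exactly under the decoy. The target URL, coordinates and labels are placeholders; the part worth studying is the offset calculation, which is what aligns the hidden control with the visible bait. Use it only against pages you own, to confirm whether they can be framed at all.

```javascript
// Added example, not from the original article: builds a clickjacking test
// page. All URLs and coordinates below are constructed placeholders.

// The sensitive button sits at (targetX, targetY) inside the framed target
// page; the visible decoy button sits at (decoyX, decoyY) on our page.
// Shift the iframe so the two coincide: the click lands on the target.
function frameOffset({ targetX, targetY, decoyX, decoyY }) {
  return { left: decoyX - targetX, top: decoyY - targetY };
}

// Minimal HTML escaping so the generated page is well-formed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build the test page. `opacity` defaults to 0 (fully transparent overlay);
// set it to e.g. 0.4 while aligning the frame so both layers are visible.
function buildClickjackTestPage({
  targetUrl, targetX, targetY, decoyX, decoyY,
  decoyLabel = 'Click to continue', opacity = 0,
}) {
  const { left, top } = frameOffset({ targetX, targetY, decoyX, decoyY });
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>Clickjacking test</title>
<style>
  body { margin: 0; font-family: sans-serif; }
  /* The decoy: what the victim believes they are clicking. */
  #decoy { position: absolute; left: ${decoyX}px; top: ${decoyY}px; z-index: 1; }
  /* The framed target: highest in the stacking order but invisible, so the
     click is delivered to it rather than to the decoy underneath. */
  #target { position: absolute; left: ${left}px; top: ${top}px; width: 1200px; height: 900px; border: 0; opacity: ${opacity}; z-index: 2; }
</style></head>
<body>
  <button id="decoy">${escapeHtml(decoyLabel)}</button>
  <iframe id="target" src="${escapeHtml(targetUrl)}"></iframe>
</body></html>`;
}

// Standalone run: emit a test page for a constructed target.
console.log(buildClickjackTestPage({
  targetUrl: 'https://bank.example/settings', // placeholder, not a real site
  targetX: 300, targetY: 500, // where the "Confirm" button is in the target page
  decoyX: 100, decoyY: 80,    // where the bait button is on our page
}));
```

If the page renders with the target visible at opacity 0.4 and the two buttons overlap, the target does not stop itself from being framed and needs the server-side headers discussed later.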

Also, remember that clickjacking isn’t just about mouse clicks. Using a combination of stylesheets, text boxes, and iframes, an attacker could fool an unsuspecting user into thinking they are typing in their password on their online banking site, when in fact they are typing it into a site controlled by the attacker.

As with other forms of cybercrime, clickjacking attacks often rely on some form of social engineering to direct the targets to the compromised or malicious site. This might be an email, a text message, a social media post, and so on.

Types of clickjacking attacks

Complete transparent overlay

Perhaps the most common clickjacking strategy, this method stacks the legitimate web page on top of a malicious page. The legitimate page is loaded into a fully transparent iframe positioned over the attacker’s decoy, so the user sees only the decoy and has no idea that the real page sits invisibly above it, receiving their clicks.

Cursorjacking

Cursorjacking shifts the position of the cursor the user perceives away from where the real cursor is. A typical cursorjacking attack replaces the visible cursor with a fake one, drawn as an image and offset from the location of the real cursor. As a result, the user believes they are performing one action while actually performing another.

When the victim clicks an intended element with the fake cursor, the actual cursor clicks a malicious element. The real cursor may remain visible in a cursorjacking attack, although efforts are made to focus the victim’s attention on the fake one.

Cookiejacking

Cookiejacking is a UI redress attack that steals the victim’s cookies. With the cookies in hand, the attacker can read whatever they contain and, if they include session identifiers, impersonate the victim. It is typically achieved by tricking the victim into dragging and dropping what appears to be a harmless element on the page; what they are actually doing is selecting the contents of their cookies, rendered in an invisible embedded frame, and dropping them into an element the attacker controls.

The attacker can then perform actions on the target website on behalf of the user.

Drag and drop

This is a clickjacking strategy that requires the user to do more than just click. The victim is tricked into dragging content across the boundary between the visible decoy and the invisible frame: either dragging data shown in the framed legitimate page (such as a token or personal details) into an element the attacker controls, or dragging attacker-chosen text into a form field on the legitimate page so that it is filled in without the victim realizing. The goal, as with any such attack, is to obtain sensitive information or perform actions without the victim’s knowledge.

Due to the dynamic, innovative nature of the web, including new JavaScript frameworks, cyberattacks similar to clickjacking will continue to proliferate. Victims will continue to be tricked into performing unexpected actions on websites that seem identical to sites they have used before.

As such, clickjacking might be difficult to detect, but in large organizations, as employees and customers interact with the company’s web properties at scale, odd click behavior should be reported and acted upon quickly to thwart a cyberattack.

Filejacking

Filejacking tricks the victim into handing files from their local file system to the attacker. Normally, when you upload a photo to social media, clicking the upload button opens a file chooser and you pick a single file. In a filejacking attack, the attacker’s page presents a button that looks like a download or ‘Browse Files’ control (or however your browser labels it) but actually opens a folder chooser using the browser’s directory-upload support, so whichever folder the victim selects is uploaded, with all of its contents, to the attacker.

The attacker only receives the folder the victim chose, but victims often pick a downloads or home folder, which can contain a great deal of sensitive data.

How to prevent clickjacking attacks

If you want to measure how exposed your website is before implementing clickjacking defenses, refer to the OWASP Clickjacking Defense Cheat Sheet.

Clickjacking mitigation can be achieved on both the client side and the server side. Let’s discuss the options for both scenarios.

Client-side clickjacking prevention

Client-side clickjacking prevention is less effective than server-side controls, so these methods should be implemented as a secondary layer rather than the primary defense.

1. Frame-busting scripts

Frame-busting scripts are JavaScript that you include in your own pages to detect when the page has been loaded inside a frame and to stop it from functioning there.

The common technique is for the page to check whether it is the top-level browsing context (top !== self) and, if it is not, to navigate the top window to its own URL. If that succeeds, the legitimate page replaces the attacker’s framing page and the invisible overlay is gone.

This action can be prompted with the following lines of JavaScript:

This defense can, however, be circumvented easily. The attacker can stop the forced navigation from completing, for instance by registering a handler on the framing page that cancels the unload, with the following lines of JavaScript:


Another way to circumvent frame-busting is the HTML5 iframe sandbox attribute. Here is an example of the HTML:


With allow-scripts and allow-forms present, the framed page can still run its scripts and submit forms, so it behaves normally for the victim. But because allow-top-navigation is omitted, the framed page is not permitted to navigate the top window: its frame-busting attempt is silently dropped and the legitimate page stays inside the attacker’s frame.

Frame-busting scripts are therefore not a recommended primary defense. They depend on JavaScript running inside the framed page, and the framing page can neutralize them, whether with the sandbox attribute above or by intercepting the navigation attempt, so a determined attacker can keep the invisible overlay in place.

A 2010 study by the Stanford Web Security Group, ‘Busting Frame Busting’, catalogs the ways frame-busting code on popular sites could be bypassed.
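To show why the way a frame buster fails matters, here is an added example (not code from the original article or from the Stanford study) that implements both the legacy buster and the hardened ‘hide until confirmed top’ variant recommended by OWASP, written against an injected window-like object so it can be exercised in Node without a browser. The mock windows and the bank URL are constructed for the demo; in a real page the functions would receive the browser’s window, and the hardened variant pairs with a body { display: none } rule in the page’s stylesheet.

```javascript
// Added example, not from the original article. Both busters take a
// window-like object so they can run under Node; pass `window` in a page.

// Legacy frame buster: if framed, try to navigate the top window to this
// page. Fails open: when the framing page blocks top navigation (e.g. with
// <iframe sandbox="allow-scripts allow-forms">, which omits
// allow-top-navigation), the assignment is ignored and the page stays
// visible inside the attacker's frame.
function legacyFrameBuster(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location.href;
    return 'bust-attempted';
  }
  return 'not-framed';
}

// Hardened variant: the page ships with `body { display: none }` and is only
// revealed once script confirms it is the top window. If framed, it attempts
// to break out but stays hidden either way, so there is nothing to click.
function hardenedFrameBuster(win) {
  const style = win.document.body.style;
  style.display = 'none'; // stands in for the stylesheet rule
  if (win.self === win.top) {
    style.display = 'block';
    return 'shown';
  }
  win.top.location = win.self.location.href; // may be ignored; we stay hidden regardless
  return 'hidden';
}

// Constructed mock windows for three situations: not framed, framed by a
// plain iframe, and framed by a sandboxed iframe without allow-top-navigation.
// `navigatedTo` records where a top-level navigation would have gone.
function makeWindow({ framed, sandboxed = false }) {
  const self = {
    location: { href: 'https://bank.example/transfer' }, // constructed URL
    document: { body: { style: { display: '' } } },
  };
  self.self = self;
  if (!framed) {
    self.top = self;
    return self;
  }
  const top = { navigatedTo: null };
  Object.defineProperty(top, 'location', {
    get() { return top.navigatedTo; },
    // In a sandbox without allow-top-navigation the browser drops the
    // navigation silently; the framed page gets no error to react to.
    set(url) { if (!sandboxed) top.navigatedTo = String(url); },
  });
  self.top = top;
  return self;
}

// Run each buster in each scenario and report whether the page ended up
// visible and whether the break-out navigation actually happened.
function runScenarios() {
  const scenarios = {
    notFramed: { framed: false },
    plainFrame: { framed: true },
    sandboxedFrame: { framed: true, sandboxed: true },
  };
  const results = {};
  for (const [name, cfg] of Object.entries(scenarios)) {
    const w1 = makeWindow(cfg);
    legacyFrameBuster(w1);
    const w2 = makeWindow(cfg);
    hardenedFrameBuster(w2);
    results[name] = {
      navigated: Boolean(w1.top.navigatedTo),
      legacyVisible: w1.document.body.style.display !== 'none',
      hardenedVisible: w2.document.body.style.display !== 'none',
    };
  }
  return results;
}

console.table(runScenarios());
```

In the sandboxed scenario the legacy buster leaves the page visible and clickable, exactly the outcome the attacker wants, while the hardened variant leaves a blank frame. Even the hardened variant only works if the framed page’s JavaScript runs, so it remains a fallback to the server-side headers.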

2. Install browser extensions

Anti-clickjacking browser extensions are a blunt instrument: most work by disabling JavaScript on the sites you visit. Many popular sites such as Facebook, Twitter and YouTube depend on JavaScript, so these extensions will break their functionality.

To keep JavaScript working on trusted sites, you would need to maintain an allowlist manually.

Here is a list of JavaScript-blocking add-ons for different browsers:

Chrome

Scriptsafe is an extension for Chrome.

Mozilla Firefox

NoScript is a Mozilla Firefox browser add-on.

Safari

JS Blocker is a Safari browser extension.

Microsoft Edge

Javascript Toggle ON and Off is an add-on you can install on Microsoft Edge.

DuckDuckGo

DuckDuckGo does not offer a JavaScript-blocking add-on, but it does offer its own privacy-focused browser with built-in tracker blocking.

Internet Explorer

To disable JavaScript in Internet Explorer:

  1. Select the gear icon in the top right corner, or press ALT+X
  2. From the drop-down menu, select ‘Internet options’
  3. Click the ‘Security’ tab
  4. Click ‘Custom level’
  5. Under ‘Scripting’, set ‘Active scripting’ to ‘Disable’
  6. Select ‘Yes’ to confirm

Server-side clickjacking prevention

Clickjacking attacks start from a page the attacker controls: they do not need to compromise your site, only to load it inside a frame on their own page and hide weaponized controls over or under it. Besides the consequences for your users, your business could suffer serious reputational damage.
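The server-side controls are HTTP response headers: Content-Security-Policy with a frame-ancestors directive (the current standard) and the older X-Frame-Options header as a fallback for browsers that lack CSP support. As an added example, not from the original article, the following evaluates a response’s headers the way a browser does and reports whether a given ancestor origin would be allowed to frame the page; it is the check to run against your own responses before and after deploying the headers. The header names and their semantics are the real ones; the sample header sets and origins are constructed for the demo.

```javascript
// Added example, not from the original article: decide whether a response's
// anti-framing headers permit a given ancestor origin to frame the page.

// Split an origin into scheme, host and effective port (default filled in).
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  const defaultPort = scheme === 'https' ? '443' : scheme === 'http' ? '80' : '';
  return { scheme, host: u.hostname, port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one CSP source expression match the ancestor origin? Handles 'none',
// 'self', scheme-sources ("https:") and host-sources ("https://*.x.example:443").
function sourceMatches(src, ancestor, page) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(ancestor, page);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return ancestor.scheme === s.slice(0, -1);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[^:/]+|[^:/*]+)(?::(\*|\d+))?$/.exec(s);
  if (!m) return false; // paths are not valid in frame-ancestors
  const [, srcScheme, srcHost, srcPort] = m;
  if (srcScheme) {
    if (ancestor.scheme !== srcScheme) return false;
  } else if (!(ancestor.scheme === page.scheme || (page.scheme === 'http' && ancestor.scheme === 'https'))) {
    return false; // no scheme given: same scheme as the page, or an https upgrade
  }
  if (srcHost.startsWith('*.')) {
    if (!ancestor.host.endsWith(srcHost.slice(1))) return false; // subdomains only
  } else if (srcHost !== '*' && ancestor.host !== srcHost) {
    return false;
  }
  if (srcPort) {
    if (srcPort !== '*' && ancestor.port !== srcPort) return false;
  } else {
    const expectScheme = srcScheme || ancestor.scheme;
    if (ancestor.port !== (expectScheme === 'https' ? '443' : '80')) return false;
  }
  return true;
}

// `headers` is an object keyed by lowercase header name. When a
// frame-ancestors directive is present, X-Frame-Options is ignored, as
// browsers do; otherwise X-Frame-Options is evaluated, and no header at all
// means anyone can frame the page.
function framingAllowed(headers, pageOrigin, ancestorOrigin) {
  const page = parseOrigin(pageOrigin);
  const ancestor = parseOrigin(ancestorOrigin);
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const csp = headers['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim().split(/\s+/))
      .find((d) => d[0].toLowerCase() === 'frame-ancestors');
    if (directive) {
      const sources = directive.slice(1); // an empty list behaves like 'none'
      const allowed = sources.some((src) => sourceMatches(src, ancestor, page));
      const note = xfo ? ' (X-Frame-Options ignored because frame-ancestors is present)' : '';
      return { allowed, reason: `CSP frame-ancestors ${sources.join(' ')}${note}` };
    }
  }
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') return { allowed: sameOrigin(ancestor, page), reason: 'X-Frame-Options: SAMEORIGIN' };
  if (xfo.startsWith('ALLOW-FROM')) return { allowed: true, reason: 'X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers: no protection' };
  if (xfo) return { allowed: true, reason: `X-Frame-Options "${xfo}" is invalid and ignored: no protection` };
  return { allowed: true, reason: 'no anti-framing header: any site can frame this page' };
}

// Constructed sample responses, checked against a constructed attacker origin.
const samples = {
  locked: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'", 'x-frame-options': 'DENY' },
  partners: { 'content-security-policy': "frame-ancestors 'self' https://*.partner.example" },
  legacyOnly: { 'x-frame-options': 'SAMEORIGIN' },
  unprotected: {},
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, framingAllowed(headers, 'https://bank.example', 'https://evil.example'));
}
```

Run it against headers captured from your own site (for example with a HEAD request) for each origin that legitimately needs to frame you; anything that comes back allowed for an origin you did not intend is a finding.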

You therefore need to ensure that none of your web pages can be wrapped in a or