Clickjacking
Clickjacking, also known as "UI redress attack" or "user-interface redress attack," is a malicious technique used by attackers to trick users into clicking on something different from what the user perceives they are clicking on. This technique was first reported by Robert Hansen and Jeremiah Grossman at Black Hat Briefings in 2008. Here's an in-depth look at this security vulnerability:
Mechanism
The core of clickjacking involves:
- Overlaying: Attackers overlay transparent or invisible layers on top of legitimate web pages. These layers can include clickable elements like buttons or links.
- Deceptive UI: The visible content of the page is designed to lure users into clicking where they think they're interacting with the intended site, but they are actually interacting with the hidden layer.
Examples of Clickjacking Attacks
- Likejacking: Users are tricked into clicking "Like" buttons on social media, leading to unintended endorsements or spreading malicious content.
- Cursorjacking: Manipulating the cursor's appearance or behavior to mislead the user about where they are clicking.
- Formjacking: Overlaying a fake form over a real one to steal user input, often used to capture sensitive information like login credentials.
Defenses Against Clickjacking
Several techniques have been developed to mitigate the risk of clickjacking:
- Frame Busting: Client-side scripts that detect when a page is loaded inside an iframe and break out of it. These scripts can be bypassed (for example, when the framing page disables scripting in the iframe), so they should only supplement the header-based defenses below.
- X-Frame-Options: An HTTP response header that specifies whether a browser should be allowed to render the page in an iframe. Options include 'DENY', 'SAMEORIGIN', and 'ALLOW-FROM uri'; 'ALLOW-FROM' is obsolete and ignored by current browsers, so it should not be relied on.
- Content Security Policy (CSP): Using the 'frame-ancestors' directive in the CSP header to control which origins may embed a resource. Browsers that support it give 'frame-ancestors' precedence over X-Frame-Options.
- User Awareness: Educating users about the dangers of clicking unknown or suspicious content.
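The following is an added example, not code from the original article: a small Node.js audit that applies the precedence rules above to a set of HTTP response headers and reports whether the page can be framed by a third party, together with the header pair a page that must never be framed should send. The sample header sets are constructed for illustration, and the host name partner.example is a placeholder.

```javascript
// Added example (not from the original article): audit HTTP response headers
// for clickjacking protection and produce the recommended header set.
// Sample header maps below are constructed; partner.example is a placeholder.

// Normalise a header map to lower-case keys so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Return the frame-ancestors source list from a CSP header value, or null if
// the directive is absent. CSP directives are separated by ';'.
function frameAncestorsFrom(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Decide whether a third-party page may embed this response in a frame.
// Returns { protected, mechanism, detail }.
function auditFrameProtection(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const csp = h['content-security-policy'];
  const xfo = h['x-frame-options'];

  // CSP frame-ancestors takes precedence over X-Frame-Options, so check it first.
  if (csp) {
    const ancestors = frameAncestorsFrom(csp);
    if (ancestors !== null) {
      // An empty source list is equivalent to 'none'.
      if (ancestors.length === 0 || ancestors.includes('none')) {
        return { protected: true, mechanism: 'csp', detail: "frame-ancestors 'none'" };
      }
      // '*' or a bare scheme such as 'https:' lets any origin frame the page.
      if (ancestors.some((a) => a === '*' || /^[a-z][a-z0-9+.-]*:$/.test(a))) {
        return { protected: false, mechanism: 'csp', detail: 'frame-ancestors allows any origin' };
      }
      return { protected: true, mechanism: 'csp', detail: `frame-ancestors ${ancestors.join(' ')}` };
    }
  }

  if (xfo) {
    const value = xfo.toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { protected: true, mechanism: 'x-frame-options', detail: value };
    }
    if (value.startsWith('ALLOW-FROM')) {
      // Obsolete: current browsers ignore it, which leaves the page frameable.
      return { protected: false, mechanism: 'x-frame-options', detail: 'ALLOW-FROM is obsolete and ignored' };
    }
    return { protected: false, mechanism: 'x-frame-options', detail: `unrecognised value ${xfo}` };
  }

  return { protected: false, mechanism: 'none', detail: 'no framing restriction header' };
}

// Header pair for a page that must never be framed. Both are sent so that
// browsers without frame-ancestors support still honour the restriction.
function recommendedHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  };
}

// Constructed sample responses covering the cases discussed above.
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  obsolete: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspStrict: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOpen: { 'Content-Security-Policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, auditFrameProtection(headers));
}
```

Run it with `node` to see one verdict per sample; in practice the same function can be pointed at the headers of a live response to confirm that a deployment actually sends the protection it is supposed to.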
Historical Context
Since its discovery:
- Clickjacking has become a recognized threat in web security, leading to widespread adoption of protective measures.
- Modern browsers have implemented features to help defend against clickjacking, such as the ability to interpret and enforce the X-Frame-Options header.
- The development of HTML5 and its security features like sandboxing has provided additional layers of protection against these attacks.
Current Landscape
Today, while clickjacking remains a concern:
- Most major websites and web applications implement some form of protection.
- New attack vectors continue to evolve, requiring ongoing vigilance and adaptation of security practices.