Clickjacking (UI Redressing)

Description

Clickjacking is a technique in which an attacker tricks a user into clicking on a hidden element of another website (usually one the user is logged in to) while the user believes they are clicking on something on the attacker's page. The hidden click can submit a form, change a setting, authorize a transaction, start a download, or send the user to a malicious page.

Generally, clickjacking is done by loading the target website in an invisible iframe (opacity set to 0, or positioned so that only the wanted button is exposed) layered on top of the attacker's own page, so the user sees only the attacker's page. When the user clicks on what looks like a harmless button or link, the click actually lands on an element of the target site, which can have significant consequences because the browser sends the user's cookies with any request the framed page makes.

Example

Consider an example: you receive an email saying "You have won a special lucky draw! Visit to claim."

You visit the site, which looks like a lucky draw website, and it contains an element designed to make you click, such as a button labelled "Spin and win!".

[Image: "Spin to win!" button]

You click it to win, but the attacker has placed a transparent iframe of another site on top of the button, aligned so that your click lands on a button there, for example one that confirms an action in an account you are logged in to. The attacker's page never sees your session; it simply arranges for your own click to be delivered to the target site.

Impact

  • Users may be taken to a malicious page or have a download started.
  • Users may perform an unintended, state-changing action on a site where they are logged in, such as confirming a transaction, changing account settings, or granting a permission.

Prevention

  • Send the response header X-Frame-Options: SAMEORIGIN, which stops yoursite.com from being loaded in an iframe on any other origin (use X-Frame-Options: DENY if the page should never be framed at all, not even by your own site). The old ALLOW-FROM value is not supported by current browsers, so this header cannot express an allow-list of other sites.
  • Send the Content-Security-Policy header with a frame-ancestors directive. This is the successor to X-Frame-Options: when a browser sees frame-ancestors it ignores X-Frame-Options, so send both and keep them consistent so that older browsers stay protected. frame-ancestors only works as an HTTP response header, not in a <meta> tag.
    • Content-Security-Policy: frame-ancestors 'none'; Use this if the page is never embedded in an iframe anywhere.
    • Content-Security-Policy: frame-ancestors 'self'; Framing is allowed only from the same origin (same scheme, host and port), not merely the same site.
    • Content-Security-Policy: frame-ancestors 'self' *.ourothersite.com; Framing is allowed from the same origin and from any subdomain of ourothersite.com (the wildcard matches subdomains only; list ourothersite.com itself separately if it also needs to frame the page).
  • Apply the headers to every response that renders a page, not only the home page; a single unprotected page with a sensitive button is enough for an attack.
  • Do not rely on JavaScript "frame-busting" scripts as the only defence: an attacker can neutralise them by framing the page with the iframe sandbox attribute, which disables scripts and top-level navigation inside the frame.

How to check if your site is vulnerable to Clickjacking?

  • Create HTML page as below

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <title>Clickjack test page</title>
    </head>
    <body>
    <p>Website is vulnerable to clickjacking!</p>
    <!-- Replace yoursite.com with the page you want to test; pick a page that
         requires login or performs an action, not just the home page -->
    <iframe src="https://yoursite.com" width="500" height="500"></iframe>
    </body>
    </html>
    
  • Replace yoursite.com with the page you want to test and save the file.

  • Open the HTML file in a browser and see whether your page renders inside the frame.

    • Yes? ==> That page is vulnerable to Clickjacking.
    • No (the frame stays blank, or the browser reports that the page refused to connect)? ==> That page is protected.

  A few caveats: the verdict applies only to the page you framed, so repeat the test for every page with a sensitive action. Open the test file from a different origin than your site (a local file, or another host), because a frame-ancestors 'self' or SAMEORIGIN policy would correctly allow the frame from your own origin. Finally, confirm the headers directly rather than trusting appearances: look at the response in the browser's developer tools (Network tab) or fetch it with curl -I and check for X-Frame-Options and a Content-Security-Policy containing frame-ancestors.
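The following is an added example and is not code from the original article. It serves both the Prevention section and the check above: it builds the two anti-framing headers described under Prevention and then evaluates them the way a browser does, so you can reason about a policy (for instance whether a partner subdomain will be allowed, or whether a stray X-Frame-Options header still matters) before deploying it, as a complement to the manual iframe test. The function names and the origins used below (yoursite.com, ourothersite.com, evil.example) are placeholders chosen for illustration.

```javascript
// Added example, not the article's own code. Placeholder names throughout.

// Build the response headers for a framing policy. Both headers are sent:
// frame-ancestors for current browsers, X-Frame-Options as a fallback for old ones.
function antiFramingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case 'none':
      return { 'Content-Security-Policy': "frame-ancestors 'none'",
               'X-Frame-Options': 'DENY' };
    case 'self':
      return { 'Content-Security-Policy': "frame-ancestors 'self'",
               'X-Frame-Options': 'SAMEORIGIN' };
    case 'allowlist':
      // X-Frame-Options has no working allow-list (ALLOW-FROM is unsupported),
      // so the fallback can only be SAMEORIGIN: old browsers will block partners.
      return { 'Content-Security-Policy':
                 `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
               'X-Frame-Options': 'SAMEORIGIN' };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Does one frame-ancestors source expression match the origin doing the framing?
// Handles the common source forms: 'none', 'self', '*', scheme-source ("https:")
// and host-source ("[scheme://]host[:port]", host may start with "*.").
function sourceMatches(source, frameOrigin, pageOrigin) {
  const frame = new URL(frameOrigin);
  const page = new URL(pageOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") return frame.origin === page.origin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return frame.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (frame.protocol !== `${scheme.toLowerCase()}:`) return false;
  } else if (frame.protocol !== page.protocol && frame.protocol !== 'https:') {
    return false; // no scheme given: the page's own scheme, or an https upgrade, only
  }
  const frameHost = frame.hostname.toLowerCase();
  const wantHost = host.toLowerCase();
  if (wildcard ? !frameHost.endsWith('.' + wantHost) : frameHost !== wantHost) return false;
  if (port && port !== '*') {
    const framePort = frame.port || (frame.protocol === 'https:' ? '443' : '80');
    if (framePort !== port) return false;
  }
  return true;
}

// Decide whether a page at pageOrigin, served with these response headers, may be
// framed by a page at frameOrigin. Header names are matched case-insensitively.
// Simplification: only the top-level framing origin is checked; real browsers
// check every ancestor frame in the chain.
function isFramingAllowed(headers, frameOrigin, pageOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';')
      .map((d) => d.trim().split(/\s+/))
      .find((parts) => parts[0].toLowerCase() === 'frame-ancestors');
    if (directive) {
      // Per CSP Level 3, a frame-ancestors directive makes the browser ignore
      // X-Frame-Options entirely. An empty source list behaves like 'none'.
      return directive.slice(1).some((src) => sourceMatches(src, frameOrigin, pageOrigin));
    }
  }
  const xfo = get('x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return new URL(frameOrigin).origin === new URL(pageOrigin).origin;
    // Any other value (including the dead ALLOW-FROM) is unrecognized by
    // current browsers and gives no protection (assumed: Chromium behaviour).
  }
  return true; // no anti-framing header at all: framing is allowed
}

// Example run: a policy that allows our own origin plus partner subdomains.
const partnerHeaders = antiFramingHeaders('allowlist', ['*.ourothersite.com']);
console.log(partnerHeaders);
console.log(isFramingAllowed(partnerHeaders, 'https://evil.example', 'https://yoursite.com'));         // false
console.log(isFramingAllowed(partnerHeaders, 'https://app.ourothersite.com', 'https://yoursite.com')); // true
```

Use antiFramingHeaders to produce the values you configure in your web server or framework, and isFramingAllowed to check a recorded response (the headers you saw in developer tools or curl -I) against the origin of a would-be framing page. Note the precedence rule the checker encodes: once a frame-ancestors directive is present, X-Frame-Options is ignored, so a stricter X-Frame-Options: DENY does not tighten a permissive frame-ancestors list.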