Privacy settings
We use cookies and similar technologies that are necessary to run the website. Additional cookies are only used with your consent. You can consent to our use of cookies by clicking on Agree. For more information on which data is collected and how it is shared with our partners please read our privacy and cookie policy: Cookie policy, Privacy policy
We use cookies to access, analyse and store information such as the characteristics of your device as well as certain personal data (IP addresses, navigation usage, geolocation data or unique identifiers). The processing of your data serves various purposes: Analytics cookies allow us to analyse our performance to offer you a better online experience and evaluate the efficiency of our campaigns. Personalisation cookies give you access to a customised experience of our website with usage-based offers and support. Finally, Advertising cookies are placed by third-party companies processing your data to create audiences lists to deliver targeted ads on social media and the internet. You may freely give, refuse or withdraw your consent at any time using the link provided at the bottom of each page.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Vulnerabilities

What is Clickjacking?

What is Clickjacking?

Progressed aggressors are persistently cultivating their systems to avoid region. Eventually, they can cover a clearly harmless site page with an immaterial layer containing noxious affiliations. This strategy for assault, known as clickjacking, could make you instigate your webcam or move cash from your record.

In this post, we design the various types of clickjacking assaults and disclose to you the most ideal approach to best guarantee yourself against this application security hazard.

Learning Objectives

What precisely is clickjacking, and how can it work?

clickjacking is a kind of assault wherein the misfortune taps on joins on a site they recognize to be a known, confided in site. Notwithstanding, unbeknown to the individual being alluded to, they are really tapping on a perilous, covered site overlaid onto the known site.

Sometimes, the snap appears, apparently, to be enough harmless. For instance, an aggressor covered as a marketing expert makes a post to get likes on a Facebook page—a structure known as likejacking. The snap could actuate more perilous action, for example, the unapproved download of malware, or can trigger a JavaScript code to turn on a webcam, gather passwords, or record keystrokes.

Cursorjacking is another variety of clickjacking. In cursorjacking, aggressors stunt clients by adding a custom cursor picture that puzzles misfortunes into tapping on pieces of the page they have no target of clicking. In further made clickjacking conditions, misfortunes accomplish some unique choice from click. They may even enter usernames, passwords, Visa numbers, and other individual data into what they recognize to be common areas they use routinely. Be that as it may, considering everything, their data is being scratched by a malignant, covered site.

Regardless called a client review interface assault, the term clickjacking was brought about by Jeremiah Grossman and Robert Hansen in 2008.

While clickjacking may seem like criticizing—in which the cyberattacker rehashes regions or spots of appearance with an extreme goal to fool clients into deduction the phony pages are the head, genuine pages—it is widely more refined. The site the misfortune is taking a gander at in a clickjacking plan is the authentic site of a known, confided in part. In any case, the assailant has added an ill defined overlay over its substance utilizing assorted HTML advances, including custom falling organizations (CSS) and iframe, which believe content from different objections to be ported onto another site.

how clickjacking work

Types of clickjacking

There two or three indisputable kinds of clickjacking assaults. Because of the open thought about the web and the proceeded with progresses in web systems and CSS, clickjacking assaults can wind up being astoundingly muddled.

  • Complete Transparent Overlay

Potentially the most prominent clickjacking system, this method overlays a true page over a harmful page. The legitimate page is stacked into a vague iframe, and the client thinks nothing about that a threatening page is under.

  • Hidden overlay

This could be different things, yet cursorjacking, alluded to above, is a model. In this system, the cyberattacker makes a moment iframe, perhaps as little as a 1x1 pixel, that can be masterminded under the mouse cursor and unobtrusive to the individual being alluded to. As requirements be, any snap will go to the mystery threatening page.

  • Cropping

Overseeing, which is trickier to program, happens when the cyberattacker overlays just picked controls from the vindictive page onto the genuine page. The aggressor could abrogate hyperlinks on the authentic page with diverts, dislodge the substance of gets on the real page with other language (along these lines dazing the individual being alluded to), or change the substance in a way that deceives the client.

  • Click event dropping

Snap event dropping may be an even more clear assault to a client. In this strategy, the aggressor sets the CSS pointer-occasions property to none, which means clicking will appear to do nothing on the page. Be that as it may, if all else fails, the snaps are chipping away at the malignant page under. Clients should alarm the site executive when their kept tapping on the site's gets or affiliations doesn't work.

  • Rapid substance replacement

For more present day cyberattackers with essential fitness in client experience and lead, fast substance substitution can be a stunning framework. In this game plan, overlays are masked, cleared out for a little piece of one second to enroll a tick, and some time later quickly dislodged. With the current situation, the client probably won't see that they are tapping on a possibly destructive catch or affiliation in light of the fact that the article dissipates so rapidly.

Close to utilizing insert overlays, there are substitute ways aggressors can fool clients into clicking out of nowhere threatening substance.

  • Scrolling

In the current situation, the cyberattacker makes a genuine exchange box or spring up with a catch somewhat off the screen. The gets go to the pernicious page under, at any rate the case shows up as an innocuous brief. The test for assailants in utilizing this technique is that the misfortune might have a headway blocker or spring up blocker introduced on their program. The aggressor should figure out some approach to dodge this. (Fake advertisement blocker developments are one more sort of cyberattack).

  • Drag-and-drop

This is a clickjacking strategy that requires the client to accomplish some unique choice from click. The misfortune should adjust plans or play out another development. The website architectures may take after those of the real page, yet when clients balance the fields, the information is gotten by the cyberattacker through the perilous page under. The objective, moreover correspondingly similarly as with any cyberattack, is to get individual or fragile data without the mishap's information.

Because of the dynamic, inventive nature of the web, including new JavaScript systems, cyberattacks like clickjacking will keep copying. Misfortunes will keep being fooled into performing astonishing activities on districts that appear, apparently, to be muddled from protests they have utilized in advance. In that breaking point, clickjacking may be hard to perceive, at any rate in immense relationship, as specialists and clients collaborate with the affiliation's web properties at scale, odd snap lead ought to be addressed and returned again to rapidly to obstruct a cyberattack.

  • Repositioning

This is a sort of speedy substance substitution assault, in which the cyberattacker rapidly moves a confided in (UI) part while the client is spun around another piece of the site page. The pondering is to have the misfortune surprisingly click the moved portion instead of zeroing in on inspecting, researching, or clicking some different option from what's generally anticipated on the page. Practical leaps or upgrades ought to be clear to most clients, and when this happens, the agent should tell the site chairman and security pack.

Differences with CSRF

A close inspection of CSRF and Clickjacking loopholes can make one wonder if they are the same as they both share great similarities. For instance, they both involve directing the target to a forged website or webpage. They both share the same aim, duping the target into stealing money or data. However, they are quite different from each other. 

A major distinction can be made on the basis of who is the actor in the process.

In CSRF, the browser takes all the actions, while clickjacking forces end-users or the target to take actions that will lead to a successful attack. The prospective victim will be in direct contact with the malicious websites. The hacker sits back and waits for actions to be completed.

A simple example of clickjacking

Clickjacking assaults use CSS to make and control layers. The aggressor joins the objective site as an iframe layer overlaid on the interference site. A model utilizing the style tag and cutoff points is as per the going with:


<head>
    <style>
    #target_website {
        position:relative;
        width:128px;
        height:128px;
        opacity:0.00001;
        z-index:2;
    }
    #decoy_website {
        position:absolute;
        width:300px;
        height:400px;
        z-index:1;
    } 
    </style>
</head>
<body>
    <div id="decoy_website">
        ...bait web content here... 
    </div> 
    <iframe id="target_website" src="https://defenseless website.com"></iframe>
</body>

The objective site iframe is masterminded inside the program so that there is a cautious get over of the objective development with the fake site utilizing fitting width and stature position respects.

Total and relative position respects are utilized to guarantee that the objective site precisely covers the pantomime paying little notification to screen size, program type and stage. The z-record picks the stacking requesting of the iframe and site layers. The obscurity see is depicted as 0.0 (or close 0.0) so that the iframe content is immediate to the client.

Program clickjacking affirmation may apply limit based iframe straightforwardness recognizing confirmation (for instance, Chrome structure 76 unites this lead yet Firefox doesn't). The assailant picks duskiness respects so the ideal impact is refined without setting off insurance practices.

example of clickjacking

Examples of Clickjacking in real life

Being a very common technique that hackers of all sorts use to deceive the target, clickjacking can be used alone or as a part of an extensive attack strategy. Either way, it’s successful to fool victims. In fact, it was used in several successful attacks previously too.

We bring you the most famous clickjacking examples from the real world.

  1. Example #1 - Paypal was featuring a vulnerability that could lead to clickjacking

The money transfer service of PayPal was diagnosed with a potential vulnerability that was ideal for a clickjacking attack. A security researcher spotted this in 2022. If exploited by ill-intended personnel, the vulnerability can help end-users to trick the end-user and transfer the money to someone else’s account. 

For seasoned hackers, it was not tough to make this vulnerability work for them. All they need to do is insert a corrupted endpoint in the iframe. By doing so, hackers will be able to direct any fund transfer to the account of their choice.

Further research revealed that this vulnerability was capable of funds transfer redirecting on all the platforms that were using the PayPal accounts as 3rd party money transfer service. This was a serious security concern for end-users.

  1. Example #2 - Sypeng malware was causing much of troubles

Sypeng was a very notorious malware that went viral in 2017. Even though it came into being in 2013, it caused the maximum trouble in 2017 as it caused a couple of clickjacking attacks. The malware was designed to steal only banking-related data. It was compatible with Android devices online and was delivered via unverified apps.

When any Android user used to download such an app from the Playstore, the malware would become active and clickjack the targeted users’ data. But, this wasn’t the only security concern it gave birth to. In some cases, the malware managed to penetrate up to the Administrator level and started using the privileges. 

After reaching this level, the malware managed to control the overlay screen, auto-send SMS text messages, access saved contacts, and even make random calls.

The malware was so technically sound that it used to capture the screenshots of the actions done and auto-share them with the threat actors.

For this job, the malware took the help of a command-and-control server. This server remained in the control of the threat actor involved. As only banking data was involved and the malware was able to access the text messages, there was a risk of leading to the banking-related OTP details. 

The malware was so powerful that it took only one week to spread out its wings in more than 23 countries, which made it utterly viral.

  1. Example #3 - Facebook Clickjacking Bug (2018)

In December 2018, a security professional found out that an unauthorized user posted on someone's wall without actually asking for the same. 

The scam required the victim to click a comic site's link, where he was asked to confirm his age. After successful confirmation, the victim can post the comic site. However, this confirmation could also result in posting about the same on the victim's wall. The reason for this bug is that the XFO response header is not set upon a mobile FB user logs into the site.

The interesting part is that the Facebook bug bounty team didn’t count this vulnerability as a privacy/security threat. So, the issue might still be persisting. 

If you are an FB user and want to guard against such scams, it is better to avoid clicking suspicious links. Or, if it's a legit-looking link, then too, you must copy the link, analyze it, and then use it.

How can I prevent clickjacking?

Fortunately, there several phases that a connection can take to get its workers, clients, and different accessories from a clickjacking assault. These insurances are commonly tried by the web progress bundle, as they are worker driven and require some coding and information on the worth of the web.

  • Prevent Framing

A blueprint can be set up to impede delineating or the republishing of the site page's substance in a HTML holder on another page. This is known as a Content Security Policy (CSP), which can fill in as the central guardian in the assumption for a clickjacking assault. The CSP basically allows just certain web assets, as JavaScript and CSS, that the customer program can apply.

  • X-Frame-Options

Regardless called a X-Frame-Options, this technique depends upon the reaction header—or code used to show whether a program ought to be permitted to pass on a page in a bundling, as an expansion, or as a thing—when site pages are pushed through the program. The header gives the site manager request over the utilization of iframes or things. With this additional code in the header of a site page, the site manager can pick whether the circuit of a site page inside an edge can be obstructed.

X-Frame was first made for Internet Explorer 8, and it isn't reliable across all tasks. The web progress social occasion ought to consider this while executing X-Frame-Options.

When utilized together, a CSP and X-Frame-Options can fill in as a solid insurance from against a clickjacking assault.

  • Add Framekiller to site

A framekiller, regardless called a framebuster or framebreaker, looks like the X-Frame Option and is a piece of JavaScript code that keeps portions of a site page from being stacked into and shown in a bundling. The JavaScript code upholds whether the current window is the fundamental window. If it isn't the fundamental window, the page is deterred from being shown.

  • Content Security Policy (CSP)

Content Security Policy (CSP) is a region and revultion structure that gives balance against assaults like XSS and clickjacking. CSP is routinely executed in the web worker as a return header of the plan:

Content-Security-Policy: technique

where framework is a line of procedure orders confined by semicolons. The CSP gives the customer program data about allowed wellsprings of web assets that the program can apply to the affirmation and impedance of poisonous practices.

The embraced clickjacking attestation is to consolidate the edge models order in the application's Content Security Policy. The edge begetters 'none' demand is close in direct to the X-Frame-Options deny request. The edge precursors 'self' demand is broadly like the X-Frame-Options sameorigin request. The going with CSP whitelists edges to a tantamount space so to speak:

Content-Security-Policy: design harbingers 'self';

Of course, showing can be confined to named regions;

Content-Security-Policy: design precursors common website.com;

To be staggering against clickjacking and XSS, CSPs need watchful turn of events, execution and testing and ought to be utilized as a component of a multi-facet screen system.

  • Install program expansions

Some web programs have additional things that keep scripts from running once there is a Hypertext Transfer Protocol (HTTP) demand. With the substance halted abruptly, the cyberattacker's code can't be executed. This is a customer side technique and expects that laborers should introduce an extra on their program. For added assurance, they should introduce the extra on the total of their gadgets.

  • Frame busting scripts

Bundling busting scripts keep your site away from working inside a bundling. Through Javascript additional things, you can show how a program ought to respond when your page is stacked in an edge.

An ordinary bundling buster strategy is to compel the program to reload the offset interference site page at the top window. Along these lines, the pantomime site is stacked on top of the noxious iframe layer.

This development can be prompted with the going with lines of Javascript:


<script>
    in the event that (top != window) {
        top.location = window.location;
    }
</script>

This safeguard can, notwithstanding, be handily stayed away from. The assailant could obstruct the constrained reload endeavor with the going with lines of Javascript:


<script>
    window.onbeforeunload = work() {
        return bogus;
    };
</script>

Another way design busting substance can be stayed away from is by utilizing the HTML 5 iframe sandbox quality.

Here's an outline of the Javascript code:


<iframe id="decoy_webpage" src="https://pantomime website.com" sandbox="allow-scripts award structures permit same-origin"> </iframe>

By obstructing the award top-course trademark, the iframe containing the fake page can't be stacked on top of the ill defined page. With this guard set up, the assailant can allow the program to run scripts and submit structures.

Edge busting scripts are not a proposed secure against clickjacking assaults. Various web programs block format busting Javascript code and the undertakings that don't can be accommodatingly dumbfounded to allow the threatening overlay.

An appraisal by the Standford Web Security Group follows the clickjacking inadequacies of edge busting techniques.

How to add a frame-ancestors directive to your site?

Frame-ancestor is a viable tool to mitigate clickjacking risks and keep the target safe. As a component of CSP (or the Content Security Policy), it is famous for keeping clickjacking and XSS attacks at bay. The approach is useful to have control over content embedding by introducing the iframe or object. 

It’s an HTTP-based response header that is used to figure out permissible dynamic resources for bearing the loads. CSP takes the requested source into consideration for this. When using a clickjacking prevention method, CSP involves replacing the X-Frame-Options directive.

However, this solution won’t work in every browser. You have to give it a try to find out whether the browser you use generally is supportive of this prevention technique.  

Follow the below-mentioned steps to introduce frame ancestors in the directives.

For Apache

  • Step #1: Begin with enabling the mod_headers with the help of the ‘sudo a2enmod headers’ command.
  • Step #2: Enter the‘ sudo service apache2 restart’ command to restart Apache.
  • Step #3: Next, you must edit one of these two, httpd.conf and apache.conf, so that frame-ancestors can be easily introduced.
  • Step #4: Use the ‘frame-ancestors 'none’;’ command to direct header set content to reject inputs from every source.
  • Step #5: Now, only allow self-source inputs with the help of theframe-ancestors 'self';’ command.
  • Step #6: Permit the inputs from specific domains via ‘frame-ancestors ex_1.com ex_2.com ex_3.com;’
  • Step #7: Permits self and specified domains header set with the help offrame-ancestors 'self' ex_1.com ex_2.com ex_3.com;’ command.
  • Step #8: Lastly, restart the Apache to auto-apply the changes made. You will need the ‘sudo service apache2 restart’ command for this action to take place.

For Nginx

The frame-ancestors directive can be easily introduced by editing the concerned website’s configuration file. Below-mentioned the steps will make it done.

  • Step #1: First, deny all the sources using the “add_header set Content-Security-Policy: frame-ancestors 'none';” command.  
  • Step #2: Permit only self source using the “add_header set Content-Security-Policy: frame-ancestors 'self';”
  • Step # 3: Use the add_header set Content-Security-Policy "frame-ancestors ex_1.com ex_2.com ex_3.com;’ command to permit inputs from specific domains.
  • Step #4: Direct Nginx to use self and specified domains. You can make it happen using theadd_header set Content-Security-Policy "frame-ancestors 'self' ex_1.com ex_2.com ex_3.com;’ command.
  • Step #5: To auto-apply the edits and save them for the future restart of the Nginx with the help of the ‘sudo service nginx restart’ command.
FAQ

Subscribe for the latest news