Nexix Security Labs
Clickjacking Attacks and How to Prevent Them
Clickjacking is a technique that deceives users into believing they are clicking on one thing when they are actually clicking on something else. The term "User Interface (UI) redressing" is a better description of what is going on: the user believes they are interacting with the visible UI of a web page, but a concealed UI, typically the target site loaded in a transparent iframe layered over a decoy, is the one receiving the click. In other words, the UI has been redressed, and the hidden UI performs a different action when the user clicks something they believe is harmless.
Clickjacking is not the attack's end goal; it is just a way to get people to think they are doing something safe while they are actually doing something dangerous. The real attack can be anything that can be triggered through a web page while the victim is logged in. This ranges from criminal behaviour such as installing malware or stealing credentials to more benign activities like inflating click counts on unrelated sites, increasing ad revenue, adding Facebook likes or increasing YouTube video views.
Types of Clickjacking Attacks
The attack takes on several names depending on what the hidden click is made to do. The following are common variations:
Likejacking: An attack that captures user clicks and routes them to a hidden "Like" button on a Facebook page or another social media network.
Cookiejacking: The user is persuaded to interact with a UI element, for example through drag and drop, in a way that hands the attacker cookies stored in the browser. With a session cookie, the attacker may be able to act on behalf of the user on the target website.
Filejacking: The user is tricked into an action (such as choosing a folder in a file dialog) that gives the attacker's page access to their local file system and allows the attacker to grab files.
Cursorjacking: This technique displaces the cursor from where the user sees it to a different location on the page, so the user believes they are clicking one element while actually clicking another.
Password manager attacks: These attacks trick password managers into auto-filling credentials into a hidden or disguised form that the attacker controls.
Defenses against Clickjacking
What are X-Frame-Options?
The X-Frame-Options HTTP response header is the older of the two standard defenses. It lets an application declare whether framing is banned outright (the DENY value) or permitted only from the same origin (the SAMEORIGIN value). A third value, ALLOW-FROM, was meant to whitelist a single external origin, but it is obsolete: current browsers do not support it and ignore the header when they encounter it, which leaves the page unprotected. The header cannot express a list of allowed origins, and because it is only checked by the browser, it protects nothing on clients that do not honour it.
X-Frame-Options values that could be used:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/ (obsolete; not honoured by current browsers)
What is Content Security Policy(CSP)?
Content Security Policy (CSP) and its frame-ancestors directive are the more recent and more flexible defense against clickjacking. Like X-Frame-Options, the directive lets the application developer ban all framing or designate where it is allowed, but it can also list several permitted origins and use wildcards such as *.example.com. frame-ancestors is supported by all current major browsers; very old browsers and some browser plugins or add-ons may not enforce it. When both the X-Frame-Options header and a CSP frame-ancestors directive are present, browsers that understand frame-ancestors are required to ignore X-Frame-Options and enforce the CSP, so the two should always agree.
CSP frame-ancestors options include (note that host names are written without quotes; only the keywords 'none' and 'self' are quoted):
Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: frame-ancestors 'self'
Content-Security-Policy: frame-ancestors https://example.com
Defense-in-depth is an excellent practice because neither of these defenses is flawless on every client, and there is nothing wrong with sending both headers on your website, as long as their values agree.
For more information visit us on: www.nexixsecuritylabs.com
To schedule an audit you can contact us at: email@example.com
Your Security | Our Concern