Thursday, June 1, 2017

Clickjacking - Click to Hijack

What is it?


“Clickjacking”, also known as a "UI redress attack", is a malicious technique that consists of deceiving a web user into interacting (in most cases by clicking) with something different from what the user believes they are interacting with.

This happens when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

A client side security issue? What's the harm?


Yes, a “client side” security issue that affects a variety of browsers and platforms.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

This type of attack, which can be used alone or in combination with other attacks, could potentially send unauthorized commands or reveal confidential information while the victim is interacting with seemingly harmless web pages.


Take an example please!


Imagine an attacker who builds a web site that has a button on it that says "click here for a free iPod". However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up the "delete all messages" button exactly on top of the "free iPod" button. The victim tries to click on the "free iPod" button but instead actually clicks on the invisible "delete all messages" button. In essence, the attacker has "hijacked" the user's click, hence the name "Clickjacking".


How does a vulnerable site look when attacked and defended?



If a website is vulnerable, the target web page can be loaded into an iframe. If you see only the test page's own text ("Website is vulnerable to clickjacking!") and nothing inside the iframe, the target probably has some form of protection against clickjacking. It’s important to note that this isn’t a guarantee that the page is totally immune to clickjacking.

What's the Defense?

Methods to protect a web page from clickjacking can be divided in two macro-categories:
  • Client side protection: Frame Busting - Employing defensive code in the UI to ensure that the current frame is the top-level window.
  • Server side protection: X-Frame-Options - Sending the proper X-Frame-Options HTTP response header, which instructs the browser not to allow framing from other domains.
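The following is an added example of the client side "frame busting" category, not code from the original post. It uses the hide-by-default pattern rather than a bare `top.location = self.location` line: the page body starts hidden by a style rule (the element id `antiClickjack` and the function names are this example's own choices) and is only revealed once the script confirms it is the top-level window. The `win` and `doc` parameters stand in for the browser's `window` and `document` so the logic can be exercised with plain objects outside a browser.

```javascript
// Added example (not from the original post): defensive frame-busting code.
// Intended to be placed in <head> together with
//   <style id="antiClickjack">body { display: none !important; }</style>
// so that a framed copy of the page stays blank even if the script is
// prevented from navigating the top window.

// Returns true when the page is not inside any frame.
function isTopLevelWindow(win) {
  return win.top === win.self;
}

// Applies the defence and reports what was decided:
//   'rendered' - top-level window, the hiding style rule was removed
//   'blocked'  - framed, body stays hidden and a bust-out was attempted
function applyFrameBusting(win, doc) {
  const hidingStyle = doc.getElementById('antiClickjack');
  if (isTopLevelWindow(win)) {
    if (hidingStyle && hidingStyle.parentNode) {
      hidingStyle.parentNode.removeChild(hidingStyle);
    }
    return 'rendered';
  }
  try {
    // Classic bust-out: navigate the top window to this page's URL.
    win.top.location = win.self.location;
  } catch (e) {
    // Cross-origin framing can make this throw; the body simply stays hidden.
  }
  return 'blocked';
}

// Browser entry point; skipped when run outside a browser (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameBusting(window, document);
}
```

The hidden-body rule is the part that matters: script-only frame busters can be neutralised by a framing page, whereas a body that is never shown gives the victim nothing to click. Server side headers remain the primary defence; this script is a second layer for browsers or paths where the header is missing.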

X-Frame???

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.
There are three possible values for the X-Frame-Options header:
  • DENY, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need has been identified for framing.
  • SAMEORIGIN, which only allows the current site to frame the content.
  • ALLOW-FROM uri, which permits the specified 'uri' to frame this page. Ex: ALLOW-FROM http://www.example.com
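As an added example of the server side defence (not code from the original post), here is a small Node.js wrapper that stamps X-Frame-Options onto every response of an `http` request handler. The wrapper, the handler name and the validation of the three header values are this example's own design; the response body is a constructed stand-in for a page with a sensitive button.

```javascript
// Added example (not from the original post): set X-Frame-Options on every
// response of a Node.js http handler. Policy names are validated so that a
// typo cannot produce a value browsers would silently ignore.

const VALID_POLICIES = new Set(['DENY', 'SAMEORIGIN', 'ALLOW-FROM']);

// Builds the header value from one of the three documented policies.
function frameOptionsValue(policy, uri) {
  const p = String(policy).toUpperCase();
  if (!VALID_POLICIES.has(p)) {
    throw new Error('invalid X-Frame-Options policy: ' + policy);
  }
  if (p === 'ALLOW-FROM') {
    if (!uri) throw new Error('ALLOW-FROM requires a URI');
    return p + ' ' + uri;
  }
  return p;
}

// Wraps a (req, res) handler so the header is set before any body is written.
function withFrameOptions(handler, policy = 'DENY', uri) {
  const value = frameOptionsValue(policy, uri);
  return (req, res) => {
    res.setHeader('X-Frame-Options', value);
    return handler(req, res);
  };
}

// Constructed page with a sensitive action, the kind of page an attacker
// would want to frame.
function mailboxHandler(req, res) {
  res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
  res.end('<html><body><button>Delete all messages</button></body></html>');
}

// Starts a real server; not invoked automatically. Check the result with
// curl -I http://localhost:8080/ and look for the X-Frame-Options line.
function startServer(port = 8080, policy = 'DENY') {
  const http = require('http');
  return http.createServer(withFrameOptions(mailboxHandler, policy)).listen(port);
}
```

DENY is the safe default for a page that never needs to be framed. ALLOW-FROM is included because the post lists it, but it was only ever honoured by a few browsers; where a specific framing origin must be permitted, the Content-Security-Policy `frame-ancestors` directive is the portable way to express it.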

Use case:

The customer receives the information that their website is vulnerable to clickjacking attacks. They are under pressure and do not have time to develop a solution against that vulnerability. A quick workaround against that is to add the X-FRAME-OPTIONS header with a value set to “DENY” (X-FRAME-OPTIONS: DENY) or “SAMEORIGIN".

Testing:

The first step in discovering if a website is vulnerable is to check if the target web page can be loaded into an iframe. To do this you need to create a simple web page that includes a frame containing the target web page. The HTML code to create this testing web page is displayed in the following snippet:

<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <p>Website is vulnerable to clickjacking!</p>
    <iframe src="http://www.target.site" width="500" height="500"></iframe>
  </body>
</html>
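The iframe page above tells you what one browser did; it does not tell you why. As an added example (not from the original post), the function below classifies a captured set of response headers from the target page, which complements the visual test and explains the "protected but not immune" cases. It assumes header names are lower-cased, as Node's http client reports them, and that a repeated header arrives as one comma-joined string. The sample header sets are constructed for illustration, and the CSP `frame-ancestors` handling goes beyond the post's X-Frame-Options list because browsers give that directive precedence.

```javascript
// Added example (not from the original post): decide from response headers
// whether other origins are prevented from framing the page.

// Returns { protected: boolean, reason: string }.
function classifyFrameProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    // frame-ancestors, when present, overrides X-Frame-Options in browsers.
    const m = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
    if (m) {
      const sources = m[1].trim().toLowerCase().split(/\s+/);
      const openToAll = sources.some((s) => s === '*' || /^https?:$/.test(s));
      if (openToAll) {
        return { protected: false, reason: 'CSP frame-ancestors allows any origin' };
      }
      return { protected: true, reason: 'CSP frame-ancestors ' + sources.join(' ') };
    }
  }

  const xfo = headers['x-frame-options'];
  if (xfo === undefined) {
    return { protected: false, reason: 'no X-Frame-Options header' };
  }
  const values = String(xfo).split(',').map((v) => v.trim().toUpperCase());
  if (values.length > 1) {
    return { protected: false, reason: 'conflicting X-Frame-Options values; browser handling differs' };
  }
  const value = values[0];
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { protected: true, reason: 'X-Frame-Options ' + value };
  }
  if (value.startsWith('ALLOW-FROM ')) {
    return { protected: false, reason: 'ALLOW-FROM is honoured only by some browsers' };
  }
  // Unknown values are ignored by browsers, which is the same as no header.
  return { protected: false, reason: 'invalid X-Frame-Options value ignored: ' + xfo };
}

// Constructed header sets standing in for captured responses.
const SAMPLE_RESPONSES = {
  noHeader: { 'content-type': 'text/html' },
  deny: { 'content-type': 'text/html', 'x-frame-options': 'deny' },
  sameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  allowFrom: { 'x-frame-options': 'ALLOW-FROM http://www.example.com' },
  typo: { 'x-frame-options': 'ALLOWALL' },
  cspWins: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'", 'x-frame-options': 'ALLOWALL' },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *' },
};

// Runs every sample through the classifier and returns name -> verdict.
function auditSamples() {
  const report = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    report[name] = classifyFrameProtection(headers);
  }
  return report;
}
```

A verdict of `protected: true` still only covers framing by other origins; SAMEORIGIN, for example, does nothing if an attacker can already place content on the same site, which is why the post's "not a guarantee of total immunity" caveat stands.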


Where did you read about Clickjack?

https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)

Sunday, August 4, 2013

"Believe what you see and not what you know"

This statement didn't interest me much when I heard it for the first time.

I was a fresher; I was new to handle issues in my project. Trivial issues made me stay back one day. I approached my manager hoping for some kind of help from him. But, he silently left his cubicle making the above mentioned statement. 

I realized that the night was not young anymore and there was only a minute left before the next day began, but I was still working on the issue. I was continuously trying my best to resolve the issue with the knowledge I had, with umpteen futile attempts.

All of a sudden, there seemed to be a ray of hope: I changed my perspective. I tried my luck in the reverse order. I saw the results and started analyzing the cause of them.

I was successful this time. I figured out where I went wrong!

My brain needed an update. The issue was resolved.