
Clickjacking (aka. UI Redressing)

Clickjacking is an attack that takes advantage of a vulnerability found in various Web platforms from the major browsers, which allows attackers to alter a Web site’s visual display to the user in the browser while preserving its functionality. Specifically, clickjacking involves generating a fake graphical overlay on top of an existing Web page in order to visually change the Web page while preserving its functionality (buttons, forms, etc.). This is done with the intention of misleading users into interacting with the hidden Web page while they believe they are interacting with a completely different Web site.

Detailed Description

The clickjacking attack has many variants; each one uses a different technique to exploit the same vulnerability. This vulnerability, which allows attackers to alter a Web site’s visual display to the user in the browser while preserving its functionality, is inherent in various Web platforms, from the major browsers, IE and Firefox, to extensions such as Adobe Flash Player. It is important to note that this is not a vulnerability in the target applications but rather in software running on client machines (i.e. browsers).

In the clickjacking attack, an attacker sets up a Web page on a domain under the attacker’s control. The malicious Web page embeds a page from another domain to which the user is already authenticated. Since the malicious Web page is controlled by the attacker, the attacker can visually hide parts of the original application from the user and expose only the specific control elements, such as buttons or form fields, that the attacker wants the user to interact with. As a result, the user interacts with the covered Web page through “holes” in the graphical overlay generated by the attacker.

Here is an example of a clickjacking attack:

In this example, the attacker carries out the clickjacking attack using a technique called IFrame overlays. In this technique, the malicious Web page includes code that generates the fake UI and an IFrame that points to an email application on a different domain. When the two are combined, the top-level page covers portions of the IFrame in order to expose only the “Yes” button, and the user can easily be tricked into deleting all messages in their inbox.

Other techniques are also available to attackers for carrying out clickjacking attacks.

Some examples are:

  1. JavaScript - By using JavaScript this attack becomes easier to deploy, since the original UI can be further manipulated in ways that are not possible when using only HTML. For example, the attacker can move the embedded Web page with respect to the browser window so that a specific button is always under the user’s mouse cursor.
  2. Flash - The clickjacking vulnerability in Adobe Flash Player has even further implications since attackers can gain access to attached hardware such as Web cameras and microphones.


The main risk posed by the clickjacking attack is the ability to bypass nonce-based CSRF defenses, which are considered the most robust protection against CSRF attacks. This defense involves adding a nonce to each transaction. The value of the nonce attached to the request is validated against the value issued for the specific user session. Thus, an attacker cannot embed a URL representing a valid transaction in a page under the attacker’s control. However, in the clickjacking attack the user interacts directly with the target Web page, so every transaction includes a valid nonce and the attack goes undetected.

Clickjacking Attack Mitigation

Since the vulnerability that allows clickjacking attacks resides in client software and not in Web applications, there is no complete solution other than fixes to the vulnerable platforms themselves. One countermeasure that can be applied in some cases is preventing a Web page from being framed. This is done by embedding frame-busting code in the Web page, for example:

if (top != self)
{
  // The page is embedded in a frame: replace its content with an error
  // instead of rendering the real UI underneath an attacker's overlay.
  document.body.innerHTML = "This page cannot be displayed inside a frame.";
}

This code replaces the page content with an error message when the Web page is embedded in a frame. However, this solution has the obvious disadvantage for Web sites that legitimately rely on frames.
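The snippet above has two practical gaps: a site that legitimately frames its own pages cannot use it, and a simple `top != self` check gives no sensible answer when the framing page is on another origin (reading `top.location` then throws a SecurityError). The following is an added example, not code from the Imperva glossary, that extends the frame-busting idea with an allowlist of framing origins and treats an unreadable parent as hostile. The function names, the `allowedOrigins` parameter and the mock window/document objects used for the demonstration are assumptions made for this illustration.

```javascript
// Added example: hardened frame-busting guard with an origin allowlist.
// Not part of the original glossary page; names and mocks are constructed.

// Returns true when `win` is rendered inside a frame whose top-level
// origin is not in `allowedOrigins`. A cross-origin parent makes
// `win.top.location` throw, which we deliberately treat as untrusted.
function isFramedByUntrusted(win, allowedOrigins) {
  if (win.self === win.top) {
    return false; // top-level document, not framed at all
  }
  try {
    const topOrigin = win.top.location.origin;
    return !allowedOrigins.includes(topOrigin);
  } catch (e) {
    return true; // parent origin unreadable: assume an attacker's page
  }
}

// Hardened form of the page's snippet. It assumes the document's own
// stylesheet hides <body> by default (e.g. body { display: none }), so
// the real UI only appears if this script runs and finds no hostile frame.
// Returns "shown" or "blocked" so the decision can be checked.
function revealIfSafe(win, doc, allowedOrigins) {
  if (isFramedByUntrusted(win, allowedOrigins)) {
    doc.body.innerHTML = "This page cannot be displayed inside a frame.";
    doc.body.style.display = "block";
    return "blocked";
  }
  doc.body.style.display = "block"; // no hostile frame: reveal the page
  return "shown";
}

// Constructed mock windows standing in for real browser objects so the
// logic can be exercised outside a browser.
function makeMocks() {
  const topWin = { location: { origin: "https://app.example" } };
  topWin.self = topWin;
  topWin.top = topWin;

  // Framed by a page on the same (trusted) origin.
  const sameOriginChild = { top: topWin };
  sameOriginChild.self = sameOriginChild;

  // Framed by a page on another origin: location access throws.
  const hostileTop = {
    get location() { throw new Error("SecurityError"); },
  };
  const crossOriginChild = { top: hostileTop };
  crossOriginChild.self = crossOriginChild;

  const newDoc = () => ({ body: { style: {}, innerHTML: "" } });
  return { topWin, sameOriginChild, crossOriginChild, newDoc };
}

// Demonstration when run directly (node): prints each decision.
if (typeof require !== "undefined" && require.main === module) {
  const m = makeMocks();
  const allowed = ["https://app.example"];
  console.log("top-level:", revealIfSafe(m.topWin, m.newDoc(), allowed));
  console.log("same-origin frame:", revealIfSafe(m.sameOriginChild, m.newDoc(), allowed));
  console.log("cross-origin frame:", revealIfSafe(m.crossOriginChild, m.newDoc(), allowed));
}
```

Hiding the body in CSS and revealing it from script matters because an attacker who manages to suppress script execution inside the frame would otherwise see the protected page render normally; with the hide-by-default stylesheet, no script means no visible UI. In current browsers the server-side equivalents of this check are the X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which the browser enforces without relying on page script.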

Although the clickjacking attack can overcome most CSRF protections, SecureSphere’s integrated CSRF protection is not compromised. CSRF protection in SecureSphere is based on its dynamic profiling mechanism, which allows SecureSphere to detect and block authenticated requests to internal resources that originate from suspicious domains.