Explainer Series: What is Clickjacking?

Clickjacking

Here we go, another online trap ready to ensnare unsuspecting – well, until now anyway – users. As if phishing, cryptojacking, credential stuffing and old-school scamming weren’t enough, folks really just can’t catch a break these days. Anyway, we’re here to chat about clickjacking, for those of you who aren’t 100% sure what to keep an eye out for…

So, what is Clickjacking exactly?

Clickjacking is an attack – a pretty passive one, but nasty all the same – that takes advantage of a vulnerability found on web platforms running on major browsers. It allows bad actors – not like the ones you find in B-rated flicks, we mean hackers – to change what a website looks like to the user in their browser, without changing the functionality. Basically, they place a fake site or window on top of a real one. So it looks and feels the same as the legitimate site, but folks are actually interacting with a completely different site.

Note: This is not a vulnerability based within the target applications but rather in software running on client machines (i.e. browsers).

Four of the most popular strategies for carrying out a clickjacking attack

  1. Transparent page: The malicious web page embeds a page from another domain to which the user is already authenticated. Since the malicious web page is controlled by the bad actor, they can visually hide parts of the original application from the user, exposing only the specific control elements they want users to interact with, such as buttons or form fields. As a result, the user is interacting with the covered web page through “holes” in the graphical overlay generated by the attacker.
  2. iFrame overlay: Another example is when an attacker carries out the clickjacking attack using a technique called iFrame overlay. The malicious web page includes code that generates a fake UI and an iFrame covering only a part of the legitimate page, giving the impression that this iFrame belongs to the main site. From there, the visitor can be tricked into performing an action on the attacker’s behalf.
  3. JavaScript button: By using JavaScript instead of HTML only, the attack becomes sneakier to deploy since the original UI can be further manipulated in ways that are not possible when using only HTML. For example, the attacker can position the embedded web page in the browser window so that a specific button will always appear under the user’s cursor, forcing them to make the expected action.
  4. Vulnerable applications: The clickjacking vulnerability in Adobe Flash Player has even further implications since attackers can gain access to attached hardware such as webcams and microphones.

What motivates a clickjacking attack?

  • Taking control of a computer or accessing peripheral hardware
  • Publishing a post, liking or following a page on a social network without the user’s knowledge
  • Downloading malware

To get to the point of clickjacking a site, the site will have to be compromised, something Imperva WAF prevents. You should also make sure your site’s resources are sending the proper X-Frame-Options HTTP headers, which would prevent some parts of your site from being framed in other pages or outside your domain.
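
One way to check the header advice above, as an added example that is not part of the original article: it classifies a response's anti-framing headers, and goes beyond the text by also reading the Content-Security-Policy `frame-ancestors` directive, which the article does not mention. The function name, verdict labels and sample responses are constructed for illustration, and it assumes at most one CSP header per response.

```python
# Added example: classify a response's anti-framing headers.
# Verdict labels and the sample responses are constructed for illustration.

def framing_policy(headers):
    """Return (verdict, reason) for a list of (name, value) response headers."""
    xfo, ancestors = [], None
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "x-frame-options":
            # Proxies fold duplicate headers into one comma-joined value.
            xfo += [v.strip().upper() for v in value.split(",") if v.strip()]
        elif lname == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                # Keep the first frame-ancestors directive found in the policy.
                if ancestors is None and parts and parts[0].lower() == "frame-ancestors":
                    ancestors = [p.lower() for p in parts[1:]]

    # An enforced frame-ancestors directive takes precedence over X-Frame-Options.
    if ancestors is not None:
        if ancestors in ([], ["'none'"]):
            return "protected", "frame-ancestors 'none'"
        if any(a in ("*", "http:", "https:") for a in ancestors):
            return "exposed", "frame-ancestors allows any origin"
        return "restricted", "frame-ancestors " + " ".join(ancestors)
    if not xfo:
        return "exposed", "no anti-framing header sent"
    if len(set(xfo)) > 1:
        return "misconfigured", "conflicting X-Frame-Options values"
    if xfo[0] == "DENY":
        return "protected", "X-Frame-Options DENY"
    if xfo[0] == "SAMEORIGIN":
        return "restricted", "X-Frame-Options SAMEORIGIN"
    # ALLOW-FROM is obsolete and ignored by current browsers, like any typo.
    return "exposed", "unsupported X-Frame-Options value: " + xfo[0]


SAMPLES = {  # constructed responses
    "/login": [("X-Frame-Options", "DENY")],
    "/account": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "/widget": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "/news": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for path, hdrs in SAMPLES.items():
        print(path, *framing_policy(hdrs))
```

Pages that return "exposed" or "misconfigured" are the ones to fix first, starting with any that perform state-changing actions for a logged-in user.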