Clickjacking is an attack that tricks a user into clicking on an invisible or disguised web page element. Users may unknowingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online as a result of this.
Clickjacking is typically accomplished by displaying an invisible page or HTML element inside an iframe on top of the page that the user sees. The user believes they are clicking on the visible page, but they are actually clicking on an invisible element in the additional page that has been superimposed on top of it.
Clickjacking is a type of interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on other content on a decoy website. Consider the following scenario:
A web user visits a bogus website (possibly via a link in an email) and clicks on a button to win a prize. Unknowingly, they were duped by an attacker into pressing a different, hidden button, resulting in a payment from their account on another site. This is an illustration of a clickjacking attack. The technique is based on the inclusion of an invisible, actionable web page (or multiple pages) containing a button or hidden link, for example, within an iframe.
A CSRF token, which is a session-specific, one-time number or nonce, is frequently used to protect against CSRF attacks. The CSRF token does not prevent clickjacking attacks because a target session is established with content loaded from an authentic website and all requests occur on-domain. CSRF tokens are embedded in requests and sent to the server as part of a normal session. The process differs from a normal user session in that it takes place within a hidden iframe.
A common definition of clickjacking is a type of attack in which the victim clicks on links on a website that they believe is a known, trusted website. However, the victim is unaware that they are clicking on a malicious, hidden website that is overlaid on the known website.
The click can appear innocuous at times. Likejacking occurs when an attacker disguised as a marketer creates a post in order to gain likes on a Facebook page. The click could also initiate more dangerous activity, such as the uninvited download of malware, or it could run JavaScript code that turns on a webcam, collects passwords, or records keystrokes.
Cursorjacking is a variation on clickjacking. In cursorjacking, attackers trick users by adding a custom cursor image that confuses victims into clicking on parts of the page they do not intend to click on.
Victims in more advanced clickjacking scenarios do more than just click. They may even enter usernames, passwords, credit card numbers, and other personal information into what they believe are commonly used sites. Instead, a malicious, hidden website is scraping their information.
Clickjacking is a catch-all term for a collection of attack routes and tactics known as UI redress attacks. Attacks can be classified into two types based on how they use superimposed content. The most common type of attack is an overlay-based attack, and the most common technical approach is to embed websites in invisible iframes.
There are several types of overlay-based Clickjacking.
The transparent-overlay method was used in one of the first high-profile clickjacking attacks, in which users were tricked into granting Flash animations access to the computer's camera and microphone via the Adobe Flash plug-in settings page.
In a cropping attack, the attacker selects only a few controls from the transparent page to overlay on the visible page. Depending on the attack's goal, this could include hiding buttons with invisible hyperlinks to cause them to perform a different action than intended, replacing text labels with misleading instructions, or covering the entire legitimate page with misleading content, leaving only one original button exposed.
The hidden-overlay method was the first clickjacking method demonstrated. The attacker hides a 1x1 pixel iframe containing malicious content behind the mouse pointer, so that the iframe, rather than the visible page, receives any clicks on the affected page.
In click event dropping, the legitimate page is displayed in the foreground, completely covering the malicious page in the background, and the click event on the foreground page is suppressed. The attacker sets the CSS pointer-events property of the top, legitimate layer to none, causing click events to "drop" through the legitimate page overlay and only register on the malicious page below.
In rapid content replacement, the targeted controls are hidden behind opaque overlays, which are removed for a fraction of a second to register the click and then replaced. This requires the attacker to predict the exact time of the victim's click, but it is easier than it sounds for someone familiar with computer users' habits and psychology.
Even when no overlay is used, attackers can persuade users to click on unexpected controls using a variety of techniques.
The attacker slides a legitimate dialogue box or other web page element partially off the screen, hiding some of the user's controls. A warning dialogue, for example, could be slid off the screen, leaving only the OK and Cancel buttons visible, with the attacker inserting harmless prompt text to make it appear as if the buttons apply to this message rather than a warning.
The attacker must quickly relocate a trusted dialogue (or another UI element) under the cursor to carry out this attack. Simultaneously, the victim is preoccupied with clicking on other, seemingly innocuous elements. If this works, the user will unconsciously click the replaced control before realizing what has happened. To avoid detection, the attacker may quickly move the dialogue away again after the click, similar to the rapid content replacement described above.
While most clickjacking attacks focus on intercepting clicks, drag-and-drop vulnerabilities can be used to trick users into performing actions such as filling out online forms by dragging unseen text into invisible text fields or providing sensitive personal information to the attacker.
You can defend your website against clickjacking attacks via client-side or server-side prevention.
How to Prevent Clickjacking Attack
There are three main methods of clickjacking prevention on the client side, all of which are browser-related.
While you cannot control which browsers your users use, most modern browsers already support the Intersection Observer API. The visibility of target elements can be determined using this JavaScript API. It tells a web page whether a particular component of the page, or the entire page, is visible to the user. This knowledge can be used to determine whether a web page's content is visible to the user (even if contained within an iframe).
There are also a few browser add-ons designed to protect against clickjacking, such as NoScript and NoClickjack. These add-ons are not compatible with all browsers, but their popularity is growing.
The practice of using JavaScript to prevent a web page from loading in a frame is known as frame busting. It works even in older browsers that don't support newer methods like the Intersection Observer API, the X-Frame-Options header, or Content Security Policy.
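The following is an added example, not code from the original article: a defensive frame-busting helper of the kind the paragraph above describes, paired with the X-Frame-Options and Content Security Policy response headers a server would send so that modern browsers refuse to frame the page at all. The `win` and `doc` parameters stand in for the browser's `window` and `document` so the logic can also be exercised against constructed objects.

```javascript
// Added example, not code from the original article: a defensive
// frame-busting helper plus the server-side headers that make framing
// opt-in. `win` and `doc` stand in for the browser's window/document so
// the logic can also run against constructed objects outside a browser.

// Is this document rendered inside a frame? Cross-origin access to `top`
// may throw in real browsers, which itself proves we are framed.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

// Frame busting: the page ships with <style>body{display:none}</style>
// and only reveals itself once it is confirmed to be the top-level page.
// Navigating `top` can be blocked (e.g. sandboxed iframes), so keeping
// the body hidden, not the navigation attempt, is the real protection.
function applyFrameBusting(win, doc) {
  if (isFramed(win)) {
    try {
      win.top.location = win.self.location; // attempt to break out
    } catch (e) {
      // navigation refused; the body simply stays hidden
    }
    return 'hidden';
  }
  doc.body.style.display = 'block';
  return 'visible';
}

// Server side: headers telling browsers not to render this page inside
// frames except from allowed origins. CSP frame-ancestors takes
// precedence where supported; X-Frame-Options covers older browsers but
// cannot express third-party allow-lists, so it falls back to SAMEORIGIN.
function antiFramingHeaders(allowedOrigins = []) {
  const ancestors = allowedOrigins.length
    ? ["'self'", ...allowedOrigins].join(' ')
    : "'none'";
  return {
    'X-Frame-Options': allowedOrigins.length ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
  };
}
```

The header-based defense is the one to rely on; the script only covers browsers that understand neither header.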
Install a strong email spam filter and keep it in use. A clickjacking attack typically begins by tricking a user into visiting a malicious website via email. This is primarily accomplished through the use of forged or specially crafted emails that appear to be completely authentic.
By blocking unauthorized emails, you reduce a potential attack vector for clickjacking and a variety of other attacks. You must notify your employees that this measure has been implemented so that they check their junk mail on a regular basis.
Some of the most common examples of clickjacking attacks are:
The classic attack was previously described. It entails creating a legitimate-appearing website and embedding a malicious or legitimate (but vulnerable) website in an invisible iframe. The attacker then uses social engineering to trick the victim into clicking on the malicious or legitimate but undesirable element.
A legitimate but undesirable element would be something like Amazon's 1-click purchase button, used to make an unwanted purchase. It could also be a malicious element that downloads a malicious script into your browser. In either case, the victim thinks they're claiming their prize or clicking on an enticing photo on a legitimate-looking and visible website.
Likejacking is a very common type of UI redress attack that involves stealing Facebook likes. Likejacking works in the same way as the classic clickjacking attack.
However, it deceives Facebook users into "liking" things they did not intend to. The invisible iframe contains the attacker's Facebook page. As a result, the user is unaware that they are clicking the attacker's invisible "Like" button. This attack is known to have occurred in Italy in 2011.
Cursorjacking is the act of moving the cursor away from where the victim perceives it to be. A typical cursorjacking attack replaces the real cursor with a fake one created from an image and offsets it from the real cursor's location. The attacker can trick the victim into clicking elements they never intended to click by cleverly positioning elements.
When the victim uses the fake cursor to click an intended element, the real cursor, which is offset from the fake one, actually clicks a malicious element. In a cursorjacking attack, the real cursor may still be visible. However, efforts are made to divert the victim's attention away from it and toward the fake one.
Cookiejacking is a UI redress attack in which the victim's cookies are stolen. Once the attacker has obtained the cookies, they can read the information contained within them and impersonate the victim.
Typically, this is accomplished by duping the victim into dragging and dropping an element on the page. In reality, they are selecting the contents of their cookies on the embedded invisible page and handing them over to the attacker.
In a file jacking attack, the attacker takes advantage of web browsers' ability to navigate the computer's file system. As an example, consider uploading a photo to social media: you navigate your file system using the file browser window that appears. In a file jacking attack, clicking the 'Browse Files' button (or whatever your browser calls it) creates an active file server, potentially giving the attacker access to your entire file system.
That's all there is to it. Clickjacking is a particularly nasty attack. Visitors and website administrators, thankfully, have a defense. However, nothing is perfect. So keep an eye out.