What is Clickjacking Form Input Vulnerability?

In a clickjacking attack, the user is deceived into interacting with a UI element they cannot see. The attacker builds a malicious website with carefully placed visual components; the user is enticed to click on them but actually clicks on an element belonging to a different website.

Jeremiah Grossman and Robert Hansen coined the term clickjacking (click + hijacking) while investigating an Adobe Flash vulnerability. The technical term for the broader family of similar attacks is user interface redress (UI redress attack). Clickjacking takes several forms, including likejacking (stealing Facebook likes) and cursorjacking. Although clickjacking has been known since 2002, it has only been recognized as a web application security risk since 2008.

Clickjacking targets both the user and another website or web application. The immediate victim is the user; the website or web application is used as the tool. To protect against clickjacking, ensure that your website or web application cannot be used as that tool.

There are several clickjacking methods. Here are some examples of the techniques attackers use to deceive the user:

  • The attacker places an invisible iframe (transparent overlay) over the malicious page and loads the tool page inside that overlay. The malicious page shows a graphic element that entices the visitor to click, for example something that resembles a video player with a play button in the center. The user clicks on the play symbol but, because of the overlay, actually clicks on a UI element of the tool page.
  • The attacker creates a 1×1-pixel iframe that moves together with the mouse pointer. Because of its size and placement (hidden under the tip of the cursor), this frame is practically undetectable. Wherever the user clicks, they activate whatever is loaded and positioned inside this 1×1 frame.
  • Cropping lets the attacker reuse pieces of the tool page on the malicious website. They might, for example, build an iframe that shows only the Submit button of the tool page.

Clickjacking Prevention

As the owner of a website or web application, you must ensure that your web assets cannot be used in a clickjacking attack. Several techniques are available, and you can combine them for complete coverage. They are listed below in order of preference.

Content-Security-Policy: frame-ancestors

Content-Security-Policy (CSP) is an HTTP response header. Its original purpose was to prevent Cross-site Scripting (XSS) attacks, but it now also includes the anti-clickjacking frame-ancestors directive. This directive lists the parent pages that are allowed to embed the page, and so controls how other sites can embed it. Embedding control covers the following tags: <frame>, <iframe>, <embed>, <object>, and <applet>.

How to Implement the CSP Frame-Ancestors Directive

The frame-ancestors directive is honored only when Content-Security-Policy is sent as an HTTP response header; it cannot be set in a <meta> tag. The best approach is to configure your web server to add the header automatically to every page it serves. frame-ancestors is only one of the many directives you can use.

This is an example of the CSP frame-ancestors directive. It allows the page to be embedded only by itself ('self') and by pages on any zofixer.com subdomain (host sources such as *.zofixer.com are written without quotes; a quoted host is not a recognized source expression and browsers ignore it):

Content-Security-Policy: frame-ancestors 'self' *.zofixer.com;

The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
