What is Clickjacking?
Clickjacking, also known as a "UI redress attack" or "user-interface spoofing," is a malicious technique in which a user is tricked into clicking on something different from what they perceive, letting an attacker manipulate the user's actions on websites or applications.
How It Works
Clickjacking involves overlaying invisible or transparent elements on legitimate web pages, tricking users into clicking on buttons, links, or ads without their knowledge or consent. The process typically involves the following steps:
Preparing the Page:
The attacker creates or modifies a webpage, overlaying invisible or transparent elements on top of the legitimate content. These elements are carefully positioned to cover specific buttons, links, or other interactive elements.
Tempting the User:
The attacker entices the user to visit the manipulated webpage through various means, such as social engineering techniques, enticing content, or misleading advertisements.
Deceptive User Interface:
When the user accesses the webpage, they see the legitimate content as expected. However, unbeknownst to them, hidden elements are strategically placed over certain interactive components.
User Interaction:
The user, believing they are interacting with the visible content, performs actions such as clicking buttons, links, or even dragging objects on the webpage.
Hidden Actions:
Unbeknownst to the user, their clicks or actions are actually being performed on the hidden elements rather than the visible interface. These hidden elements can trigger unintended actions or perform malicious activities without the user's knowledge or consent.
The goal of clickjacking is to trick users into unwittingly performing actions that benefit the attacker. These actions can vary depending on the attacker's objectives and the specific context of the attack. Some common objectives include:
- Redirecting the user to malicious websites or phishing pages.
- Stealing sensitive information, such as login credentials or personal data.
- Manipulating social media interactions, such as liking posts or sharing content.
- Initiating downloads of malware or unwanted software.
- Making unintended purchases or transactions on e-commerce platforms.
Types of Clickjacking Attacks:
There are several types of clickjacking attacks that cybercriminals can employ to deceive users and manipulate their actions. Here are some common types:
1. Likejacking
In a likejacking attack, the attacker hides a "Like" button for a social media post or page behind a disguised element, such as an image or a play button. When users try to interact with the visible element, their click is actually registered on the hidden "Like" button, causing them to unwittingly promote or share the attacker's content.
2. UI Redressing
UI redressing involves overlaying invisible or transparent elements on a webpage to mislead users into interacting with hidden elements instead of the visible interface. By carefully positioning these elements, attackers can trick users into clicking on buttons, links, or other interactive elements that perform unintended actions, such as initiating downloads or submitting sensitive information.
3. Cursorjacking
Cursorjacking is a type of clickjacking attack that manipulates the user's cursor or pointer. The attacker overlays invisible or transparent elements on a webpage so that the pointer the user sees is offset from the position where clicks actually land. When the user tries to click on an element, they end up clicking on a different element altogether, potentially triggering unwanted actions or redirections.
4. Dragjacking
Dragjacking involves deceiving users into dragging and dropping elements on a webpage, usually through an enticing visual representation. However, the dragged element is actually hidden or disguised, and the user unknowingly drops it onto a different element or performs unintended actions.
Preventing Clickjacking Attacks:
Preventing clickjacking attacks requires a combination of user awareness and implementation of security measures. Here are some preventive measures that can help protect against clickjacking attacks:
Implement Frame Busting Code:
Website owners can include frame busting code in their web pages. This is JavaScript that detects when the page has been loaded inside an iframe and breaks out of it, blocking clickjacking attempts in browsers where it runs. It should be combined with the X-Frame-Options header or the newer Content-Security-Policy header, both of which are HTTP response headers sent by the server rather than markup in the page's HTML.
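An added example, not code from the original article, of frame-busting code in the "hide, then reveal" form: the page is assumed to start with a stylesheet element whose id is antiClickjack (an assumed name) that hides the body, and the script removes that stylesheet only once it has confirmed the page is the top-level document; otherwise it navigates the top-level window to its own URL and the body stays hidden. The decision logic is split into functions over a window-like object, and the fake window and document objects are constructed stand-ins so the functions can be exercised outside a browser.

```javascript
// Added example (not from the original article): hide-then-reveal frame busting.
// Assumed page structure: a <style id="antiClickjack">body{display:none !important;}</style>
// in <head>, followed by an inline script that calls applyFrameBusting(window, document).

// Decide what to do given a window-like object exposing `self` and `top`.
// In a browser these are the same object only when the page is not framed.
// Returns "reveal" for a top-level document and "break-out" when framed.
function framingDecision(win) {
  return win.self === win.top ? "reveal" : "break-out";
}

// Apply the decision: remove the hiding stylesheet so the page becomes
// visible, or replace the framing page by navigating the top-level window
// to our own URL. Returns the action taken.
function applyFrameBusting(win, doc) {
  const decision = framingDecision(win);
  if (decision === "reveal") {
    const hide = doc.getElementById("antiClickjack");
    if (hide && hide.parentNode) hide.parentNode.removeChild(hide);
  } else {
    // If the framer sandboxes the iframe without allow-top-navigation this
    // assignment is blocked, but the body remains hidden, so there is
    // nothing on screen for a user to be tricked into clicking.
    win.top.location = win.self.location;
  }
  return decision;
}

// Constructed stand-ins for window and document so the logic runs in Node.
function makeFakeWindow(framed) {
  const self = { location: "https://example.test/account" };
  const top = framed ? { location: "https://framing-site.invalid/" } : self;
  return { self, top };
}
function makeFakeDocument() {
  let removed = false;
  const style = { parentNode: { removeChild: () => { removed = true; } } };
  return {
    getElementById: (id) => (id === "antiClickjack" ? style : null),
    wasRevealed: () => removed,
  };
}

// In a browser the call is simply: applyFrameBusting(window, document);
if (typeof window === "undefined") {
  const doc = makeFakeDocument();
  console.log("top-level:", applyFrameBusting(makeFakeWindow(false), doc), "revealed:", doc.wasRevealed());
  console.log("framed:   ", applyFrameBusting(makeFakeWindow(true), makeFakeDocument()));
}
```

The body is hidden by default and revealed only on success so that a framer which blocks the navigation (for example with a sandboxed iframe) is left with a blank frame rather than a clickable page; the response headers described next remain the primary defense, with this script as a fallback for browsers that ignore them.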
Utilize Clickjacking Protection Headers:
Website administrators can implement clickjacking protection headers, such as the X-Frame-Options and Content-Security-Policy headers. These headers define the framing policy for the website, preventing it from being embedded within an iframe at all or allowing only specific trusted origins to frame it.
Use Content Security Policy (CSP):
Content Security Policy is a security mechanism that allows website owners to define the sources from which their web page can load content. Specifying trusted sources for scripts, stylesheets, and other content limits what an attacker can inject, but the directive that addresses clickjacking directly is frame-ancestors, which controls which sites may embed the page in a frame and supersedes X-Frame-Options in browsers that support it.
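An added example, not from the original article, that applies the two headers described above: a checker that reads a response's headers and decides whether an untrusted site could frame the page (honouring the rule that frame-ancestors takes precedence over X-Frame-Options), plus a helper that produces the recommended header pair for a given list of trusted origins. The sample responses and the origin https://partner.example are constructed for this example.

```javascript
// Added example (not from the original article): evaluate framing protection
// from response headers, and produce the recommended headers to send.

// Extract the source list of the frame-ancestors directive from a
// Content-Security-Policy value. Returns an array of source expressions
// (possibly empty, which the spec treats as 'none'), or null if absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// `headers` is a plain object keyed by lower-case header name.
// Returns { protected: boolean, reason: string }.
function evaluateFramingProtection(headers) {
  const ancestors = frameAncestors(headers["content-security-policy"]);
  if (ancestors !== null) {
    // Browsers that understand frame-ancestors use it and ignore
    // X-Frame-Options when both are present, so CSP is checked first.
    const srcs = ancestors.map((s) => s.toLowerCase());
    const open = srcs.find((s) => s === "*" || s === "http:" || s === "https:");
    if (open) {
      const what = open === "*" ? "origin" : open + " host";
      return { protected: false, reason: `frame-ancestors permits any ${what}` };
    }
    if (srcs.length === 0 || srcs.includes("'none'")) {
      return { protected: true, reason: "frame-ancestors forbids all framing" };
    }
    return { protected: true, reason: `framing limited to: ${ancestors.join(" ")}` };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { protected: true, reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // ALLOW-FROM was never supported by all browsers and is now ignored.
    return { protected: false, reason: "X-Frame-Options ALLOW-FROM is obsolete and not enforced" };
  }
  return { protected: false, reason: "no framing restriction in headers" };
}

// The header pair a server should send. With no trusted origins the page may
// not be framed at all; otherwise frame-ancestors carries the allow list and
// X-Frame-Options: SAMEORIGIN is kept as a stricter fallback for browsers
// without CSP support (X-Frame-Options cannot express an allow list).
function recommendedHeaders(trustedOrigins = []) {
  if (trustedOrigins.length === 0) {
    return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
  }
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-ancestors 'self' ${trustedOrigins.join(" ")}`,
  };
}

// Constructed sample responses for this example (not captured from any site).
const SAMPLE_RESPONSES = {
  unprotected: { "content-type": "text/html" },
  legacyOnly: { "x-frame-options": "sameorigin" },
  cspStrict: { "content-security-policy": "default-src 'self'; frame-ancestors 'none'" },
  cspOverridesXfo: { "x-frame-options": "DENY", "content-security-policy": "frame-ancestors *" },
  cspPartner: { "content-security-policy": "frame-ancestors 'self' https://partner.example" },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const verdict = evaluateFramingProtection(headers);
  console.log(`${name.padEnd(16)} protected=${verdict.protected}  (${verdict.reason})`);
}
```

The cspOverridesXfo case is the one worth noticing: an X-Frame-Options: DENY header gives no protection once a Content-Security-Policy with frame-ancestors * is present, because CSP-aware browsers apply only the CSP directive.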
Use Security Plugins or Browser Extensions:
Install reputable security plugins or browser extensions that can detect and block clickjacking attempts. These tools provide an additional layer of defense by actively monitoring and preventing clickjacking attacks.
Overall, clickjacking poses a significant threat to online security, as it relies on deceiving users and manipulating their actions. By understanding this technique and adopting preventive measures, users can better protect themselves from falling victim to clickjacking attacks.