Clickjacking

OWASP 2013-A5 OWASP 2017-A6 CAPEC-103 CWE-1021 WSTG-CLNT-09 WASC-15

Clickjacking is a technique in which an attacker tricks a user into clicking on something other than what the user perceives. That click can reveal confidential information about the user, or allow the attacker to take control of the victim's computer, while the victim believes they are interacting with a seemingly innocuous web page. Attackers stack multiple transparent or opaque layers to trick the user into clicking a button or link. The aim is to make the user click on the malicious page while feeling that they are on the top-level page. The attack can lead to leakage of sensitive information.

If a site has this vulnerability, an attacker can load it, hidden, beneath another page of their own. The attacker can thus trick end users into performing actions on their own behalf, and there is no way to trace those actions back to the attacker later. The issue arises because the user is already authenticated in the hidden page, so the action the user is tricked into performing is carried out with the user's own authentication credentials, to the attacker's benefit.

Impact

A clickjacking attack can steal information about the end user, such as usernames and passwords, and can lead to significant issues such as a data breach affecting end users.

  • Through clickjacking, an attacker can perform Cross-Site Request Forgery (CSRF).
  • The impact of this vulnerability depends on the type of functionality that is affected.
  • An attacker can use clickjacking to disclose an individual's credentials or personal information. This is identity theft, and it is most often seen in banking or eCommerce web applications.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Implement anti-clickjacking headers.
  • Include a framekiller JavaScript snippet, served from the server side.
  • Use X-Frame-Options. The header has the following options:
    • DENY
    • SAMEORIGIN
    • ALLOW-FROM
  • Install the NoScript add-on on the client side.
  • Use GuardedID clickjack protection.
  • Implement domain whitelisting/blacklisting in code.
  • Use drag-and-drop protection together with X-Frame-Options.
  • Don't allow content from the trusted window to be dragged into the calling page.

For Apache: Header always append X-Frame-Options SAMEORIGIN

For Nginx: add_header X-Frame-Options "SAMEORIGIN" always;
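As an added example (not Beagle's own code), the snippet below builds the response headers for each of the three X-Frame-Options values listed above and audits a captured set of response headers to decide whether an arbitrary third-party site could frame the page. The function names and the SAMPLE_RESPONSES data are constructed for this illustration.

```javascript
// Build the anti-clickjacking headers for one X-Frame-Options policy.
// ALLOW-FROM is included because the page lists it, but current browsers
// ignore it, so the equivalent CSP frame-ancestors directive is sent too.
function antiClickjackingHeaders(policy, allowedOrigin) {
  const p = String(policy).toUpperCase();
  if (p === 'DENY') {
    return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (p === 'SAMEORIGIN') {
    return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  if (p === 'ALLOW-FROM') {
    if (!allowedOrigin) throw new Error('ALLOW-FROM needs an origin');
    return { 'X-Frame-Options': `ALLOW-FROM ${allowedOrigin}`, 'Content-Security-Policy': `frame-ancestors ${allowedOrigin}` };
  }
  throw new Error(`unknown X-Frame-Options policy: ${policy}`);
}

// Case-insensitive lookup: HTTP header names are case-insensitive
// (the Nginx line above spells the header in lower case).
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns { frameable, reason }; frameable is true when any third-party
// origin could embed the page in an iframe.
function auditFrameability(headers) {
  const csp = header(headers, 'Content-Security-Policy') || '';
  const fa = csp.match(/(?:^|;)\s*frame-ancestors\s+([^;]+)/i);
  if (fa) {
    // When frame-ancestors is present browsers ignore X-Frame-Options.
    const tokens = fa[1].trim().split(/\s+/);
    const open = tokens.some((t) => t === '*' || /^https?:$/i.test(t));
    return { frameable: open, reason: `CSP frame-ancestors ${tokens.join(' ')}` };
  }
  const xfo = header(headers, 'X-Frame-Options');
  if (xfo === undefined) return { frameable: true, reason: 'no X-Frame-Options and no frame-ancestors' };
  const v = xfo.trim().toUpperCase();
  if (v === 'DENY' || v === 'SAMEORIGIN') return { frameable: false, reason: `X-Frame-Options ${v}` };
  if (v.startsWith('ALLOW-FROM')) return { frameable: true, reason: 'ALLOW-FROM is ignored by current browsers' };
  // Anything else (e.g. "DENY, SAMEORIGIN" produced by appending twice) is ignored by browsers.
  return { frameable: true, reason: `unrecognised X-Frame-Options value "${xfo}" is ignored` };
}

// Constructed sample responses, as a scanner or curl -I might capture them.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  nginxStyle: { 'x-frame-options': 'SAMEORIGIN' },
  allowFromOnly: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspOpen: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors *" },
};
```

Running auditFrameability over each entry of SAMPLE_RESPONSES shows that only the SAMEORIGIN response is safe; the ALLOW-FROM-only and open frame-ancestors responses remain frameable.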
