Clickjacking

Introduction

Clickjacking, also known as "UI redress attack", is a type of web vulnerability that allows an attacker to trick a user into clicking on a button or link on a webpage that performs an unintended action. This is achieved by overlaying the victim's screen with a transparent layer, or iframe, that contains the malicious content. The victim is usually unaware that they are interacting with the malicious content, as it appears to be a legitimate button or link on the page.

Testing the attack

To check whether a website is vulnerable to this kind of attack, you need to determine whether one of the following mechanisms is implemented.

X-Frame-Options

X-Frame-Options is a header that can be used to indicate whether a webpage can be loaded inside an iframe. By setting the X-Frame-Options header to "deny", a website can prevent itself from being loaded inside an iframe on another site. This can help to protect against clickjacking attacks, as the attacker will not be able to use an iframe to overlay the victim's screen with malicious content.

In addition, framing can be restricted to pages from the same website by using the sameorigin directive, or to a specific website using the allow-from directive. Note that allow-from was never widely implemented and is ignored by current browsers, so it offers no protection; the CSP frame-ancestors directive described below is the supported way to allow specific origins.

X-Frame-Options: allow-from https://example.com

Content Security Policy (CSP)

Content-Security-Policy is a header that can be used to specify a list of trusted sources for various types of content, such as scripts, stylesheets, and images. By specifying a strict Content-Security-Policy, a website can prevent itself from loading untrusted content, including content that could be used in a clickjacking attack.

The header has the form Content-Security-Policy: policy, where policy is a string of policy directives separated by semicolons. The CSP provides the client browser with information about permitted sources of web resources, which the browser can apply to the detection and interception of malicious behaviours.

The recommended clickjacking protection incorporates the frame-ancestors directive in the application's Content Security Policy. The frame-ancestors 'none' directive is similar in behaviour to the X-Frame-Options deny directive. The frame-ancestors 'self' directive is broadly equivalent to the X-Frame-Options: sameorigin directive. The following CSP whitelists frames to the same domain only:

Content-Security-Policy: frame-ancestors 'self';

Alternatively, framing can be restricted to named sites:

Content-Security-Policy: frame-ancestors normal-website.com;
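As an added example (not part of the original page), the following Python check evaluates the two headers discussed above the way a clickjacking test would: it reports whether third-party framing is blocked and flags the cases a quick glance misses, namely a frame-ancestors directive that only appears in a Report-Only policy, a permissive frame-ancestors list that makes browsers ignore a strict X-Frame-Options, and the unsupported allow-from value. It consumes the (name, value) header pairs of an HTTP response, so it runs offline against captured headers.

```python
"""Added example, not from the original page: classify a response's
anti-framing headers as a clickjacking test would. Input is the list of
(name, value) header pairs of an HTTP response; no network access needed."""
from typing import Iterable, List, Optional, Tuple

# Source expressions that let any origin frame the page.
PERMISSIVE = {"*", "http:", "https:", "http://*", "https://*"}

def frame_ancestors_sources(policy: str) -> Optional[List[str]]:
    """Return the source list of a frame-ancestors directive, or None if absent.
    An empty list is valid and means the same as 'none'."""
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def framing_protection(headers: Iterable[Tuple[str, str]]) -> dict:
    """Return {'protected': bool, 'mechanism': str|None, 'notes': [str]}."""
    notes, xfo, enforced = [], None, []
    for name, value in headers:
        lname = name.lower()
        if lname == "content-security-policy":
            sources = frame_ancestors_sources(value)
            if sources is not None:
                enforced.append(sources)
        elif lname == "content-security-policy-report-only":
            if frame_ancestors_sources(value) is not None:
                notes.append("frame-ancestors is only in a Report-Only policy; nothing is blocked")
        elif lname == "x-frame-options":
            xfo = value.strip().lower()

    # When any enforced policy carries frame-ancestors, browsers ignore
    # X-Frame-Options entirely, so a permissive CSP overrides a strict XFO.
    if enforced:
        if any(not any(s.lower() in PERMISSIVE for s in srcs) for srcs in enforced):
            return {"protected": True, "mechanism": "csp", "notes": notes}
        notes.append("every frame-ancestors directive allows any origin; X-Frame-Options is ignored")
        return {"protected": False, "mechanism": "csp", "notes": notes}

    if xfo in ("deny", "sameorigin"):
        return {"protected": True, "mechanism": "x-frame-options", "notes": notes}
    if xfo is None:
        notes.append("no anti-framing header: the page can be framed by any origin")
    elif xfo.startswith("allow-from"):
        notes.append("allow-from is not supported by current browsers; use frame-ancestors")
    else:
        notes.append(f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers")
    return {"protected": False, "mechanism": None, "notes": notes}
```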

Proof of Concept

If none of the previous server-side mechanisms is applied, then the webpage can be vulnerable to clickjacking.

Here's an example of how a clickjacking attack might work:

  1. The attacker creates a webpage that contains a transparent iframe overlaid on top of a legitimate webpage. This can be achieved by using the Burp Suite tool Clickbandit.

  2. The victim navigates to the attacker's webpage, which appears to be a legitimate site.

  3. The victim clicks on a button or link on the page, believing they are performing a legitimate action.

  4. However, the transparent iframe captures the victim's click, and uses it to perform an unintended action, such as liking a post on a social media site or making a purchase.
