Today, while I was having a cup of coffee on my balcony, my friend called to ask about tomorrow’s CTF plans and other stuff regarding the final season of 13ry. Nvm, it was fine until we started to debate the topic of clickjacking. He asked me whether I knew anything about it. Again, I am not a pro, but I still gave him a lead on some valuable resources he can use to improve his knowledge. That is where I got the idea to include this topic in today’s article. Also, it is part of vulnerability assessment (on humans xp).

What is Clickjacking?

As you might have gathered from the name, clickjacking is the process of hijacking a user’s click on a computer (it can also be used to hijack keystrokes, but “key-stroke-jacking” is a whole lot harder to say). There are a number of ways that this process can take place, but they all have one thing in common: a user thinks they’re clicking on one thing, when in reality, they’re clicking on something else.

Many clickjacking attacks place a transparent user interface over the interface the user expects to see (which is why “UI redressing” is another name for this method). Then, when the user thinks they’re clicking on one thing, they’re actually clicking on something else that they can’t see. You might think you’re clicking on a link that will sign you up for a free service, when you’re actually clicking a button that gives a cybercriminal access to your account.

What can you do to prevent clickjacking?

Unfortunately, there’s not a whole lot you can do to prevent clickjacking unless you’re a website administrator. By far the most commonly recommended method of protecting yourself while you’re browsing is to use NoScript, the Firefox add-on that prevents scripts from loading without specific authorization from you. NoScript has some specific anti-clickjacking features and is really good at detecting the kinds of scripts that create transparent overlays on websites. There are other methods you can use to prevent clickjacking as well.

The Real Threat

As mentioned before, clickjacking sounds like more of an annoyance than a real threat to your security, but if it’s used effectively, it can help attackers steal some very important information or gain access to your online accounts, where they could do serious damage. And while most of the defense has to come from behind the scenes, you can use script-blocking extensions to prevent most of these attacks.
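The “behind the scenes” defense the article refers to is the site telling the browser who may embed it, via the X-Frame-Options header or the CSP frame-ancestors directive. The following is an added example (not code from the article) that evaluates a response’s headers and reports whether a given framing origin would be allowed; the header names and CSP semantics are real, while the sample headers and origins (bank.example, partner.example, attacker.example) are constructed, and port numbers are ignored when comparing origins as a simplification.

```python
"""Added example: can a page served with these headers be framed (clickjacked)?
Handles X-Frame-Options and CSP frame-ancestors; CSP wins when both are present.
Assumption for brevity: port numbers are ignored when comparing origins."""
from urllib.parse import urlsplit

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}".lower()

def _frame_ancestors(csp):  # source list of frame-ancestors, or None if the CSP lacks it
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]] or ["'none'"]
    return None

def _source_matches(source, page_origin, framer_origin):
    """Does one frame-ancestors source expression allow framer_origin?"""
    f_scheme, _, f_host = framer_origin.partition("://")
    if source == "'self'":
        return framer_origin == page_origin
    if source == "*":
        return True
    if source in ("http:", "https:"):              # scheme-source
        return f_scheme == source[:-1]
    scheme, sep, host = source.rpartition("://")   # host-source with optional scheme
    if sep and scheme != f_scheme:
        return False
    if host.startswith("*."):                      # wildcard covers subdomains only
        return f_host.endswith(host[1:])
    return f_host == host

def may_be_framed(headers, page_url, framer_url):
    """True if the page at page_url, served with `headers`, could be embedded by framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = _origin(page_url), _origin(framer_url)
    csp = h.get("content-security-policy")
    sources = _frame_ancestors(csp) if csp else None
    if sources is not None:
        return "'none'" not in sources and any(
            _source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True  # header absent or unrecognised (e.g. obsolete ALLOW-FROM): browsers frame it

# Constructed sample headers: an unprotected response beside a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html"}
HARDENED_HEADERS = {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example",
                    "X-Frame-Options": "SAMEORIGIN"}  # fallback for browsers that predate CSP
```

Running `may_be_framed(WEAK_HEADERS, "https://bank.example/transfer", "https://attacker.example/")` returns True, which is exactly the condition an overlay attack needs, while the hardened headers only admit the site itself and its listed partner subdomains over HTTPS.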

Nehh, just a n00b
