Today, while I was having a cup of coffee on my balcony, my friend called to ask about tomorrow’s CTF plans and other stuff regarding the final season of 13ry. Nvm, it was fine until we started to debate the topic of clickjacking. He asked me whether I knew anything about it. Again, I am not a pro, but I still gave him a lead on some valuable resources he can use to improve his knowledge. That is where I got the idea to include this topic in today’s article. Also, it is a part of vulnerability assessment (on humans xp).
What is Clickjacking?
As you might have gathered from the name, clickjacking is the process of hijacking a user’s click on a computer (it can also be used to hijack keystrokes, but “key-stroke-jacking” is a whole lot harder to say). There are a number of ways that this process can take place, but they all have one thing in common: a user thinks they’re clicking on one thing, when in reality, they’re clicking on something else.
Many clickjacking attacks include a transparent user interface placed over another interface that the user is expecting to see (which is why “UI redressing” is another name for this method). Then, when that user thinks they’re clicking on something, they’re actually clicking on something else that they can’t see. You might think you’re clicking on a link that will sign you up for a free service, when you’re actually clicking a button that gives a cybercriminal access to your account.
What can you do to prevent clickjacking?
Unfortunately, there’s not a whole lot you can do to prevent clickjacking unless you’re a website administrator. By far the most commonly recommended method of protecting yourself while you’re browsing is to use NoScript, the Firefox add-on that prevents scripts from loading without specific authorization from you. NoScript has some specifically anti-clickjacking features and is really good at detecting the kinds of scripts that create transparent overlays on websites. Here are some other methods you can use to prevent clickjacking.
- Most of the defense against clickjacking needs to come from site admins. Many of the defenses are rather technical, and if you want to find out exactly how to implement them, I recommend checking out the Clickjacking Defense Cheat Sheet from OWASP.
- One of the best ways to prevent clickjacking on your site is to include an X-Frame-Options HTTP header that prevents your site’s content from being loaded in a frame (<frame> tag) or iframe (<iframe> tag). Because frames are often used as attack vectors, not just for clickjacking but for other threats as well, this is an effective way of mitigating the threat.
- To minimize the likelihood of a clickjacking attack on your mobile device, you may want to restrict yourself to only downloading apps from trusted sources, like the Apple App Store or the Google Play Store. While this isn’t a guarantee that you’ll be free from attacks, these apps are considerably less likely to include malicious code than those you get from a third-party source.
- You can also avoid using in-app browsers, as this is a common place for touchjacking attacks to occur. Set the default behavior for link-opening in your apps to open in the system browser, instead of the in-app browser, and you’ll eliminate one more potential weakness in your defense.
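As an added example (not from the article or the OWASP cheat sheet), here is a small Python helper that produces the X-Frame-Options header the second point describes, alongside the Content-Security-Policy frame-ancestors directive that current browsers honour in preference to it, plus a check that tells whether a captured set of response headers actually blocks framing. The header and directive names are real; the functions, origins and sample headers are constructed for illustration.

```python
from typing import Dict, List, Optional

# X-Frame-Options values current browsers honour. ALLOW-FROM is obsolete
# and ignored, so it gives no protection. (Constructed helper, not the article's code.)
_XFO_SAFE = {"DENY", "SAMEORIGIN"}


def anti_framing_headers(allowed_origins: Optional[List[str]] = None) -> Dict[str, str]:
    """Headers that stop the page from being loaded in a <frame> or <iframe>

    by other origins. With no allowed origins, nobody may frame the page;
    otherwise 'self' plus the listed origins may, expressed through CSP
    because X-Frame-Options cannot carry an arbitrary origin list.
    """
    if not allowed_origins:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    sources = " ".join(["'self'"] + list(allowed_origins))
    return {
        # Legacy fallback for old browsers; CSP carries the real policy.
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": f"frame-ancestors {sources}",
    }


def _frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP header, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def is_frame_protected(headers: Dict[str, str]) -> bool:
    """Does this response forbid framing by other origins?

    Header names are matched case-insensitively. When frame-ancestors is
    present it overrides X-Frame-Options, so a wildcard or bare scheme
    there defeats even an X-Frame-Options: DENY.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(lowered.get("content-security-policy", ""))
    if sources is not None:
        src = sources.split()
        return "*" not in src and not any(s in ("http:", "https:") for s in src)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    return xfo in _XFO_SAFE
```

Run `is_frame_protected` over the headers your own site returns (for example from a saved `curl -I` response) to confirm the defense is actually reaching the browser.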
The Real Threat
As mentioned before, clickjacking sounds like more of an annoyance than a real threat to your security, but if it’s used effectively, it can help attackers steal some very important information or gain access to your online accounts, where they could do serious damage. And while most of the defense has to come from behind the scenes, you can use script-blocking extensions to prevent most of these attacks.