Clickjacking, sometimes called “UI redressing”, is a way of stealing a well placed click from a victim. The goal of the attack is to trick a user to perform an action without the consent of a user, which benefits the attacker. Clickjacking is usually combined with social engineering and security flaws.
An example of clickjacking
Andrew Frost* is a famous blogger on superblog.com. Because Andrew is so successful, a hacker wants to steal the account of Andrew. If superblog.com is vulnerable for clickjacking attacks, the attacker can create a fake phising domain and lure Andrew to it. The hacker creates a website, like winafreeholiday.com, where you need to enter your email address in order to win a free holiday.
* This is a random name
Andrew is however unaware that superblog.com is loaded in the background. The hacker can do this by using an iframe. An iframe is a html instruction that tells the browser to load in an other website on the page. This causes that winafreeholiday.com now has a page of superblog.com, specifically the page where the user can change it’s password. The page is constructed in a way that the superblog page is transparent, and styled that it looks like a page to win a free holiday.
The hacker now only has to send Andrew an email with the link of the website. Andrew thinks he wins a holiday, but in fact he changed his password on superblog.com. Since the hacker knows this, he now has access to the account of Andrew. Andrew is now victim of clickjacking.
In the example above several things gone wrong. To start, Andrew clicked a phishing link. After that, superblog allowed the page to be loaded in an iframe. To conclude the list, Andrew was still logged in and didn’t had to fill in his current password.
At the same time the solution is pretty easy. With the Content Security Policy (CSP) superblog can prevent being loaded by an other domain. The CSP header replaces the old x-frame-options header that was used back in the days to avoid clickjacking. The correct header is a follows:
Content-Security-Policy: frame-ancestors 'none';
More information about preventing clickjacking is on the website of OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
If your website is not configured properly, other websites can load it. If users are able to log in to your website and are logged in, they can become victims of clickjacking. To avoid this you can:
- Send the CSP header
- Prevent users from being logged in for a long time, e.g. log them out automatically after 2 hours of inactivity
- Extra protection for sensitive functions such as changing a password, for example by asking for the current password
Do you want to test whether your website is vulnerable to clickjacking? Our Quickscan checks whether your website is vulnerable to clickjacking.