{"id":47610,"date":"2022-09-26T15:08:33","date_gmt":"2022-09-26T13:08:33","guid":{"rendered":"https:\/\/cyberant.com\/wat-is-clickjacking\/"},"modified":"2023-04-12T15:54:42","modified_gmt":"2023-04-12T13:54:42","slug":"what-is-clickjacking","status":"publish","type":"post","link":"https:\/\/cyberant.com\/en\/what-is-clickjacking\/","title":{"rendered":"What is clickjacking?"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l8is9pyu-2071202cb05c0d18740785925e794b22\">\n#top .av_textblock_section.av-l8is9pyu-2071202cb05c0d18740785925e794b22 .avia_textblock{\nfont-size:40px;\n}\n<\/style>\n<section  class='av_textblock_section av-l8is9pyu-2071202cb05c0d18740785925e794b22 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><h1 class=\"h2 entry-title\">What is clickjacking?<\/h1>\n<\/div><\/section>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-pxc3w8-8d3d19cfd9f8c2768e82ee26a5904948\">\n#top .hr.hr-invisible.av-pxc3w8-8d3d19cfd9f8c2768e82ee26a5904948{\nheight:30px;\n}\n<\/style>\n<div  class='hr av-pxc3w8-8d3d19cfd9f8c2768e82ee26a5904948 hr-invisible  avia-builder-el-1  el_after_av_textblock  el_before_av_textblock '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l8isa1av-ff5ca47754cacbc4e5f03e6865064308\">\n#top .av_textblock_section.av-l8isa1av-ff5ca47754cacbc4e5f03e6865064308 .avia_textblock{\nfont-size:16px;\n}\n<\/style>\n<section  class='av_textblock_section av-l8isa1av-ff5ca47754cacbc4e5f03e6865064308 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Clickjacking, sometimes called &#8220;UI redressing&#8221;, is a way of stealing a well placed click from a victim. The goal of the attack is to trick a user to perform an action without the consent of a user, which benefits the attacker. Clickjacking is usually combined with social engineering and security flaws.<\/p>\n<h3>An example of clickjacking<\/h3>\n<p>Andrew Frost* is a famous blogger on superblog.com. Because Andrew is so successful, a hacker wants to steal the account of Andrew. If superblog.com is vulnerable for clickjacking attacks, the attacker can create a fake phising domain and lure Andrew to it. The hacker creates a website, like winafreeholiday.com, where you need to enter your email address in order to win a free holiday.<\/p>\n<p>* This is a random name<\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-1561\" src=\"https:\/\/cyberantcom.wpengine.com\/wp-content\/uploads\/2021\/03\/superblogen-1024x985.png\" alt=\"clickjacking\" width=\"461\" height=\"444\" srcset=\"https:\/\/cyberant.com\/wp-content\/uploads\/2021\/03\/superblogen-1024x985.png 1024w, https:\/\/cyberant.com\/wp-content\/uploads\/2021\/03\/superblogen-300x289.png 300w, https:\/\/cyberant.com\/wp-content\/uploads\/2021\/03\/superblogen-768x739.png 768w, https:\/\/cyberant.com\/wp-content\/uploads\/2021\/03\/superblogen.png 1054w\" sizes=\"(max-width: 461px) 100vw, 461px\" \/><\/p>\n<p>Andrew is however unaware that superblog.com is loaded in the background. The hacker can do this by using an\u00a0<a href=\"https:\/\/www.w3schools.com\/html\/html_iframe.asp\">iframe<\/a>. An iframe is a html instruction that tells the browser to load in an other website on the page. This causes that winafreeholiday.com now has a page of superblog.com, specifically the page where the user can change it&#8217;s password. The page is constructed in a way that the superblog page is transparent, and styled that it looks like a page to win a free holiday.<\/p>\n<p>The hacker now only has to send Andrew an email with the link of the website. Andrew thinks he wins a holiday, but in fact he changed his password on superblog.com. Since the hacker knows this, he now has access to the account of Andrew. Andrew is now victim of clickjacking.<\/p>\n<h3>Preventing clickjacking<\/h3>\n<p>In the example above several things gone wrong. To start, Andrew clicked a phishing link. After that, superblog allowed the page to be loaded in an iframe. To conclude the list, Andrew was still logged in and didn&#8217;t had to fill in his current password.<\/p>\n<p>At the same time the solution is pretty easy. With the Content Security Policy (CSP) superblog can prevent being loaded by an other domain. The CSP header replaces the old x-frame-options header that was used back in the days to avoid clickjacking. The correct header is a follows:<\/p>\n<p><code>Content-Security-Policy: frame-ancestors 'none';<\/code><\/p>\n<p>More information about preventing clickjacking is on the website of OWASP: <a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Clickjacking_Defense_Cheat_Sheet.html\" target=\"_blank\" rel=\"noopener\">https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Clickjacking_Defense_Cheat_Sheet.html<\/a><\/p>\n<h3 id=\"tw-target-text\" class=\"tw-data-text tw-text-large XcVN5d tw-ta\" dir=\"ltr\" data-placeholder=\"Vertaling\">Resume<\/h3>\n<p class=\"tw-data-text tw-text-large XcVN5d tw-ta\" dir=\"ltr\" data-placeholder=\"Vertaling\">If your website is not configured properly, other websites can load it. If users are able to log in to your website and are logged in, they can become victims of clickjacking. To avoid this you can:<\/p>\n<ul>\n<li class=\"tw-data-text tw-text-large XcVN5d tw-ta\" dir=\"ltr\" data-placeholder=\"Vertaling\">Send the CSP header<\/li>\n<li class=\"tw-data-text tw-text-large XcVN5d tw-ta\" dir=\"ltr\" data-placeholder=\"Vertaling\">Prevent users from being logged in for a long time, e.g. log them out automatically after 2 hours of inactivity<\/li>\n<li class=\"tw-data-text tw-text-large XcVN5d tw-ta\" dir=\"ltr\" data-placeholder=\"Vertaling\">Extra protection for sensitive<span style=\"font-size: 16px;\">\u00a0functions such as changing a password, for example by asking for the current password <\/span><\/li>\n<\/ul>\n<p class=\"tw-data-text tw-text-large XcVN5d tw-ta\" dir=\"ltr\" data-placeholder=\"Vertaling\"><span style=\"font-size: 16px;\">Do you want to test whether your website is vulnerable to clickjacking? Our <a href=\"https:\/\/cyberantcom.wpengine.com\/quickscan\/\" target=\"_blank\" rel=\"noopener\">Quickscan<\/a> checks whether your website is vulnerable to clickjacking.<\/span><\/p>\n<div class=\"text-center\"><\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":11,"featured_media":1573,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[195,216],"tags":[199,182,183,197,191,185,192,193,188],"class_list":["post-47610","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacken","category-knowledge-base","tag-clickjacking-en","tag-cyber-security-en","tag-cyberaanval-en","tag-cybercriminelen-en","tag-etisch-hacker-en","tag-hacker-en","tag-owasp-en","tag-penetration-test-en","tag-vulnerability-management-en"],"_links":{"self":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47610","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/comments?post=47610"}],"version-history":[{"count":0,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/posts\/47610\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media\/1573"}],"wp:attachment":[{"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/media?parent=47610"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/categories?post=47610"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberant.com\/en\/wp-json\/wp\/v2\/tags?post=47610"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}