Clickjacking
With the advent of the internet, today almost 90% of people use the web for nearly everything. Using the internet has become a trend, and since the launch of smartphones it has become a basic necessity for every second person. But the growing reliance on the World Wide Web brings many security concerns; clickjacking is one of them, and if it is present in an application it may lead to major loss to the business.
Clickjacking (also called a “UI Redress Attack” or “Missing Cross Frame Scripting Protection”) is a client-side attack in which the end user is tricked into clicking a critical link or button in the application. The attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the top-level page. To achieve this, attackers load the target page in a fully transparent iframe (opacity set to zero).
To get a complete picture, let’s take an example:
The attacker crafts a page that uses the vulnerable website as the src of an iframe:
Iframes can be made transparent so that they are invisible to the end user.
Please find below a screenshot of the crafted page:

Here you can see that the page offers a chance to win an iPad. But, as seen below, it contains an iframe:

When the end user clicks the WIN IPAD button, he actually clicks the Transfer Money button in the application. In this way the attacker forces the victim to perform a critical action in the application.

This is a critical vulnerability. In this way attackers can easily force end users to perform critical actions such as deleting records, editing data, transferring money, etc.
How to test if an application is vulnerable to clickjacking attack
1. Clickjacking can be easily detected using the Chrome add-on “Clickjacking Test”.

2. Testers can also check for the presence of the X-Frame-Options header in the application’s response:

Mitigation:
Send the proper X-Frame-Options HTTP response header, which instructs the browser not to allow framing from other domains, i.e. set X-Frame-Options to SAMEORIGIN.
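Below is an added example (written for this page, not code from the original article) covering both the testing step and the mitigation above: a small Node.js function that classifies a response's framing protection from its headers, which is what a tester does when checking for X-Frame-Options, and a request handler that applies the SAMEORIGIN mitigation. It also evaluates the Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options when both are present; the sample header sets and the partner.example origin are constructed for illustration.

```javascript
// Added example (not from the original article): assessing and applying
// anti-framing headers in Node.js. The sample header sets below are
// constructed for illustration, not captured from any real site.

// Classify a response's framing policy from its headers.
// Returns "blocked" (no framing at all), "same-origin", "allow-list"
// (specific origins via CSP) or "unprotected".
function assessFramingProtection(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // Browsers that understand CSP frame-ancestors give it precedence over
  // X-Frame-Options, so evaluate it first.
  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      // An empty source list matches no ancestor, i.e. behaves like 'none'.
      if (sources.length === 0) return "blocked";
      if (sources.length === 1 && sources[0] === "'none'") return "blocked";
      if (sources.length === 1 && sources[0] === "'self'") return "same-origin";
      if (sources.includes("*")) return "unprotected";
      return "allow-list";
    }
  }

  const xfo = h["x-frame-options"];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return "blocked";
    if (value === "SAMEORIGIN") return "same-origin";
    // ALLOW-FROM is obsolete and ignored by current browsers; any other
    // unknown value is likewise ignored, leaving the page frameable.
    return "unprotected";
  }

  return "unprotected";
}

// The mitigation from the article: X-Frame-Options: SAMEORIGIN, plus the
// equivalent CSP directive for browsers that prefer it.
function antiFramingHeaders() {
  return {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
  };
}

// Request handler in the shape Node's http module expects; pass it to
// require("node:http").createServer(handleTransferPage).listen(8080).
// Returns the headers it sent so the behaviour can be checked in isolation.
function handleTransferPage(req, res) {
  const headers = antiFramingHeaders();
  res.writeHead(200, headers);
  res.end("<h1>Transfer Money</h1><button>Transfer</button>");
  return headers;
}

// Constructed sample responses a tester might see (not real captures).
const SAMPLE_RESPONSES = {
  noHeaders: { "Content-Type": "text/html" },
  xfoDeny: { "Content-Type": "text/html", "X-Frame-Options": "deny" },
  obsoleteAllowFrom: { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  cspNone: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  cspAllowList: { "Content-Security-Policy": "frame-ancestors https://partner.example" },
  mitigated: antiFramingHeaders(),
};

// Run the check over every sample and return a name -> verdict report.
function assessAll(samples = SAMPLE_RESPONSES) {
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    report[name] = assessFramingProtection(headers);
  }
  return report;
}

console.table(assessAll());
```

In practice a tester runs `assessFramingProtection` over the headers of the page that performs the sensitive action (the Transfer Money page in the article's example), since a protected login page says nothing about whether the action page itself can be framed. Note that only a verdict of "blocked" or "same-origin" closes the issue described above; an obsolete ALLOW-FROM value gives no protection in current browsers.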