Let's learn about clickjacking, which is nowadays a big challenge for security experts; because of it, insecure websites are attacked and frauds are committed.
Clickjacking attacks are conducted by transparently overlaying some benign web element with some other function, input field, button etc. The objective is to misdirect the user's actions so that they do something they hadn't intended to do, usually while they interact with a legitimate website. According to security researcher Robert Hansen, "there are multiple variants of clickjacking. Some of it requires cross-domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them. That's why we had to come up with a new term for it - like the term or not."
Examples
Clickjacking attacks can be executed in a number of interesting ways, so any one example will only touch the tip of what is possible with this type of attack. By way of an example, a clickjacker can take a login button from one site and hide it under a different element on an invisible page, so that when it is clicked it could initiate malicious code. It is also possible for an attacker to trick the player of a Flash game into clicking a seemingly innocent button that could grant the site access to the computer's webcam and microphone.
Preventing Attacks
There are in fact a number of security vulnerabilities that are exploited using clickjacking. They range from Adobe Flash vulnerabilities to ActiveX control options. This kind of attack can be difficult to police because the browser often sees the clickjacked clicks as authorized requests from the user, thus opening the way for all sorts of malicious actions to be executed through the victim's browser and other software such as Adobe Flash. While there are some steps that users can take to protect themselves, the most effective security measures have to be applied on the back-end (the website itself), and they need to be chosen with care, since the strongest solution will also limit and impede a website's functionality. Here are some ways to protect yourself against these attacks:
Hi kishorilal,
Make a consolidated article
Good and helpful article :)
thanks for the info.
Good info.
Nice article!
Thanks for sharing, nice article. Please provide more.
Nice article, but why have you split it into two? Instead of adding half the information in the comment, you can edit the article and consolidate the prevention part with the rest of the article.
Yah Bobbee,
Below I am attaching some snapshots in which you can see how clickjacking actually works. I hope the pictures below help you understand.
Thanks
Kishorilal
Thanks Albert for your appreciation, I will update you more on this.
Regards
Hi kishor,
Here I found that you have commented, but I think this might be an article.
Hi Avkash,
I thought that this is already the topic on which I had written, so I should add on. But still I will try to make a complete article on this separately.
Thanks all.
I would recommend you to write an article on this.
This can be helpful for all.
Thanks for the share.
Hi all,
Thanks for your appreciation and suggestions on this. I am also providing you more details on how to prevent clickjacking attacks.
Block Scripts from the Browser
The most likely scenario is that your users will become clickjacking victims during their normal Web activities. One way to reduce risk is to evaluate and install browser plugins such as NoScript and NotScript, which prompt users to allow JavaScript actions on sites they visit, as well as to specify trusted domains.
Internet Explorer
Internet Explorer 8 and above have some safeguards in place that allow web developers to prevent unauthorized overlays on their web sites. This means that the web developer can protect their own pages from malicious code overlays that could occur from embedded ads or other content.
Firefox
Install the NoScript plugin for Firefox. NoScript will prevent all Flash movies from playing whenever you visit a site; by blocking all Flash content, it will automatically block Flash ads as well. Note that NoScript is only available for Firefox for the time being.
NoScript
NoScript blocks JavaScript, Java, Flash, Silverlight, and other "active" content by default in Firefox. This is based on the assumption that malicious web sites can use these technologies in harmful ways. Users can allow active content to execute on trusted web sites.
Framekiller
A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that doesn't allow a Web page to be displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a page from an external Web site being loaded from within a frameset without permission.
The typical source code for a framekiller script is:
<script type="text/javascript">
// If this window is not the top-level window, the page is being framed:
// replace the framing document with this page's own URL.
if (top !== self) {
    top.location.replace(self.location.href);
}
</script>
Some examples are:
1. JavaScript - By using JavaScript this attack becomes easier to deploy. This is because the original UI can be further manipulated in ways that are not possible when using only HTML. For example, the attacker can move the embedded Web page with respect to the browser window so that a specific button will always be under the user's mouse cursor.
2. Flash - The clickjacking vulnerability in Adobe Flash Player has even further implications, since attackers can gain access to attached hardware such as Web cameras and microphones.
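The classic framekiller quoted in the comment above only acts after the page has already rendered, and it has no notion of a legitimate framer. The following is an added example, not the commenter's code: a more defensive variant in the style of OWASP's clickjacking guidance, in which the page ships hidden by a small stylesheet and is only revealed once the script has confirmed that it is the top-level window or that every framing ancestor is on an allow-list; in all other cases the framing document is replaced. The allow-listed origin https://portal.example, the page URL and the window-like stand-in objects are constructed so the decision logic can be run under Node.js as well as in a browser.

```javascript
// Added example (not from the original comment): a fail-closed framekiller.
// ALLOWED_ANCESTORS and the makeWindow() stand-in are constructed values.
'use strict';

// Origins that may legitimately frame this page.
const ALLOWED_ANCESTORS = ['https://portal.example'];

// In the real page this element sits in <head> before the script, so nothing
// is clickable until framingDecision() returns 'show':
//   <style id="antiClickjack">html { display: none !important; }</style>

// Returns 'show' when the page may be displayed, 'bust' when it must break
// out of the frame.
function framingDecision(win, allowed = ALLOWED_ANCESTORS) {
  // Comparing the window references is permitted even across origins.
  if (win.top === win.self) return 'show';
  // window.location.ancestorOrigins (Chromium/WebKit) lists the framing
  // chain.  Firefox does not implement it, so a framed page there yields an
  // empty list and busts out: the check fails closed, not open.
  const ancestors = Array.from((win.location && win.location.ancestorOrigins) || []);
  if (ancestors.length === 0) return 'bust';
  return ancestors.every((o) => allowed.includes(o)) ? 'show' : 'bust';
}

function applyFramingPolicy(win) {
  const decision = framingDecision(win);
  if (decision === 'show') {
    // Reveal the page by removing the hiding stylesheet.
    const style = win.document.getElementById('antiClickjack');
    if (style) style.remove();
  } else {
    // Location.replace() may be called on a cross-origin top window and,
    // unlike assigning href, leaves no history entry for the framing page.
    win.top.location.replace(win.self.location.href);
  }
  return decision;
}

// Constructed window-like stand-in so the logic can be exercised in Node.
function makeWindow({ framed, ancestors = [] }) {
  const win = {
    location: { href: 'https://bank.example/login', ancestorOrigins: ancestors },
    document: {
      hidden: true,
      getElementById(id) {
        return id === 'antiClickjack' ? { remove: () => { win.document.hidden = false; } } : null;
      },
    },
  };
  win.self = win;
  win.top = framed
    ? { location: { replacedWith: null, replace(url) { this.replacedWith = url; } } }
    : win;
  return win;
}

// In a browser this runs immediately; under Node `window` is undefined.
if (typeof window !== 'undefined') applyFramingPolicy(window);

module.exports = { ALLOWED_ANCESTORS, framingDecision, applyFramingPolicy, makeWindow };
```

This script is a fallback, not a replacement, for the response headers: a frame with the sandbox attribute can stop the script from running or from navigating the top window, so the header-based protection should be the primary control and the framekiller is only there for browsers that ignore the headers.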
Thanks for the share
Just like to update all: when we use Mozilla Firefox with the add-on called "NoScript", this can be prevented to a large extent. This is just one precautionary measure. There are many ways clickjacking can be achieved.
Thanks for the share!!