
A short information on Clickjacking attacks

Created: 27 Jan 2012 • Updated: 16 Feb 2012 | 19 comments
Author: kishorilal1986
+14 votes

Let's look at clickjacking, which is nowadays a big challenge for security experts: through it, insecure websites are attacked and frauds are committed.

Clickjacking attacks are conducted by transparently overlaying some benign web element with some other function, input field, button, etc. The objective is to misdirect the user's actions so that they do something they had not intended to do, usually while interacting with a legitimate website. According to security researcher Robert Hansen, "there are multiple variants of clickjacking. Some of it requires cross-domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them. That's why we had to come up with a new term for it - like the term or not."


Examples

Clickjacking attacks can be executed in a number of interesting ways, so any one example will only touch the tip of what is possible with this type of attack. By way of an example, a clickjacker can take a login button from one site and hide it under a different element on an invisible page, so that clicking it could initiate malicious code. It is also possible for an attacker to trick a Flash game player into clicking a seemingly innocent button that could grant the site access to the computer's webcam and microphone.


Preventing Attacks

There are in fact a number of security vulnerabilities that are exploited using clickjacking. They range from Adobe Flash vulnerabilities to ActiveX control options. This kind of attack can be difficult to police because the browser often sees the clickjacked actions as authorized requests from the user, thus opening the way for all sorts of malicious actions to be executed through the victim's browser and other software such as Adobe Flash. While there are some steps that users can take to protect themselves, the most effective security measures will have to be taken on the back-end, especially considering that the most effective solution will limit and impede a website's functionality. Here are some ways to protect yourself against these attacks:
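Because the browser cannot tell a clickjacked click from a genuine one, the practical question for a site owner is whether browsers will agree to put the page inside a frame at all. The following Node.js helper is an added example, not part of the original article or its author's material: it parses the two response headers that control framing (the older X-Frame-Options and the Content-Security-Policy frame-ancestors directive) and reports a verdict for each sample response. The sample responses and the host names in them are constructed for illustration.

```javascript
// Added example, not part of the original article: an audit helper that
// inspects a page's HTTP response headers and reports whether a browser would
// refuse to put the page in a frame. The sample responses at the bottom are
// constructed for illustration; the host names in them are placeholders.

// Extract the source list of a Content-Security-Policy frame-ancestors
// directive. Returns null when the header is absent or has no such directive.
function frameAncestorsOf(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Classify a response. `headers` is a plain object keyed by lower-cased header
// names (the shape Node's http module hands back). Possible verdicts:
//   'blocked'     nobody may frame the page
//   'same-origin' only pages from the same origin may frame it
//   'allow-list'  a named set of origins may frame it
//   'framable'    any site may frame it (missing, malformed or obsolete header)
function assessFrameProtection(headers) {
  const ancestors = frameAncestorsOf(headers['content-security-policy']);
  if (ancestors !== null) {
    // Browsers that understand frame-ancestors ignore X-Frame-Options, so the
    // CSP directive decides when both are present.
    const sources = ancestors.map((s) => s.toLowerCase());
    if (sources.length === 0) return 'blocked';
    if (sources.length === 1 && sources[0] === "'none'") return 'blocked';
    if (sources.includes('*')) return 'framable';
    if (sources.length === 1 && sources[0] === "'self'") return 'same-origin';
    // Anything else (named origins, or an odd mix) is an explicit allow list
    // that deserves a human look.
    return 'allow-list';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // No header, an unrecognised value, or the obsolete ALLOW-FROM form: modern
  // browsers will frame the page, so report it for follow-up.
  return 'framable';
}

// Run the check over constructed sample responses; returns { name: verdict }.
function auditSamples() {
  const samples = {
    login: { 'x-frame-options': 'DENY' },
    dashboard: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
    widget: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
    legacy: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
    blog: {},
  };
  const findings = {};
  for (const [name, headers] of Object.entries(samples)) {
    findings[name] = assessFrameProtection(headers);
  }
  return findings;
}
```

A 'framable' verdict is a finding to triage, not proof of a vulnerability: a page with no state-changing buttons gains little from framing protection, whereas a login or settings page that comes back 'framable' should get the headers added. Run the check over real responses by passing `res.headers` from Node's `http.get` callback in place of the constructed samples.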

Comments (19)

Comment by Avkash K:

Thanks for the share!!

Regards,

Avkash K

+1

Comment by AR Sharma:

Just like to update all: when we use Mozilla Firefox with an add-on called "NoScript", this could be prevented to a large extent. This could be just one precautionary measure. There are many ways clickjacking can be achieved.

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

+2

Comment by Milan_T:

Thanks for the share

+3

Comment by kishorilal1986:

Some examples are:

1. JavaScript - By using JavaScript this attack becomes easier to deploy, since the original UI can be further manipulated in ways that are not possible when using only HTML. For example, the attacker can move the embedded Web page with respect to the browser window so that a specific button will always be under the user's mouse cursor.

2. Flash - The clickjacking vulnerability in Adobe Flash Player has even further implications, since attackers can gain access to attached hardware such as Web cameras and microphones.

+3

Comment by kishorilal1986:

Hi all,

Thanks for your appreciation and suggestions on this. I am also providing you more details on how to prevent clickjacking attacks.

Block Scripts from the Browser

The most likely scenario is that your users will become clickjacking victims during their normal Web activities. One way to reduce risk is to evaluate and install browser plugins such as NoScript and NotScript, which prompt users to allow JavaScript actions on sites they visit, as well as to specify trusted domains.

Internet Explorer

Internet Explorer 8 and above have some safeguards in place that allow web developers to prevent unauthorized overlays on their web sites. This means that the web developer can protect their own pages from malicious code overlays that could occur from embedded ads or other content.

Firefox

Install the NoScript plugin for Firefox. NoScript will prevent all Flash movies from playing whenever you visit a site. NoScript, by way of blocking all Flash content, will automatically block Flash ads. Note that NoScript is only available for Firefox for the time being.

NoScript

NoScript blocks JavaScript, Java, Flash, Silverlight, and other "active" content by default in Firefox. This is based on the assumption that malicious web sites can use these technologies in harmful ways. Users can allow active content to execute on trusted web sites.

Framekiller

A framekiller (or framebuster or framebreaker) is a piece of JavaScript code that does not allow a Web page to be displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a frame from an external Web site being loaded from within a frameset without permission.

The typical source code for a framekiller script is:

<script type="text/javascript">
  // If this page is not the top-level window, navigate the top window to this page
  if(top != self) top.location.replace(location);
</script>

+5
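The comment above covers the client-side pieces (NoScript, the framekiller script) and mentions the safeguards Internet Explorer 8 introduced for web developers, which are the X-Frame-Options response header. The Node.js code below is an added example, not code from the comment's author or from this article: it builds the X-Frame-Options and Content-Security-Policy frame-ancestors headers a server should send, and pairs them with a fail-closed variant of the framekiller in which the page body stays hidden by CSS unless the script confirms it is the top-level window. The handler and the `allowedOrigins` parameter are assumptions for illustration; the site being protected is hypothetical.

```javascript
// Added example (not part of the original article or comment): server-side
// clickjacking defences plus a fail-closed framekiller, written for Node.js.
//
// Assumptions: the protected page is served by a Node http-style handler
// (`res.setHeader` / `res.end`), and the site and origins involved are
// hypothetical placeholders.

// Build the two response headers that tell the browser whether this page may be
// framed. X-Frame-Options is the older mechanism (introduced with Internet
// Explorer 8); the CSP frame-ancestors directive is the modern one and wins in
// browsers that understand it. `allowedOrigins` lists origins permitted to
// frame the page; an empty array means nobody may frame it.
function frameAncestorHeaders(allowedOrigins) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot carry an arbitrary allow list (ALLOW-FROM is
  // obsolete), so use SAMEORIGIN for legacy browsers and let CSP carry the
  // precise list for modern ones.
  const list = ["'self'", ...allowedOrigins].join(' ');
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors ${list}`,
  };
}

// The framekiller condition as a pure function: `win` is any object exposing
// `top` and `self`, so the check can be exercised outside a browser.
function isFramed(win) {
  return win.top !== win.self;
}

// Markup for a page whose body is hidden by CSS until the inline script proves
// the page is not framed. Unlike the one-line framekiller, this fails closed:
// if the script never runs, the page stays blank instead of becoming clickable.
function guardedPageHtml(bodyMarkup) {
  return [
    '<!DOCTYPE html><html><head>',
    '<style id="antiClickjack">body { display: none !important; }</style>',
    '<script>',
    '  if (self === top) {',
    '    // Not framed: remove the hiding rule so the page renders.',
    '    var s = document.getElementById("antiClickjack");',
    '    s.parentNode.removeChild(s);',
    '  } else {',
    '    // Framed: navigate the top window to this page.',
    '    top.location = self.location;',
    '  }',
    '</script>',
    '</head><body>' + bodyMarkup + '</body></html>',
  ].join('\n');
}

// Node http-style handler: set the framing headers, then send the guarded
// page. Returns the headers it applied so callers can log or check them.
function sendGuardedPage(res, allowedOrigins, bodyMarkup) {
  const headers = frameAncestorHeaders(allowedOrigins);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(guardedPageHtml(bodyMarkup));
  return headers;
}
```

Wire `sendGuardedPage` into an `http.createServer((req, res) => ...)` callback to serve a protected page. The headers are the primary control, since the browser enforces them before any script runs; the guarded markup is a fallback for older browsers that ignore both headers.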
Comment by Avkash K:

I would recommend you write an article on this.

This can be helpful for all.

Regards,

Avkash K

+2

Comment by kishorilal1986:

Hi Avkash,

I thought this was already the topic I had written on, so I should add to it. But still I will try to make a complete article on this separately.

Thanks all.

Kishorilal

+1

Comment by AlbertL:

Thanks for the share~~~~~

Albert L

+1

Comment by kishorilal1986:

Thanks Albert for your appreciation, I will update you more on this.

Regards

Kishorilal

+1

Comment by Milan_T:

Hi Kishor,

Here I found that you have commented, but I think this might be an article.

0

Comment by BobBee:

Can we get a working "non harmful" example page set up so all can see a clickjacking event in action? Reason:
1) Show it working in a "real life" environment or situation.
2) Check if security measures put in place are working (for at least the example).

0

Comment by kishorilal1986:

Yeah BobBee,

Below I am attaching some snapshots in which you can see how clickjacking actually works. I hope you understand it from the pictures below.

Thanks

Kishorilal

Attachments: dia_clickjacking_attack.jpg, 182201261915.jpg
+1

Comment by Tariq Naik:

Nice article, but why have you split it into two? Instead of adding half the information in the comment, you can edit the article and consolidate the prevention part with the rest of the article.

+1

Comment by avi.gawari:

Thanks for sharing, nice article. Please provide more.

0

Comment by DADASAHEB:

Nice article.............!

0

Comment by W007:

Good info :

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

0

Comment by zafar1907:

Thanks for the info.

Thanks and Regards,

Mohammad zafar

Please Mark as solution if this comment solved your Issue....

0

Comment by visible_sol:

Good and helpful article :)

0

Comment by zafar1907:

Hi kishorilal,

Make a consolidated article

Thanks and Regards,

Mohammad zafar

Please Mark as solution if this comment solved your Issue....

0