What Is Clickjacking?
Clickjacking is an attack that tricks users into believing they are clicking on one thing when they are actually clicking on another. Its other name, user interface (UI) redressing, captures the situation more accurately: users believe they are interacting with a web page’s normal UI, but in reality a hidden UI is in control; in other words, the UI has been altered. When users click something they believe to be safe, the concealed UI performs a different operation.
Using multiple transparent or opaque layers, an attacker deceives a user into clicking a button or link on a different page when they intend to click on the top-level page. The attacker is thus “hijacking” clicks intended for one page and diverting them to another page, most likely owned by a different application, a different domain, or both.
Keystrokes can be hijacked with a similar technique. Using a carefully constructed combination of stylesheets, iframes, and text boxes, a user can be fooled into believing they are entering the password to their email or bank account when they are actually typing into an invisible frame under the attacker’s control.
Keep in mind, then, that clickjacking involves more than mouse clicks: with a mix of stylesheets, text boxes, and iframes, an attacker can trick an unwary user into thinking they are entering their password into their online banking site when in reality they are typing it into a site the attacker controls.
The attacker’s script can work behind the scenes to make it appear as though nothing is wrong. This makes a range of malicious actions possible, including:
- Installing malware
- Stealing credentials
- Activating your webcam or microphone
- Making unsolicited purchases
- Authorizing money transfers
Types of Clickjacking Attacks
Likejacking
The goal of this sort of attack is to capture user clicks and send them to “likes” on Facebook pages or other social media platforms.
Cookiejacking
In this instance, the user is persuaded to interact with a user interface element, for example by dragging and dropping, and in doing so gives the attacker access to cookies stored in their browser. The attacker may then be able to act on behalf of the user on the target website.
Filejacking
With this type of attack, the user unknowingly grants the attacker access to their local file system, allowing files to be taken.
Cursorjacking
This method moves the pointer away from where the user sees it to a different location, so the user believes they are performing one action while actually performing another.
Safeguarding oneself against Clickjacking
- Send the appropriate response headers: the CSP frame-ancestors directive tells the browser to block framing from other domains. The older X-Frame-Options HTTP header is sent alongside it to support legacy browsers and degrade gracefully.
- Set authentication cookies with the SameSite=Strict attribute.
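As an added example (not code from the original article), the following Python builds the response headers listed above and classifies a set of response headers by how well they resist framing, the kind of check a defender would run over their own application's responses. The header names and values are standard; the plain dict modelling the headers and the `session` cookie name are assumptions.

```python
"""Added example: building and checking anti-clickjacking response headers.
Assumptions (not from the article): a plain dict models HTTP response
headers, and the cookie name 'session' is a placeholder."""
from typing import Dict, List, Optional

PERMISSIVE_SOURCES = {"*", "http:", "https:"}  # allow framing by any origin


def anti_clickjacking_headers(allow_same_origin: bool = True,
                              session_cookie: str = "") -> Dict[str, str]:
    """Headers a page should send so browsers refuse to render it in a
    cross-origin frame. CSP frame-ancestors is the modern control; the
    older X-Frame-Options header is kept for browsers that predate it."""
    source = "'self'" if allow_same_origin else "'none'"
    headers = {
        "Content-Security-Policy": f"frame-ancestors {source}",
        "X-Frame-Options": "SAMEORIGIN" if allow_same_origin else "DENY",
    }
    if session_cookie:
        # SameSite=Strict stops the browser attaching the cookie to requests
        # triggered from a page framed by another site, so a hijacked click
        # arrives unauthenticated; Secure and HttpOnly are usual hardening.
        headers["Set-Cookie"] = (f"session={session_cookie}; SameSite=Strict; "
                                 "Secure; HttpOnly; Path=/")
    return headers


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None
    when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response: 'csp' (frame-ancestors restricts framing),
    'xfo-only' (only the legacy header is present), or 'none'.
    Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(lowered.get("content-security-policy", ""))
    if ancestors is not None and not PERMISSIVE_SOURCES & set(ancestors):
        return "csp"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo-only"
    return "none"
```

A response graded "xfo-only" is protected in current browsers but relies on the legacy header alone; "none" means the page can be framed by any origin.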