Clickjacking: what is it and how to protect yourself from it?

Attackers use many different methods to lure victims to their websites and harvest their personal data, and when webmasters think about protecting their site, clickjacking is one of the threats they most often overlook.

What is clickjacking?

Clickjacking is a fraudulent technique that attackers use to gain access to confidential information or to the victim’s computer by luring the victim to an apparently harmless site. Usually attackers implement clickjacking by placing an invisible layer containing their page over a legitimate site, so that the control element (a button or a link) needed to perform the desired action sits exactly under a visible link or button that the user is expected to click. As a result, an unsuspecting victim can unknowingly subscribe to a social-network account or “like” a post. Attackers can also trick users into believing they are typing a password into an ordinary login field, while in fact they are entering their credentials into an invisible field on the fraudster’s site.

Classic clickjacking

Most often, attackers overlay their malicious pages on top of legitimate pages. There are several ways to implement this:

Invisible frames: the attacker creates an invisible 1×1 frame whose content the user cannot see. The target element inside the invisible frame, such as a button on the website, is positioned directly under the victim’s cursor, which makes it easy to deceive the user into clicking on malicious content;

Pointer events: a floating div is created that completely covers the target user-interface element. The CSS property pointer-events is set to none for the target element, so clicks pass through it and register on the attacker’s invisible frame;

Transparent overlays: the attacker places a transparent window over the element the user clicks on. The victim does not see the transparent window and believes they are clicking on an ordinary button or link.

More exotic methods of clickjacking attacks

These options are used less often than the classic transparent page overlay:

Rapid content replacement. In this attack, attackers use overlays that obscure the target elements on the web page and swap the content almost instantly (within milliseconds), right before the victim interacts with the page. This method requires the attacker to predict when the click will happen;

Ghost mouse cursors. Using a floating div, an attacker creates an additional mouse cursor at a fixed offset from the victim’s real pointer. The attacker then arranges the page so that the fake cursor is the more noticeable one and places the element the victim is meant to click under it.

How to check if your site is vulnerable to a clickjacking attack

It’s simple: create an HTML page and try to embed one of your own web pages in a frame on it. If the page loads inside the frame, you should think about protecting your site from clickjacking.

How to protect yourself from clickjacking?

Knowing what clickjacking is and which variants of the attack exist, we can consider several methods of protection:

Use the X-Frame-Options header. It allows or prohibits displaying the page inside a frame. To protect against clickjacking, use one of two values: DENY (more secure) or SAMEORIGIN;

Use a Content Security Policy (CSP), a security mechanism that describes trusted sources for loading resources and sets rules for inline styles and scripts as well as for dynamic JavaScript evaluation;

Framebusting. This is the oldest and least reliable protection against clickjacking: a script in the page refuses to let the page be displayed inside a frame;

Set the SameSite cookie attribute to Strict. SameSite is a cookie attribute that can help prevent clickjacking. With SameSite=Strict, the cookie is sent only when the site is opened directly, not through a frame or by any other cross-site route. Remember that this protection is effective only if you use cookies to authorize users.
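The framing check described earlier and the two header-based protections above can be exercised without a browser by reading a site’s response headers. The following is an added example, not code from the original article: a small Node.js script that applies X-Frame-Options and the CSP frame-ancestors directive the way a browser does, reports whether an unrelated origin could frame the page, shows the header pair that refuses framing, and inspects a Set-Cookie line for its SameSite value. The origins shop.example, partner.example and attacker.example and all sample headers are constructed; the CSP source matching is simplified (no scheme-upgrade rules).

```javascript
// Added example, not code from the original article: decide from a site's
// response headers whether a page on another origin could embed it in a frame.
// Origins such as shop.example and attacker.example are constructed placeholders.

// Return the source list of a CSP frame-ancestors directive, or null when the
// policy has no such directive.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Simplified CSP source-expression matching: 'none', '*', 'self', scheme sources
// ("https:") and host sources with an optional leading "*." wildcard label.
function sourceMatches(source, embedderOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") return embedderOrigin === pageOrigin;
  const embedder = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  const parts = src.split('://');
  const scheme = parts.length === 2 ? parts[0] + ':' : new URL(pageOrigin).protocol;
  if (embedder.protocol !== scheme) return false;
  const [host, port] = parts[parts.length - 1].split(':');
  if (port && port !== '*' && port !== (embedder.port || defaultPort(embedder.protocol))) return false;
  if (host.startsWith('*.')) return embedder.hostname.endsWith(host.slice(1));
  return embedder.hostname === host;
}

// Can a page at pageOrigin, served with these response headers, be framed by a
// page at embedderOrigin? A frame-ancestors directive, when present, takes
// precedence over X-Frame-Options, as it does in browsers.
function canBeFramed(headers, embedderOrigin, pageOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) return ancestors.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  // No header, or an unrecognised value: the browser frames the page.
  return true;
}

// The article's check, automated: could an unrelated origin embed this site?
// (attacker.example is a constructed stand-in for any third-party page.)
function frameableCrossSite(headers, pageOrigin) {
  return canBeFramed(headers, 'https://attacker.example', pageOrigin);
}

// Headers for every HTML response of a site that must never be framed. Both are
// sent: frame-ancestors is the modern control, X-Frame-Options covers browsers
// that do not implement it.
const PROTECTIVE_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

// SameSite value of a Set-Cookie line in lower case, or null when absent.
function sameSiteValue(setCookie) {
  const m = /;\s*samesite=([a-z]+)/i.exec(setCookie);
  return m ? m[1].toLowerCase() : null;
}

// A request made by a cross-site frame carries the cookie only when SameSite is
// None or absent (treat absence as unsafe; not every browser defaults to Lax).
// Both Strict and Lax withhold the cookie from such a request.
function cookieSentToCrossSiteFrame(setCookie) {
  const v = sameSiteValue(setCookie);
  return v !== 'strict' && v !== 'lax';
}

// Usage: a constructed unprotected response beside the hardened header pair.
const unprotected = { 'Content-Type': 'text/html' };
console.log('no headers :', frameableCrossSite(unprotected, 'https://shop.example'));
console.log('protected  :', frameableCrossSite(PROTECTIVE_HEADERS, 'https://shop.example'));
console.log('cookie sent:', cookieSentToCrossSiteFrame('sid=abc; Path=/; Secure; HttpOnly; SameSite=Strict'));
```

Run it with node; to test a real page, fetch its headers (for example with curl -I) and pass them to frameableCrossSite together with the page’s origin. If it returns true, nothing in the response stops a third-party page from framing yours.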

Summing up the results

As you can see, clickjacking attacks are easy for attackers to carry out and let them hijack any action on your site. To reduce the risk of such attacks, check your website and apply the protection tips above.