What is Clickjacking?
Clickjacking (also called a User Interface redress attack, UI redress attack or UI redressing) is a malicious technique for tricking a web user into clicking on something different from what the user perceives they are clicking on, potentially revealing confidential information or handing control of their computer to the attacker while they interact with seemingly innocuous web pages.
A clickjacking attack lets the attacker perform an action on a victim website on the user's behalf; Facebook and Twitter accounts are the most common targets.
It occurs when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. The attacker is thus "hijacking" clicks meant for their own page and routing them to another page, most likely owned by another application, another domain, or both. It is similar in effect to a CSRF (Cross-Site Request Forgery) attack.
The term clickjacking was first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.
Examples:
- Tricking users into enabling their webcam and microphone through Flash (though this has been fixed since it was originally reported).
- Tricking users into making their social networking profile information public.
- Downloading and running malware (malicious software) that allows a remote attacker to take control of the victim's computer.
- Making users follow someone on Twitter.
- Sharing or liking links on Facebook.
- Getting likes on a Facebook fan page or on Google+.
How to prevent it?
Client side
- NoScript: an add-on for Mozilla Firefox that can protect against clickjacking.
- GuardedID: a commercial product designed to prevent clickjacking. It can be used with Internet Explorer and Firefox.
- Gazelle: a Microsoft Research secure web browser project based on IE that uses an OS-like security model and has its own limited defenses against clickjacking.
Server side
- X-Frame-Options: introduced in 2009 in Internet Explorer 8, the X-Frame-Options HTTP header offers partial protection against clickjacking and was adopted shortly afterwards by other browsers.
- Framekiller: a JavaScript snippet that a site can include in its pages to prevent them from being framed by another site.
References: https://en.wikipedia.org/wiki/Clickjacking