What is ClickJacking? Demo How Users can be Affected Similarities with another Attack How to protect Web Application How to Identify Exploitable Web Application How to test Applications Previous ClickJacking Attacks Summary
Discovered in 2008-Robert Hansen, Jeremiah Grossman as a way to perform cross-domain attacks by ‘hijacking user- initiated mouse clicks to perform actions that the user did not intend. Attacker will choose a clickable region on a website that the user is currently authenticated on (e.g. a ‘Submit’ button that will perform a particular action). To perform the attack, a malicious website will load a page from the website inside an iFrame made fully transparent and layered on top of another element on the site.
Previously Stated: ClickJacking is one of the more under rated attacks facing modern Web applications. This is one reason it doesn’t find a mention in the OWASP Top 10 list so far but it is predicted to feature in the next version.
A web page can embed another web page via iframe <iframe src="http://bing.com"></iframe>CSS opacity attribute: 1 = visible, 0 = invisible
Putting an evil invisible link on top of a legit visible link,
Users can be tricked into clicking on obscured user interface elements of an application and in so doing initiate actions against their will, Such as; Adding an attacker to a victim’s social graph Promoting the attacker’s content on a social network Sending a payment to the attacker Compromising the user’s session to impersonate the victim user on the application Tricking the user into submitting sensitive credential information Performing a privileged action on behalf of the user (Create or Delete accounts, etc..)
Both want to trick the victim into requesting something that the attacker wants. But ClickJacking allows them to CSRF a page that actually requires a manual click. ClickJacking allows an attacker to bypass CSRF protections put in place by a website. The user is tricked into submitting a form directly from the website itself, so there is no need for the attacker to know hidden or secret values in the form, such as CSRF tokens.
X-Frame-OptionBrowser vendors are now implementing declarativemethods such as X-Frame-Options3, first introduced byMicrosoft in Internet Explorer 8.Web browsers that support this security feature willprevent a web page being displayed in an iFrame if theX-Frame-Options header is set by the page.
Add X-Frame-Options on HTTP Response header Allows an application to specify whether or not specific pages of the site can be framed. Option 1: DENY HttpServletResponse response …; response.addHeader(“X-FRAME-OPTIONS”, “DENY”); This option means the page can never be framed by any page, including a page with the same origin. Option 2: SAMEORIGIN HttpServletResponse response …; response.addHeader(“X-FRAME-OPTIONS”, “SAMEORIGIN”); This option means the page can be framed, but only by another page with the same origin Option 3: Allow-From HttpServletResponse response …; response.addHeader(“X-FRAME-OPTIONS”, “Allow-From https://some.othersite.com”); This option means the page can be framed, but only by the specified origin.
Important for Developers too add the X-Frame- Options Header Server Side as many users still use old browsers, leaving them at risk from ClickJacking. Namely IE6 and IE7 don’t know about this header.
OWASP ZAP’s 126.96.36.199 Active Scan Alerts the user to this issue if the X-Frame-Option header is missing . Also the Tester can capture the Response to verify Manually.
Twitter Exploit: Force twitter users to post a messageFacebook Exploit: Force users toAdvertising and Affiliate Networks Force users to click on ads for $$$ CYBER CRIME CASH $$$Adobe Flash Adjust the privacy settings to turn on the camera and microphone