Clickjacking is an attack where a user is tricked into clicking on obscured elements on a website. Attackers can embed a target site in an invisible iframe to trick users into performing actions like posting messages without their consent. Adding the X-Frame-Options header is an effective defense, but many older browsers and sites remain vulnerable. Clickjacking remains a risk because client-side defenses can be bypassed and many sites have not implemented the server-side X-Frame-Options header.

2.  What is ClickJacking?
 Demo
 How Users can be Affected
 Similarities with another Attack
 How to protect Web Application
 How to Identify Exploitable Web Application
 How to test Applications
 Previous ClickJacking Attacks
 Summary

3.  Discovered in 2008-Robert Hansen, Jeremiah Grossman as
a way to perform cross-domain attacks by ‘hijacking 'user-
initiated mouse clicks to perform actions that the user did
not intend.
 Attacker will choose a clickable region on a website that the
user is currently authenticated on (e.g. a ‘Submit’ button
that will perform a particular action).
 To perform the attack, a malicious website will load a page
from the website inside an iFrame made fully transparent
and layered on top of another element on the site.

4.  Previously Stated: ClickJacking is one of the
more under rated attacks facing modern Web
applications.
 This is one reason it doesn’t find a mention in the
OWASP Top 10 list so far but it is predicted to
feature in the next version.

5. A web page can embed another web page via iframe
<iframe src="http://bing.com"></iframe>
CSS opacity attribute: 1 = visible, 0 = invisible

6.  Putting an evil invisible link on top of a legit visible link,

7.  http://playground.nebulassolutions.com/framer.html
 http://playground.nebulassolutions.com/index.php?p
age=framing.php

8.  Opacity iFrame invisible

9.  Opacity set too 0

10.  Users can be tricked into clicking on obscured user
interface elements of an application and in so doing initiate
actions against their will,
Such as;
 Adding an attacker to a victim’s social graph
 Promoting the attacker’s content on a social network
 Sending a payment to the attacker
 Compromising the user’s session to impersonate the
victim user on the application
 Tricking the user into submitting sensitive credential
information
 Performing a privileged action on behalf of the user
(Create or Delete accounts, etc..)

17.  Both want to trick the victim into requesting something
that the attacker wants.
 But ClickJacking allows them to CSRF a page that actually
requires a manual click.
 ClickJacking allows an attacker to bypass CSRF protections
put in place by a website.
 The user is tricked into submitting a form directly
from the website itself, so there is no need for the
attacker to know hidden or secret values in the
form, such as CSRF tokens.

18. Frame Busting
 A page using this method will detect that is has been
framed by another web site, and attempt to load itself in
place of the site that is framing it (thus ‘busting out’ of the
frame).
Common Frame Busting Code
<script type="text/javascript">
if (top != self) { //condition
top.location = self.location; //counter
action }
</script>
 However, a malicious site may try to use the onunload and
onbeforeunload page events to prevent a framed site from
navigating to a different URL.
 Also JavaScript can be easily Disabled.

20. X-Frame-Option
Browser vendors are now implementing declarative
methods such as X-Frame-Options3, first introduced by
Microsoft in Internet Explorer 8.
Web browsers that support this security feature will
prevent a web page being displayed in an iFrame if the
X-Frame-Options header is set by the page.

21. Add X-Frame-Options on HTTP Response header
 Allows an application to specify whether or not
specific pages of the site can be framed.
 Option 1: DENY
HttpServletResponse response …;
response.addHeader(“X-FRAME-OPTIONS”, “DENY”);
 This option means the page can never be framed by any
page, including a page with the same origin.
 Option 2: SAMEORIGIN
HttpServletResponse response …;
response.addHeader(“X-FRAME-OPTIONS”, “SAMEORIGIN”);
 This option means the page can be framed, but only by another page
with the same origin
 Option 3: Allow-From
HttpServletResponse response …;
response.addHeader(“X-FRAME-OPTIONS”, “Allow-From https://some.othersite.com”);
 This option means the page can be framed, but only by the specified
origin.

22.  Important for Developers too add the X-Frame-
Options Header Server Side as many users still use
old browsers, leaving them at risk from ClickJacking.
 Namely IE6 and IE7 don’t know about this header.

23.  OWASP ZAP’s 1.4.0.1 Active Scan
Alerts the user to this issue if the
X-Frame-Option header is
missing .
 Also the Tester can capture the
Response to verify Manually.

24. Twitter
 Exploit: Force twitter users to post a message
Facebook
 Exploit: Force users to
Advertising and Affiliate Networks
 Force users to click on ads for $$$ CYBER CRIME CASH
$$$
Adobe Flash
 Adjust the privacy settings to turn on the camera and
microphone

25.  Attackers can trick victim browsers into clicking on things in victim
websites by putting that website in a transparent iframe.
 We harden our sites through adding a new Response Header ‘X-Frame-
Options’.
 Many users still use old browsers, leaving them at risk from
ClickJacking.
 Also any client side validation with JavaScript is easily
turned off.
The good news
 ClickJacking is simple to prevent.
The bad news
 The vulnerability is powerful and prevalent.
 Many web applications have ClickJacking vulnerabilities.