ClickJacking Attack - ties2/web-pentest GitHub Wiki

Clickjacking, also known as a UI redress attack, is a type of web-based attack that is designed to trick users into performing actions that they do not intend to perform. In a clickjacking attack, an attacker overlays a hidden or disguised element, such as a button or link, on top of a legitimate element on a target website. When the user clicks on the legitimate element, they are actually clicking on the hidden or disguised element, which may cause them to perform an unintended action.

Clickjacking attacks can be used for a variety of purposes, including stealing sensitive information, spreading malware, or manipulating user behavior. Some common examples of clickjacking attacks include:

Clickjacked "Like" buttons on social media sites: An attacker may create a hidden or disguised "Like" button on a social media site, such as Facebook or Twitter. When a user clicks on the button, they may unwittingly "like" a malicious link or post, which can then be shared with their friends and followers.

Phishing attacks: An attacker may create a fake login page for a legitimate website, such as a banking or email site. The fake page may be overlaid with a hidden or disguised element that captures the user's login credentials when they attempt to log in.

Malware distribution: An attacker may create a fake download button on a website that is overlaid with a hidden or disguised element that triggers the download of malware onto the user's computer.

Advertising fraud: An attacker may create a hidden or disguised element on a website that causes the user to click on an advertisement without realizing it, generating revenue for the attacker.

There are several different types of clickjacking attacks that an attacker may use, depending on the specific target and the desired outcome. Some common types of clickjacking attacks include:

UI redress attacks: This type of clickjacking attack involves overlaying a hidden or disguised element on top of a legitimate element on a website. For example, an attacker may create a fake "Submit" button that is overlaid on top of a legitimate button on a form. When the user clicks on the fake button, they are actually submitting the form data to the attacker's server.

Cursorjacking attacks: This type of clickjacking attack involves manipulating the user's cursor to click on hidden or disguised elements on a web page. For example, an attacker may create a fake button that follows the user's cursor as they move it around the screen. When the user clicks on the button, they are actually clicking on a hidden element on the page.

Tapjacking attacks: This type of clickjacking attack targets mobile devices, such as smartphones or tablets, by tricking the user into tapping on a hidden or disguised element on a touchscreen. For example, an attacker may create a fake button that is overlaid on top of a legitimate button in a mobile app. When the user taps on the fake button, they are actually tapping on the legitimate button, and the attacker is able to capture their login credentials.

To protect against clickjacking attacks, web developers can use a variety of techniques, including:

Using the X-Frame-Options header to prevent their web pages from being embedded in iframes on other sites. This can prevent attackers from overlaying hidden or disguised elements on top of the page.

Implementing a frame-busting script to prevent their web pages from being framed on other sites. This can prevent attackers from embedding their page in a frame and overlaying hidden or disguised elements on top of it.

Using the Content Security Policy (CSP) to limit the types of content that can be embedded on their web pages. This can prevent attackers from embedding malicious content, such as iframes or scripts, on the page.

Here is a cheat sheet on clickjacking attacks:

What is Clickjacking?

Clickjacking is a type of web-based attack that tricks users into clicking on a hidden or disguised element on a website.

Common Examples of Clickjacking Attacks:

  • Clickjacked "Like" buttons on social media sites
  • Phishing attacks
  • Malware distribution
  • Advertising fraud

Types of Clickjacking Attacks:

  • UI redress attacks
  • Cursorjacking attacks
  • Tapjacking attacks

Preventing Clickjacking Attacks:

Use the X-Frame-Options header to prevent web pages from being embedded in an iframe and restrict clickjacking attacks:

  • Using the X-Frame-Options header
  • Implementing a frame-busting script
  • Using the Content Security Policy (CSP)
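The first and third mitigations above (X-Frame-Options and CSP) can be audited from a page's response headers before anyone tries to frame it. The following is an added example, not code from the ties2/web-pentest wiki: it applies the browser rule that a CSP frame-ancestors directive overrides X-Frame-Options and that a page with neither header is frameable. The header sets, the origins (attacker.example, bank.example, partner.example) and the `audit` helper are constructed for illustration.

```python
# Added example (not the wiki's code): decide from headers whether a page is frameable; CSP frame-ancestors overrides X-Frame-Options.
from urllib.parse import urlsplit

def _source_matches(src, origin):
    """Match one CSP host source (optional scheme, port or *. wildcard) to an origin."""
    o = urlsplit(origin)
    if src == "*":
        return True
    if "://" not in src:   # host-only source: compared under the framing origin's scheme (simplified)
        src = o.scheme + "://" + src
    s = urlsplit(src)
    if s.scheme != o.scheme or not s.hostname or s.port not in (None, o.port):   # explicit port must match
        return False
    if s.hostname.startswith("*."):   # *.example.com matches any subdomain
        return o.hostname.endswith(s.hostname[1:])
    return s.hostname == o.hostname

def frameable_by(headers, framing_origin, page_origin):
    """True if a page served with ``headers`` can be embedded by ``framing_origin``."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if not sources or "'none'" in sources:
                return False
            return any(framing_origin == page_origin if src == "'self'"
                       else _source_matches(src, framing_origin) for src in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framing_origin == page_origin
    return True   # header missing, obsolete ALLOW-FROM, or malformed: browsers frame the page

# Constructed header sets for four hypothetical deployments of the same page.
SAMPLES = {
    "no-protection": {"Content-Type": "text/html"},
    "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-wins": {"X-Frame-Options": "DENY",   # CSP below still permits same-origin framing
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors https://*.partner.example"},
}

def audit(samples, attacker="https://attacker.example", site="https://bank.example"):
    """Map each sample name to True when an unrelated attacker origin could frame the page."""
    return {name: frameable_by(hdrs, attacker, site) for name, hdrs in samples.items()}
if __name__ == "__main__":
    for name, exposed in audit(SAMPLES).items():
        print(f"{name:14} {'VULNERABLE' if exposed else 'protected'}")
```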