Identification of Clickjacking

Clickjacking, also known as a "UI redress attack," is a malicious technique where an attacker tricks a user into clicking on something different than what the user perceives, essentially hijacking the clicks of the user. This can result in unauthorized actions being performed on behalf of the user. Identifying clickjacking vulnerabilities involves understanding how an application responds to being embedded in a frame or iframe. Here's how a penetration tester might identify clickjacking vulnerabilities:

Steps for Identification

  1. Check for Frame Busting Code: Inspect the application for frame busting scripts. These scripts prevent the website from being rendered within a frame or iframe. Lack of such scripts or headers can indicate a vulnerability.
  2. Examine X-Frame-Options Header: The HTTP response headers should be inspected to check for the X-Frame-Options header. This header can prevent the page from being displayed in a frame, iframe, or object. If this header is missing or misconfigured, the application may be vulnerable to clickjacking.
  3. Content-Security-Policy (CSP) Evaluation: Check if the Content-Security-Policy header is set to disallow framing. CSP can be used to ensure that your webpage only gets embedded where you allow it.
  4. Manual Testing: Create a malicious HTML page that frames the target application. If you can interact with the application through the frame, it may be vulnerable to clickjacking.

<!DOCTYPE html> <html> <head> <title>Clickjacking Test Page</title> <style> iframe { width: 500px; height: 500px; opacity: 0.7; position: absolute; top: 50px; left: 50px; } </style> </head> <body> <h1>This is a clickjacking test page</h1> <p>If you can see the target website below and interact with it, then the site may be vulnerable to clickjacking.</p> <iframe src="http://example.com" title="Test iframe"></iframe> </body> </html>

  1. Automated Scanning Tools: Use automated tools that can scan for the absence of anti-clickjacking measures like X-Frame-Options or relevant CSP settings.

Examples of Clickjacking Attacks

  1. Likejacking: Embedding a social media "like" button invisibly on a malicious webpage. When users click what they think is a legitimate button, they inadvertently "like" something on the embedded social media platform.
  2. Credential Harvesting: Overlaying a login form on a webpage in a transparent frame, tricking users into entering their credentials.
  3. Transaction Interception: Tricking users into making transactions or changing settings on their accounts without their knowledge.

Implications of Clickjacking

  • Unauthorized Actions: Users can be tricked into performing actions they didn't intend to, such as posting on social media, making purchases, or changing account settings.
  • Data Theft: Clickjacking can be used to steal sensitive information by overlaying input fields on top of seemingly benign web pages.

Mitigation Strategies

  • Use X-Frame-Options Header: Implement the X-Frame-Options header with values like DENY or SAMEORIGIN to control if a browser should allow your page to be framed.
  • Implement Content Security Policy: Use CSP to specify which domains can embed your pages in frames.
  • Regular Testing: Regularly test your applications for clickjacking vulnerabilities, especially after updates or new feature releases.
  • Client-Side Protections: While client-side protections can be bypassed, they can still provide an additional layer of security. This includes using JavaScript to prevent framing or to ensure that the page is the topmost window.

Identifying and mitigating clickjacking vulnerabilities is essential for protecting users from deceptive techniques that could compromise their security and privacy while interacting with web applications.