Clickjacking

What is Clickjacking

Clickjacking is a type of malicious technique used by attackers to trick users into clicking on something they didn't intend to click on. It involves overlaying or hiding a malicious element on top of a legitimate website or web page. When the user interacts with the visible content, they unknowingly trigger an action on the hidden element, which can have unintended and harmful consequences.

Here is how clickjacking works:

  • The attacker creates a webpage or finds a vulnerable website that can be used for clickjacking.

  • The attacker then loads the target page in a transparent or nearly transparent layer positioned over a decoy page, so that the target is invisible or barely noticeable to the user.

  • The attacker entices the user to visit the compromised webpage or the vulnerable website, often through social engineering or misleading links.

  • When the user interacts with the visible content on the webpage, such as clicking a button, they are actually interacting with the hidden element underneath.

  • The hidden element could be anything: a malicious link, a hidden advertisement, a social media action (such as a "like" or "follow" button), or a control that executes unintended commands on the user's behalf.

  • Since the user is unaware of the hidden element, they unknowingly perform actions they didn't intend to, potentially leading to various security risks or unauthorized activities.

Clickjacking attacks can be used for several malicious purposes, including stealing sensitive information, hijacking social media accounts, spreading malware, or even performing financial transactions without the user's consent.

Clickjacking PoC

<!DOCTYPE html>
<html>
<head>
<title>Clickjacking PoC</title>
</head>
<body>
<!-- Replace TARGET with the page under test. The frame is rendered
     semi-transparent so the screen capture shows the application being framed. -->
<iframe src="http://TARGET/" width="100%" height="100%" style="opacity: 0.5;"></iframe>
</body>
</html>

How to report it

Note: this is an example of how to report the finding. The CVSS score is given as a reference only; always consider your customer's context when calculating it.

## CVSS

cvss_vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

## Description

An *iFrame* is an HTML element that allows documents, videos and interactive media to be embedded in a page. By using it, a secondary Web page can be displayed inside the main page.
The *iFrame* element allows content from other sources to be included anywhere on the page, without having to integrate it into the structure of the Web layout like a traditional element.
However, *iFrames* must be used securely: a page that can be framed by any origin can be overlaid with a decoy and used for clickjacking.

## Affected elements

PUT THE AFFECTED ELEMENT(S) HERE

## Evidence

- HTML Code of the PoC
PUT THE HTML POC HERE

- Screen capture of the Application in an Iframe
PUT YOUR SCREEN HERE

## Remediation

There are two main ways to prevent clickjacking:

1. Send the correct *Content Security Policy* (CSP) *frame-ancestors* response header, which tells the browser not to allow framing from other domains. This directive replaces the older HTTP *X-Frame-Options* header; the latter is still worth sending alongside it as a fallback for browsers that do not support *frame-ancestors*.
2. Use defensive code in the user interface (frame busting) to ensure that the current *frame* is the top-level window. This is a secondary measure, since such scripts can be bypassed in some browsers, and should not replace the response headers.
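
As an added example (not part of the original page), a small JavaScript helper for checking the evidence behind this finding from the defender's side: it parses a response's `Content-Security-Policy` *frame-ancestors* directive and `X-Frame-Options` header and reports whether a given origin could frame the page, and returns the header pair that remediation option 1 calls for. The origins and hostnames are constructed, and the source matching is a simplification of the CSP specification.

```javascript
// Extract the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null; // no frame-ancestors directive: this CSP does not restrict framing
}

// Simplified CSP source matching: 'none', 'self', '*', scheme-only, and
// [scheme://][*.]host[:port] sources. framerOrigin/selfOrigin are origin strings.
function sourceMatches(source, framerOrigin, selfOrigin) {
  const s = source.replace(/^'|'$/g, '');
  if (s === 'none') return false;
  if (s === 'self') return framerOrigin === selfOrigin;
  if (s === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s; // e.g. "https:"
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+))?$/);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && framer.protocol !== scheme + ':') return false;
  const framerPort = framer.port || (framer.protocol === 'https:' ? '443' : '80');
  if (port && framerPort !== port) return false;
  return wild ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
}

// Decide whether a page served with `headers` could be framed by framerOrigin.
// Mirrors modern browser behaviour: frame-ancestors wins over X-Frame-Options
// when both are present, and the obsolete ALLOW-FROM value is ignored.
function canFrame(headers, framerOrigin, selfOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // names are case-insensitive
  const sources = frameAncestors(h['content-security-policy']);
  if (sources !== null) return sources.some((s) => sourceMatches(s, framerOrigin, selfOrigin));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === selfOrigin;
  return true; // no usable anti-framing header: the page is framable
}

// Header pair to send for remediation option 1 (CSP plus legacy fallback).
function antiFramingHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
}
```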

## Reference

- [OWASP - Clickjacking defense](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)
