SecurityTrails Blog · Jan 28 · by Esteban Borges

What Are Clickjacking Attacks and How Can You Prevent Them?


The ever-increasing use of web applications on mobile devices, the installing and launching of malicious apps, GPS location leaks and financial fraud have made clickjacking attacks far more dangerous than previously understood. Weak device security has also made clickjacking a vector for targeted attacks on our personal lives.

Clickjacking attacks trick website visitors into clicking where they don’t intend to, usually by embedding iframes and other elements disguised as parts of the original web page. The dangers of this form of deception are frequently overlooked, but, like any other type of attack, it can cause damage in a variety of ways.

In this article, we’ll explore what clickjacking attacks are, get familiar with examples, and share how to prevent them.

What are clickjacking attacks?

Clickjacking attacks can be convincing, persuading end users to click on elements such as ads and other malicious links. These malicious links often perform actions on other websites, which can cause further harm such as leaking personal information to the website, downloading viruses, or installing malware.

The main goal of clickjacking attacks is primarily to confuse or trick the website user (sometimes in the manner of phishing domains) into clicking on the wrong place. This includes buttons which are injected into the website code and ads disguised to look legitimate, or at least similar to the buttons seen on the actual website.

For example, an advertisement on a website may display a checkout or download button which looks very similar to the actual buttons found on the website being accessed. However, clicking on this ad instead of the actual button would redirect a user from the legitimate website to a malicious one.

Clickjacking attack examples

Clickjacking attacks are further classified into different types, depending on the end-action they trick the user into performing. Let’s look at some of those more commonly seen:

Like/Share clickjacking

Along with the rise of social networks, the number of like and share clickjacking attacks has increased. These attacks trick the user into clicking on an action which in turn ends up “liking” or “sharing” elements posted on social media, such as photos, links, etc.

For example, the user may intend to download a file from a website, but the download link may be crafted in such a way that it ends up giving a “like” or “share” to another element present on social media platforms.

This type of attack can be quite dangerous. Users often click on links shared by friends, and if the link or image unknowingly shared or liked by the user contains malicious data, clicking on it will spread the attack or cause further damage, as the link can contain malware or other dangerous content.

Cookie jacking

Cookie jacking attacks have been seen quite often on the internet. These attacks insert cookies into the user’s browser, which are then activated or recognized as soon as the user visits a website to which one of the malicious cookies belongs.

For example, inserted cookies can be used to perform actions on websites you visit. They can automatically log you in and even perform financial transactions.

Cursor jacking

Cursor jacking attacks involve taking control over the user’s cursor and making them click on an element other than the one they wish to click on. This involves changing the path the cursor takes, adjusting the speed of the cursor movement from slow to fast to slow, making it inconvenient for the user to move.

Once the incorrect element has been clicked on, it can end up performing any other type of attack, such as like/share jacking, cookie jacking, file jacking and the like.

Transparent overlays

Transparent overlays are another vector used for clickjacking attacks, wherein a transparent overlay of a legitimate website is superimposed on top of a malicious page. The user is easily tricked into clicking on the page because it appears legitimate. Once clicked, however, the click is passed through to the malicious page sitting underneath the visible one.

Scroll-related attacks

Often with scroll-related attacks, the buttons displayed to the user are quickly replaced whenever the user scrolls up or down. The user may even see a certain button when they visit the website for the first time, but the moment they scroll up or down, the button displayed is silently replaced with another. And if the user doesn’t notice this, they can easily be tricked into clicking on the replacement button.

For example, a replacement button may change “cancel order” to “confirm order”, resulting in the completely opposite effect of the user’s intention.

Password manager attacks

With the rise in popularity of password managers, yet another new type of attack has emerged.

Password manager attacks trick the user’s password manager into inputting passwords of other websites, which are then read by code running on the malicious website and stolen.

For example, this type of attack can trick your password manager into inserting your bank account password into a fraudulent website.

The good news is that most popular password managers do not fall for this type of attack. Using a reputable and up-to-date password manager is critical to steer clear of this danger.

How can you prevent clickjacking attacks?

Using ad/content blockers

From a client’s or customer’s point of view, one of the more effective ways to protect yourself when visiting other websites is by using an adblocker or content blocker.

Modern ad blockers and content blockers use frequently updated block lists of malicious content such as JavaScript libraries and other URLs, which are matched against page requests and blocked from loading in your browser. This prevents most clickjacking-related attacks from occurring on your side.

Scanning for vulnerabilities

If you run your own web application, it’s vital to protect your web application from being compromised in the service of clickjacking attacks.

At times, compromised WordPress social media plugins are used for like or share jacking-related attacks which end up redirecting likes and shares meant for blog articles to other malicious content.

This is why scanning your applications with an offline or online vulnerability scanner is always a good practice for protecting your web application.

Frame bursting

In the early days of clickjacking attacks, web developers used JavaScript-based solutions to prevent them. For example, a script compared top.location with the page’s own location to check whether the page being rendered was the top-level (main) document. If it wasn’t, the page’s own URL was assigned to top.location, breaking the page out of the frame.

The catch with this solution is that it is based on JavaScript running on the client side, which can be intercepted or prevented from executing (for example, an iframe’s sandbox attribute can disable scripts in the framed page). Consequently, it wasn’t very effective as a solution for preventing clickjacking attacks.
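The frame-busting check described above, as an added example that is not code from the SecurityTrails post. The decision is split into a pure function so it can be exercised outside a browser; the function names (framingDecision, applyFrameBusting) and the fake window objects are my own constructions. It assumes the page’s own stylesheet hides the document (html { display: none }) until the script reveals it, which is what makes a sandboxed, script-less frame show nothing rather than a clickable page.

```javascript
// Added example (not from the SecurityTrails post): the legacy JavaScript
// frame-busting defense. Names here are my own; the page is assumed to ship
// a stylesheet rule "html { display: none }" so nothing is clickable until
// the script decides the page is not framed.

// Pure decision: "show" when this window IS the top-level window,
// "bust" when some other document has framed it.
function framingDecision(topWindow, selfWindow) {
  return topWindow === selfWindow ? "show" : "bust";
}

// Apply the decision to a (real or fake) window object.
// - show: reveal the hidden document.
// - bust: navigate the top-level window to this page's own URL, which is
//   permitted even across origins and so pops the page out of the frame.
// Caveat from the article: an <iframe sandbox> without allow-scripts never
// runs this code, and one without allow-top-navigation blocks the redirect,
// which is why header-based defenses (X-Frame-Options, CSP) are preferred.
function applyFrameBusting(win) {
  const decision = framingDecision(win.top, win.self);
  if (decision === "show") {
    win.document.documentElement.style.display = "block";
  } else {
    win.top.location = win.self.location;
  }
  return decision;
}

// In a browser, run immediately; under Node (no window) do nothing.
if (typeof window !== "undefined") {
  applyFrameBusting(window);
}
```

Under Node you can drive applyFrameBusting with a constructed object whose top and self differ and observe that top.location is rewritten, which is the only effect the defense has.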

X-Frame-Options

Once clickjacking attacks became more prominent, it became vital to use better solutions than frame busting. The most secure and recommended solution is hardening HTTP response headers, and one of the best practices in this area is the use of X-Frame-Options.

X-Frame-Options is an HTTP response header used to specify whether a page may be embedded in a <frame>, <iframe>, <embed> or <object> element. It is a standard header supported by almost all modern browsers, making it an excellent option for protecting your web page from clickjacking attacks.

For example, the most secure solution to use is the deny option, which denies any possibility of including the webpage in an iframe, frame, embed or object:

X-Frame-Options: deny

Next, if the web application developer needs iframes to be embedded while still retaining some security, the sameorigin option can be used. This allows embedding of frames from the same origin only:

X-Frame-Options: sameorigin

Last but not least, an option called allow-from exists which allows inclusion of frames from a certain URL only. This in turn allows embeds to work while retaining some security by only allowing a defined website. Note that allow-from was only ever implemented by some browsers and is now obsolete: current browsers ignore an X-Frame-Options header carrying it, so to allow a specific site you should use the Content-Security-Policy frame-ancestors directive described below instead.

X-Frame-Options: allow-from http://example.com

Using a combination of X-Frame-Options and Frame bursting provides a good solution to prevent clickjacking attacks on old as well as modern browsers.

Content-Security-Policy

Similar to X-Frame-Options, the Content-Security-Policy header carries a set of directives that help you harden your web application. The frame-ancestors directive restricts which documents may embed the page; setting it to 'self' (similar to sameorigin) allows embedding only from the same website:

Content-Security-Policy: frame-ancestors 'self';

Next, we have an option to define certain websites which we wish to embed. Only the defined sites will be allowed and anything else will be rejected or denied from embedding.

Content-Security-Policy: frame-ancestors www.example.com www.example2.com;

This can be used effectively to protect your web application from unknown embeds rendering on unknown websites as well as to further reduce the attack surface for clickjacking attacks.

Summary

Clickjacking attacks are rampant and almost everywhere on the internet, from advertisements which look like legitimate options on websites, to embedded pages via iframes, to cursor hijacking.

While securing web applications from clickjacking attacks is possible with the use of X-Frame-Options and Content-Security-Policy, both of these security policies remain opt-in rather than opt-out. This makes it difficult for the entire internet to stay secure until every single website has these policies set up in its HTTP headers to prevent clickjacking attacks occurring via embeds and iframes.

Similarly, with the increase of web application usage via mobile devices, it becomes all the more important to stay vigilant when browsing new and unknown web applications, as clickjacking attacks can further escalate to location leaks and other personal data leaks. This is especially true on mobile devices, where such leaks can have severe consequences, as older mobile operating systems do not have proper permission management for access to device cameras, microphones, GPS location, and the like.

Beyond the security headers available with X-Frame-Options and Content-Security-Policy, the basic premise of clickjacking attacks is to trick users into performing an action they don’t intend to perform. The use of JavaScript and other client-side scripts to swap elements, move buttons around, and present forms to trick users will always be difficult to detect automatically and prevent from causing harm.

Staying vigilant when accessing new and unknown websites remains the best solution for staying safe from clickjacking attacks.

Esteban Borges

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.