13 Feb, 2023

Clickjacking

Vulnerability Assessment as a Service (VAaaS)

Tests systems and applications for vulnerabilities to address weaknesses.

Clickjacking, also known as UI redress attack, is a type of malicious technique used by attackers to trick users into clicking on a button or link on a web page, which will then perform an unintended action, such as downloading malware, revealing sensitive information, or making a purchase. The attack works by placing an invisible layer over a legitimate button or link and tricking the user into clicking on a different button or link that appears to be harmless.

Here’s how it works:

• The attacker creates a malicious web page that contains an iframe, which is an HTML element that allows a web page to be embedded within another web page.
• The attacker then loads a legitimate web page inside the iframe, such as a bank login page, a social media profile, or an e-commerce site.
• The attacker places an invisible layer over the legitimate page, which will intercept the user’s clicks and redirect them to a different button or link. This layer is often made transparent or positioned off-screen, making it invisible to the user.
• When the user clicks on a button or link, they believe they are interacting with the legitimate page, but in reality, they are performing an action controlled by the attacker.

Example of vulnerable code on different programming languages:

HTML and JavaScript:

				
					<button id="secretButton">Click Me</button>
<script>
  document.getElementById("secretButton").addEventListener("click", function() {
    alert("You just clicked the secret button!");
  });
</script>

				
			

In this example, the attacker can create a malicious web page that contains an iframe with the above code. The attacker can then place an invisible layer over the “Click Me” button and trick the user into clicking on a different button or link that appears to be harmless. When the user clicks on the button, they will see a message that says “You just clicked the secret button!”, but in reality, the attacker is controlling the action.

PHP:

				
					<button id="secretButton">Click Me</button>
<script>
  <?php
    if(isset($_POST["secretButton"])) {
      echo "You just clicked the secret button!";
    }
  ?>
</script>

				
			

In this example, the attacker can create a malicious web page that contains an iframe with the above code. The attacker can then place an invisible layer over the “Click Me” button and trick the user into clicking on a different button or link that appears to be harmless. When the user clicks on the button, the PHP code will check if the “secretButton” POST parameter is set, and if so, will display a message that says “You just clicked the secret button!”. The attacker can use this to perform an unintended action, such as sending a POST request to a malicious URL.

Ruby on Rails:

				
					<button id="secretButton">Click Me</button>
<script>
  <% if params[:secretButton] %>
    <%= "You just clicked the secret button!" %>
  <% end %>
</script>

				
			

In this example, the attacker can create a malicious web page that contains an iframe with the above code. The attacker can then place an invisible layer over the “Click Me” button and trick the user into clicking on a different button or link that appears to be harmless. When the user clicks on the button, the Ruby on Rails code will check if the “secretButton” parameter is present in the request parameters, and if so, will display a message that says “You just clicked the secret button!”. The attacker can use this to perform an unintended action, such as sending a GET request to a malicious URL.

ASP.NET:

				
					<button id="secretButton">Click Me</button>
<script>
  <% if Request.Form["secretButton"] != null %>
    <%= "You just clicked the secret button!" %>
  <% end %>
</script>

				
			

In this example, the attacker can create a malicious web page that contains an iframe with the above code. The attacker can then place an invisible layer over the “Click Me” button and trick the user into clicking on a different button or link that appears to be harmless. When the user clicks on the button, the ASP.NET code will check if the “secretButton” form field is present in the request, and if so, will display a message that says “You just clicked the secret button!”. The attacker can use this to perform an unintended action, such as sending a POST request to a malicious URL.

Examples of Clickjacking

Here are some examples of clickjacking attacks:

  • Likejacking: An attacker creates a malicious website that looks like a legitimate website and asks the user to “Like” a page on Facebook. When the user clicks the “Like” button, they are actually liking the attacker’s page instead.

  • Playjacking: An attacker creates a malicious website that looks like a video player and asks the user to click the “Play” button. When the user clicks the button, they are actually clicking a hidden button that performs an unintended action, such as downloading malware or sending spam messages.

  • Tweetjacking: An attacker creates a malicious website that looks like a tweet and asks the user to “Retweet” the message. When the user clicks the “Retweet” button, they are actually retweeting a malicious message that spreads spam or phishing links.

  • Downloadjacking: An attacker creates a malicious website that looks like a download page and asks the user to click the “Download” button. When the user clicks the button, they are actually downloading malware or a malicious file instead of the intended file.

  • Adjacking: An attacker creates a malicious website that looks like an advertisement and asks the user to click the “Click here” button. When the user clicks the button, they are actually clicking a hidden button that redirects them to a phishing website or downloads malware.

These are just a few examples of how clickjacking can be used in attacks. The key takeaway is that attackers often try to trick users into clicking on buttons or links that appear to be harmless but actually perform an unintended action. It’s important to be cautious when clicking on links or buttons on unfamiliar or suspicious websites.

Privilege escalation techniques for Clickjacking

Clickjacking is a type of security vulnerability in which an attacker tricks a user into clicking on a hidden element or iframe on a webpage. Privilege escalation in the context of clickjacking refers to the attacker exploiting a user’s trust in a website to gain access to sensitive information or execute actions with higher privileges. Here are some common techniques used for privilege escalation in clickjacking attacks:

  1. Social engineering: The attacker tricks the user into providing sensitive information or performing actions that grant the attacker higher privileges. This can be done through convincing the user to enter their credentials on a fake login page or to grant access to their camera or microphone.

  2. Cross-Site Request Forgery (CSRF): The attacker crafts a hidden iframe on a webpage that makes a request to a vulnerable application on behalf of the user. This request can execute actions with the user’s privileges, such as changing passwords or transferring funds.

  3. Cross-Site Scripting (XSS): The attacker injects malicious code into a vulnerable application, allowing the attacker to execute arbitrary code in the context of the user’s session. This can lead to privilege escalation if the user has higher privileges in the application.

  4. Clickjacking with malvertising: The attacker uses malicious advertisements to trick users into clicking on hidden elements. This can lead to the installation of malware or redirecting the user to a phishing page.

General methodology and checklist for Clickjacking

The general methodology for preventing clickjacking attacks involves a combination of technical and non-technical controls. Here is a checklist for protecting against clickjacking:

  1. Implement the X-Frame-Options header: The X-Frame-Options header is used to prevent a webpage from being loaded in an iframe. The header can be set to ‘DENY’, ‘SAMEORIGIN’, or ‘ALLOW-FROM’.

  2. Use CSP (Content Security Policy): CSP is a security feature that helps prevent cross-site scripting and other code injection attacks. It can also be used to prevent a webpage from being loaded in an iframe.

  3. Implement frame-busting code: Frame-busting code is a JavaScript function that can be used to detect if a page is being loaded in an iframe and prevent it from being displayed.

  4. Avoid using vulnerable plugins: Some plugins, such as Flash, can be vulnerable to clickjacking attacks. It’s best to avoid using them if possible, or make sure they’re up to date and secure.

  5. Educate users: Regularly educate users on how to identify and avoid clickjacking attacks. Emphasize the importance of only clicking on trusted links and not providing sensitive information to suspicious or unknown websites.

  6. Regularly test and monitor: Regularly test and monitor web applications for vulnerabilities, including clickjacking. Use tools such as web vulnerability scanners to identify potential issues.

  7. Keep software up to date: Make sure to keep all software and web browsers up to date, as security patches are often released to fix known vulnerabilities.

By following this checklist, organizations can reduce the risk of clickjacking attacks and protect their users from these types of security threats.

Tools set for exploiting Clickjacking

Manual Tools:

  1. Burp Suite: A popular web application security testing tool that can be used to test for clickjacking vulnerabilities.

  2. OWASP ZAP: The OWASP Zed Attack Proxy (ZAP) is an open-source security tool that can be used to test for clickjacking vulnerabilities.

  3. Google Chrome DevTools: The DevTools in Google Chrome can be used to test for clickjacking vulnerabilities by manually constructing and testing different iframes.

  4. Mozilla Firefox Developer Tools: The Developer Tools in Mozilla Firefox can be used in a similar manner to Google Chrome DevTools for testing for clickjacking vulnerabilities.

  5. Tamper Data: A browser extension for Mozilla Firefox that can be used to tamper with HTTP requests and responses, which can be useful for testing for clickjacking vulnerabilities.

  6. HTTP Debugger Pro: A commercial tool for Windows that can be used to test for clickjacking vulnerabilities by capturing and analyzing HTTP traffic.

  7. Fiddler: A free web debugging proxy tool that can be used to test for clickjacking vulnerabilities by capturing and analyzing HTTP traffic.

  8. Postman: A tool for testing APIs that can be used to test for clickjacking vulnerabilities in RESTful APIs.

  9. Charles: A commercial web debugging proxy tool that can be used to test for clickjacking vulnerabilities by capturing and analyzing HTTP traffic.

  10. Wireshark: A free and open-source network protocol analyzer that can be used to test for clickjacking vulnerabilities by capturing and analyzing network traffic.

Automatic Tools:

  1. Acunetix: A commercial web vulnerability scanner that can be used to automatically test for clickjacking vulnerabilities.

  2. Nessus: A commercial vulnerability scanner that can be used to automatically test for clickjacking vulnerabilities.

  3. Qualys: A cloud-based vulnerability scanner that can be used to automatically test for clickjacking vulnerabilities.

  4. OpenVAS: An open-source vulnerability scanner that can be used to automatically test for clickjacking vulnerabilities.

  5. AppScan: A commercial application security testing tool that can be used to automatically test for clickjacking vulnerabilities.

  6. WebInspect: A commercial web application security testing tool that can be used to automatically test for clickjacking vulnerabilities.

  7. Arachni: An open-source web application security scanner that can be used to automatically test for clickjacking vulnerabilities.

  8. Microsoft Threat Detection: A cloud-based security service that can be used to automatically test for clickjacking vulnerabilities.

  9. SANS penetration testing methodology: A methodology for performing penetration testing that includes guidelines for testing for clickjacking vulnerabilities.

  10. OWASP Top 10: The OWASP Top 10 is a list of the ten most critical web application security risks, and it includes guidelines for testing for clickjacking vulnerabilities.

Note: These tools can be used to find vulnerabilities in web applications, but exploiting those vulnerabilities may be illegal and unethical. It is important to only use these tools in accordance with relevant laws and with proper authorization from the target website’s owner.

Average CVSS score of Clickjacking

The CVSS (Common Vulnerability Scoring System) score for clickjacking attacks varies depending on the specific nature of the vulnerability and the impact it has on the targeted system. However, on average, clickjacking vulnerabilities have been assigned a CVSS score between 3.5 and 6.5, which is considered medium to high severity.

It’s important to note that CVSS scores are subject to change and can be adjusted as new information becomes available about a particular vulnerability. Additionally, different organizations and security professionals may have different interpretations of CVSS scores, and the scores assigned to a specific vulnerability can vary depending on the organization’s security policies and procedures.

Overall, clickjacking is considered a serious security threat, and organizations should take steps to protect their systems and users from these types of attacks. This may include implementing technical controls, such as the X-Frame-Options header, and educating users on safe online behavior.

The Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) is a system that provides a standardized way of describing software security weaknesses. Here is a list of the top 10 CWEs related to clickjacking:

CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)CWE-79: Cross-Site Scripting (XSS)
CWE-451: Improper Blacklisting
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-918: Server-Side Request Forgery (SSRF)
CWE-290: Authentication Bypass by Spoofing
CWE-22: Improper Limitation of a Pathname to a Restricted Directory
CWE-284: Improper Access Control
CWE-921: Improper Privilege Management
CWE-319: Cleartext Transmission of Sensitive Information

Clickjacking vulnerabilities exploits

There are several ways that clickjacking vulnerabilities can be exploited, including:

  • Hidden Iframes: An attacker can load a malicious website into an iframe that is positioned over a legitimate button or link, tricking the user into clicking on the malicious content.

  • Transparent Iframes: Similar to hidden iframes, an attacker can use a transparent iframe to trick the user into clicking on an unseen button or link.

  • Use of CSS: An attacker can use CSS to manipulate the display of a website, making buttons and links appear to be in different locations than they actually are.

  • Misleading Descriptions: An attacker can craft misleading descriptions for links, such as “Click Here for a Free Gift” that when clicked will redirect the user to a malicious website.

  • Clickjack Popping: An attacker can create a pop-up window that appears to be a part of a trusted website, tricking the user into entering sensitive information or clicking on a malicious link.

  • Mouse Tracking: An attacker can use mouse tracking techniques to record a user’s movements and clicks, allowing them to determine which buttons or links the user is clicking on.

Practicing in test for Clickjacking

  1. Set up a testing environment: Create a virtual machine or a testing environment where you can safely practice and experiment with clickjacking techniques.

  2. Familiarize yourself with the target application: Before testing for clickjacking vulnerabilities, it’s important to understand the target application’s functionality and behavior.

  3. Use a web proxy: Use a web proxy such as Burp Suite to intercept and modify traffic between the target application and the browser. This will allow you to manipulate requests and responses, making it easier to identify clickjacking vulnerabilities.

  4. Test for iframe-based attacks: Attempt to load the target application into an iframe and see if you can manipulate its behavior. Try using transparent and hidden iframes, and see if you can trick the user into clicking on a hidden link or button.

  5. Test for CSS-based attacks: Use CSS to manipulate the display of the target application, and see if you can trick the user into clicking on an unseen link or button.

  6. Test for pop-up window-based attacks: Try creating a pop-up window that appears to be a part of the target application, and see if you can trick the user into entering sensitive information or clicking on a malicious link.

  7. Document your findings: Make sure to document any clickjacking vulnerabilities you find during your testing, including the steps you took to reproduce the issue and any relevant screenshots or code snippets.

For study Clickjacking

  • Websites and blogs: Look for websites and blogs that specialize in web security and application security, as they often cover clickjacking and other types of security vulnerabilities in-depth.

  • Books: There are several books on web security and application security that cover clickjacking and related topics. Some popular books include “The Web Application Hacker’s Handbook” by Dafydd Stuttard and Marcus Pinto, and “Black Hat Python” by Justin Seitz.

  • Online courses: Consider taking an online course on web security or application security to learn about clickjacking and other types of security vulnerabilities. Some popular online learning platforms that offer security courses include Udemy, Coursera, and Pluralsight.

  • Conferences and events: Attend security conferences and events, such as Black Hat and DEF CON, to hear from experts in the field and learn about the latest research and techniques related to clickjacking and other security topics.

  • Practice: The best way to learn about clickjacking and other security vulnerabilities is by practicing and testing your skills in a controlled environment. You can set up a virtual machine or a testing environment and experiment with different techniques to better understand how clickjacking works and how to identify and prevent

Books with review of Clickjacking

  1. “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto: This book provides a comprehensive guide to web application security, including a thorough explanation of clickjacking and how to identify and exploit it.

  2. “Black Hat Python: Python Programming for Hackers and Pentesters” by Justin Seitz: This book covers various topics in hacking and pentesting, including a section on clickjacking and how to use Python to automate the exploitation process.

  3. “Web Hacking: Attack and Defense” by Yuchong Hu, Haifei Li, and Wei Wang: This book provides a comprehensive guide to web application security, including a section on clickjacking and how to identify and prevent it.

  4. “Web Security: A White Hat Perspective” by Himanshu Dwivedi: This book covers various topics in web security, including a section on clickjacking and how to prevent it.

  5. “Hacking: The Art of Exploitation” by Jon Erickson: This book provides an introduction to computer security and hacking, including a section on clickjacking and how to identify and exploit it.

List of payloads Clickjacking

Clickjacking payloads are specific actions or commands that are executed by a user’s browser when they are tricked into clicking on a malicious link or button. Some common clickjacking payloads include:

  1. Launching a malicious website: A user’s browser can be redirected to a malicious website that contains malware or phishing content.

  2. Executing arbitrary code: A user’s browser can be made to execute arbitrary code, such as JavaScript, which can then be used to steal sensitive information or perform other malicious actions.

  3. Sending messages: A user’s browser can be made to send messages to a specific website or web application, such as posting a comment or sending an email.

  4. Liking or sharing content: A user’s browser can be made to like or share content on social media websites, which can then be used to spread malware or phishing content.

  5. Transferring funds: A user’s browser can be made to transfer funds or make purchases on e-commerce websites.

  6. Sharing sensitive information: A user’s browser can be made to share sensitive information, such as passwords or personal details, with a malicious website or web application.

  7. Downloading malware: A user’s browser can be made to download malware, such as a Trojan or virus, which can then be used to compromise the user’s computer or network.

How to be protected from Clickjacking

Here is an example of a Sigma rule that detects clickjacking attempts based on a few key points:

  • Detection of “X-Frame-Options” header: The “X-Frame-Options” header is used to specify whether a web page can be embedded in a frame or iframe. A missing or inadequate “X-Frame-Options” header can leave a website vulnerable to clickjacking.

  • Search for “frame-ancestors” directive: The “frame-ancestors” directive is used to specify which websites are allowed to embed the current web page in a frame or iframe. The absence of this directive or the presence of an “*” value makes a website vulnerable to clickjacking.

  • Examination of “Content-Security-Policy” header: The “Content-Security-Policy” header is used to specify security policies for a website, including restrictions on the use of frames and iframes. The absence of a “Content-Security-Policy” header or the presence of an inadequate policy can leave a website vulnerable to clickjacking.

Example Sigma rule that implements these points:

				
					title: Detect clickjacking attempts
status: experimental
description: This rule detects clickjacking attempts by looking 
for missing or inadequate X-Frame-Options, frame-ancestors,
and Content-Security-Policy headers.
author: John Doe
logsource:
  product: http
  service: access_combined
detection:
  selection:
    response:
      headers:
        - name: X-Frame-Options
  condition: selection
  condition: not selection.value matches "(SAMEORIGIN|DENY)"
  condition: not selection.value matches "(frame-ancestors) [^*]+"
  condition: not selection.value matches "(Content-Security-Policy) [^*]+
  (frame-ancestors) [^*]+"

				
			

As for firewall rules, you can use them to block incoming traffic that originates from known malicious IP addresses, or to block traffic that is destined to known malicious websites. Additionally, you can use firewall rules to block traffic that contains certain keywords or patterns that are associated with clickjacking. However, it’s important to keep in mind that firewall rules alone are not enough to protect against clickjacking and should be used in conjunction with other security measures, such as browser plugins or security software.

Mitigations for Clickjacking

Here are some common methods to prevent or mitigate clickjacking:

  1. X-Frame-Options header: The X-Frame-Options header is used to specify whether or not a browser should be allowed to render a page in a frame, iframe, or object. The header can be set to “DENY” to prevent a page from being displayed in a frame, or “SAMEORIGIN” to allow framing by pages of the same origin.

  2. Content Security Policy (CSP) header: The CSP header allows a web server to specify the valid sources of content for a web page, including the use of frames. The header can be set to “frame-ancestors ‘none'” to prevent a page from being framed.

  3. JavaScript frame buster: A frame buster is a piece of JavaScript code that checks whether a page is being framed and, if so, breaks out of the frame. This can be used to prevent a page from being displayed in a malicious frame.

  4. Use of Anti-Virus software: Anti-virus software with web protection features can help detect and prevent clickjacking attacks by blocking access to known malicious websites.

  5. Regular software updates: Keeping software and operating systems up to date with the latest patches and security updates can help prevent vulnerabilities from being exploited.

Conclusion

In short, clickjacking is a type of attack where an attacker tricks a user into clicking on a hidden or obscured button or link on a website. This can result in unintended actions, such as installing malware or disclosing sensitive information. To protect against clickjacking, website owners should implement security measures, such as the X-Frame-Options header, and users should be cautious when clicking on unfamiliar or unexpected links. It is important to stay vigilant and take steps to prevent this type of attack.

Other Services

Ready to secure?

Let's get in touch