Tuesday, January 12, 2016

What is a Clickjacking or UI Redress Attack ?



A Clickjacking or UI Redress Attack is an attack in which the attacker uses opaque or transparent layers in webpages to trick a user in clicking on a malicious link or button unknowingly. And thus, the attackers hijack a click of a user and route it to a different malicious page.







How is Clickjacking done ?

Study suggests, there are a number of ways a Clickjacking is done. To name a few :

  • Sometimes a user in a social networking site is tricked to post an update in his homepage which they did not intend to like. I think most of us have seen this type of Clickjacking in popular social networking sites. This is also called Likejacking.
  • Sometimes attackers hijack cursor of a user to a location different from where the user perceives it to be. This is also called Cursorjacking.
  • Sometimes Password Managers fail to protect against iFrame and redirection based attacks and expose unwanted passwords.
  • Sometimes unwanted advertisements get displayed on top of email inbox, saying free ipod for example, and the attacker loads an iframe with the email account. As a result, when the user clicks on that link, it does malicious activities, for example deleting all messages etc.
  • Sometimes the attackers load a webpage into an invisible iframe and trick the user into changing security settings of software, for example Flash Player, so that microphone, camera etc can be exploited.
  • Many a times a user prefers to keep logged in eCommerce websites. An attacker may trick the user to click on a like button, but load the eCommerce website in transparent iframe. As a result, when the user clicks on the like button, some expensive items may get bought from the eCommerce website using the user's credit card.



Countermeasures 


We can take a couple of steps to prevent this attack.

  • Some addons of browsers like NoScript can prevent users from clicking on invisible page elements.
  • Some commercial products like GuardedID can make all frames in the page visible and protect against these attacks.
  • In some secure web browsers like Gazelle a window of different origin can onnly draw dynamic contents over another window's screen space if the content it draws is opaque. And thus, it can protect users from clicking on something unknowingly.
  • Web site owners can include framekiller Javascript snippet in webpages to prevent inside frames from different sources.
  • HTTP headers like X-Frame-Options are now adopted by many web browsers and they can prevent Clickjacking partially.
  • The frame-ancestors directive of Content Security Policy can prevent potentially hostile pages using iframe, object etc. and prevent Clickjacking.



So, beware of various security vulnerabilities and stay safe, stay secured.

No comments:

Post a Comment