Clickjacking Attacks


Clickjacking, also known as UI redressing, is a deceptive technique in which users are tricked into clicking hidden buttons or links without their knowledge. Attackers overlay transparent frames so that users interact with elements different from what they see, which lets the attacker trigger actions on the user's behalf, such as unintentionally liking a Facebook page. The attack exploits how the browser displays the page, using CSS stacking order (z-index) and transparency (opacity) to hide the frame, and can be prevented with frame-busting techniques.

  • Clickjacking
  • Security Vulnerability
  • UI Redressing
  • Webpage Exploitation
  • Frame-Busting

Uploaded on Apr 19, 2025 | 1 Views



Presentation Transcript


  1. Clickjacking. CSE 591 Security and Vulnerability Analysis, Spring 2015. Adam Doupé, Arizona State University, http://adamdoupe.com

  2. Would you click this button? Adam Doupé, Security and Vulnerability Analysis

  3. ClickJacking
     In a clickjacking attack a user is lured into clicking a button that is not associated with the page displayed by the browser.
     Example: clicking on a harmless "Download free screensaver" button on a page on site A will actually become a click on the "Like" button on Facebook.
     The attack, also called "UI redressing," is performed by using overlapping transparent frames.
     Stacking order: z-index: <value>
     Transparency in Firefox: opacity: <value>
     Transparency in IE: filter:alpha(opacity=<value>)

  4. ClickJacking Example
     <html>
     <head>
     <title>Clickjacking Times</title>
     </head>
     <body>
     <h1>Clickjacking Example</h1>
     <!-- Transparent frame on top (z-index 2): this is what actually receives the click -->
     <div style="z-index:2; position:absolute; top:0; left:0; width: 100%; height: 100%">
     <iframe src="http://www.facebook.com/home.php?" id="frame1" style="opacity:0; filter:alpha(opacity=0);" width="100%" height="100%"></iframe>
     </div>
     <!-- Visible decoy underneath (z-index 1): this is what the user thinks they are clicking -->
     <div align="right" style="position:absolute; top:0; left:0; z-index:1; width: 100%; height:100%; background-color: white; text-align:left;">
     <p><input type="submit" value="Press Here" /><br />Press this button for an iPhone</p>
     </div>
     </body>
     </html>

  5. ClickJacking Example (diagram: two stacked layers)
     Z-level 1, opaque: the visible "Press Here!" button
     Z-level 2, transparent: the framed page that receives the click

  6. Frame Busting Code
     <style> body { display:none;} </style>
     <script>
     if (self == top) {
       document.getElementsByTagName("body")[0].style.display = 'block';
     } else {
       top.location = self.location;
     }
     </script>
     From: Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites, July 2010

  7. HTTP Headers
     X-Frame-Options HTTP response header:
     DENY: this page cannot be framed
     SAMEORIGIN: only pages from the same origin may frame this page
     ALLOW-FROM <URI>: only allow this specific URI to frame this page
     https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
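An added audit helper, written for this page and not part of the slides: given a page's response headers, it decides whether a page at pageOrigin may be framed by framerOrigin, applying the X-Frame-Options values listed on slide 7 and also the CSP frame-ancestors directive, which current browsers honour instead of ALLOW-FROM. The origins and header values in the comments and tests are constructed.

```javascript
// Added audit helper (not from the slides): applies X-Frame-Options (DENY,
// SAMEORIGIN, ALLOW-FROM) and CSP frame-ancestors to decide framability.
// Returns the frame-ancestors source list from a CSP value, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}
// Matches one source expression: 'none', 'self', *, a scheme ("https:"),
// a host ("https://a.example") or a wildcard host ("https://*.example").
// Simplification: paths are not handled; a host without a scheme matches on host only.
function sourceMatches(src, framerOrigin, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const framer = new URL(framerOrigin);
  if (s.endsWith(':')) return framer.protocol === s;
  const sep = s.indexOf('://');
  if (sep >= 0 && framer.protocol !== s.slice(0, sep + 1)) return false;
  const host = sep >= 0 ? s.slice(sep + 3) : s;
  if (host.startsWith('*.')) {
    return framer.host.endsWith(host.slice(1)) && framer.host !== host.slice(2);
  }
  return framer.host === host;
}
// headers: plain object of response header name -> value (names matched case-insensitively).
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const get = (name) => headers[Object.keys(headers).find((k) => k.toLowerCase() === name)] ?? null;
  // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
  const csp = get('content-security-policy');
  const ancestors = csp === null ? null : parseFrameAncestors(csp);
  if (ancestors !== null) return ancestors.some((src) => sourceMatches(src, framerOrigin, pageOrigin));
  const xfo = get('x-frame-options');
  if (xfo === null) return true; // no protection: an attack page like slide 4 can frame it
  const [option, uri] = xfo.trim().split(/\s+/);
  switch (option.toUpperCase()) {
    case 'DENY': return false;
    case 'SAMEORIGIN': return framerOrigin === pageOrigin;
    // Evaluated as documented on the slide; current browsers no longer support ALLOW-FROM
    // and ignore the whole header, so an audit should flag it and prefer frame-ancestors.
    case 'ALLOW-FROM': return uri !== undefined && new URL(uri).origin === framerOrigin;
    default: return true; // unrecognised values are ignored by browsers
  }
}
```

For example, canBeFramed({ 'X-Frame-Options': 'DENY' }, 'https://www.example.com', 'https://attacker.example') returns false, while an empty header set returns true.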

  8. Summary
     You need to be wary of how an attacker can trick a user into accidentally taking an action on your web application.
     Clickjacking is related to CSRF: both attacks allow an attacker to perform actions on the user's behalf.
