What is Clickjacking
Clickjacking is a web attack where an attacker tricks a user into clicking on something hidden within an invisible frame on a malicious page. The user believes they’re clicking on one thing, but they’re actually interacting with another site. This can make the user unknowingly perform actions like liking posts, transferring funds, or changing settings on a legitimate site.
For a clickjacking attack to be effective, two primary conditions need to be met:
- X-Frame-Options: The target website should not use the X-Frame-Options HTTP header or the Content-Security-Policy (CSP) header with the frame-ancestors directive. If these are absent or improperly configured, an attacker can embed the site in an invisible iframe on their own page. These headers are usually set to prevent a site from being embedded in an iframe by other domains, which helps mitigate clickjacking.
- SameSite Cookies: The target site should use cookies with a SameSite=None; Secure attribute, allowing them to be sent in cross-origin requests. This configuration lets a user's session cookie be sent even when interacting with the site through an iframe on another domain. This condition is essential for making sure the user remains logged in to the target website when interacting with a malicious page.
Payload example
```html
<style>
  iframe {
    position: relative;
    width: 1000px;
    height: 700px;
    opacity: 0.0001;
    z-index: 2;
  }
  div {
    position: absolute;
    top: XYZpx;   /* XYZ is a placeholder value */
    left: XYZpx;
    z-index: 1;
  }
</style>
<div><button>click</button></div>
<iframe src="https://google.com"></iframe>
```
X-Frame-Options
X-Frame-Options was originally introduced as an unofficial response header in Internet Explorer 8 and was rapidly adopted by other browsers. The header gives the website owner control over the use of iframes or objects, so that inclusion of a web page within a frame can be prohibited with the deny directive:
X-Frame-Options: deny
Alternatively, framing can be restricted to the same origin as the website using the sameorigin directive:
X-Frame-Options: sameorigin
or to a named website using the allow-from directive:
X-Frame-Options: allow-from https://normal-website.com
X-Frame-Options is not implemented consistently across browsers (the allow-from directive is not supported in Chrome version 76 or Safari 12, for example). However, when properly applied in conjunction with Content Security Policy as part of a multi-layer defense strategy, it can provide effective protection against clickjacking attacks.
Content Security Policy (CSP)
Content Security Policy (CSP) is a detection and prevention mechanism that provides mitigation against attacks such as XSS and clickjacking. CSP is usually implemented in the web server as a return header of the form:
Content-Security-Policy: policy
where policy is a string of policy directives separated by semicolons. The CSP provides the client browser with information about permitted sources of web resources that the browser can apply to the detection and interception of malicious behaviors.
The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application's Content Security Policy. The frame-ancestors 'none' directive is similar in behavior to the X-Frame-Options deny directive. The frame-ancestors 'self' directive is broadly equivalent to the X-Frame-Options sameorigin directive. The following CSP whitelists frames to the same domain only:
Content-Security-Policy: frame-ancestors 'self';
Alternatively, framing can be restricted to named sites:
Content-Security-Policy: frame-ancestors normal-website.com;
To be effective against clickjacking and XSS, CSPs need careful development, implementation and testing and should be used as part of a multi-layer defense strategy.
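The X-Frame-Options and CSP sections above describe the two headers separately; when reviewing a real response you want one check that reads both, knows that allow-from is not honoured everywhere, and knows that browsers which support frame-ancestors ignore X-Frame-Options when both are present. The following is an added example written for these notes, not code from the page's sources; the header objects it is fed are constructed samples, and `assessFramingProtection` and `parseCsp` are names chosen here.

```javascript
// Added example: review a response's framing defences from its headers.
// `headers` is an object keyed by lowercase header name (constructed samples
// are used below; none of this comes from a real site).

// Parse a CSP header into { directive: [values] }. The first occurrence of a
// directive wins and later duplicates are ignored, which is how browsers treat it.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Returns whether a compliant browser will refuse to frame the page
// cross-origin, which mechanism provides that, and findings to act on.
function assessFramingProtection(headers) {
  const findings = [];

  // --- X-Frame-Options -----------------------------------------------------
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  let xfoProtects = false;
  if (xfo === 'deny' || xfo === 'sameorigin') {
    xfoProtects = true;
  } else if (xfo.startsWith('allow-from')) {
    // Browsers that do not implement allow-from ignore the whole header, so it
    // cannot be the only control (see the browser support note above).
    findings.push('X-Frame-Options allow-from is not honoured by all browsers; use CSP frame-ancestors instead');
  } else if (xfo) {
    findings.push(`X-Frame-Options value "${xfo}" is invalid and will be ignored`);
  }

  // --- Content-Security-Policy frame-ancestors -----------------------------
  let cspProtects = false;
  const csp = headers['content-security-policy'];
  if (csp) {
    const fa = parseCsp(csp)['frame-ancestors'];
    if (fa === undefined) {
      findings.push('CSP present but has no frame-ancestors directive');
    } else if (fa.length === 0) {
      findings.push("frame-ancestors has no source list; state 'none' or 'self' explicitly");
    } else if (fa.includes('*')) {
      findings.push('frame-ancestors * permits framing by any origin');
    } else {
      // 'none', 'self' or an explicit list of origins all restrict framing.
      cspProtects = true;
    }
  }

  if (xfoProtects && cspProtects) {
    findings.push('Both headers set: browsers that support frame-ancestors ignore X-Frame-Options, so keep the two policies consistent');
  }

  const mechanism = cspProtects ? 'csp' : xfoProtects ? 'x-frame-options' : 'none';
  return { protected: mechanism !== 'none', mechanism, findings };
}

// Constructed sample responses for a quick run: `node` this file and inspect.
const SAMPLE_RESPONSES = {
  cspOnly: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self';" },
  allowFromOnly: { 'x-frame-options': 'ALLOW-FROM https://normal-website.com' },
  nothing: {},
};
for (const [label, h] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(label, JSON.stringify(assessFramingProtection(h)));
}
```

The function reports `mechanism: 'csp'` whenever frame-ancestors restricts framing, because that is the policy a modern browser actually enforces; X-Frame-Options only counts when it is the sole effective control.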
Frame Busting
Frame busting is a technique used to prevent clickjacking attacks, where a malicious website embeds another site within an iframe (an HTML element that displays a web page within another page). This allows the attacker to overlay or manipulate the content, tricking the user into clicking on something they can’t see, such as buttons that perform sensitive actions on the target site.
![[brave_iqQL2Uc7NF.png]]
Because frame busters are JavaScript, the browser's security settings may prevent them from running, or the browser might not support JavaScript at all. An effective attacker workaround against frame busters is the HTML5 iframe sandbox attribute. When this is set with the allow-forms or allow-scripts values and the allow-top-navigation value is omitted, the frame buster script can be neutralized, as the iframe cannot check whether or not it is the top window:
<iframe id="victim_website" src="https://victim-website.com" sandbox="allow-forms"></iframe>
Both the allow-forms and allow-scripts values permit the specified actions within the iframe, but top-level navigation is disabled. This inhibits frame busting behaviors while allowing functionality within the targeted site.
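The section above explains why a naive frame buster fails under a sandboxed iframe. As an added example (not from the page's sources), the following is the hide-first variant a defender would ship: the page is blanked by a `<style>` element before any script runs and is only revealed once script confirms it is the top window. If script is blocked, or the top-navigation attempt throws because of the sandbox, the body simply stays hidden, so there is nothing for the decoy page to overlay. `win` and `doc` are injected so the logic can be exercised with the constructed window/document stand-ins at the bottom; those stand-ins, and the names `installFrameBuster` and `isFramed`, are this example's own.

```javascript
// Added example: hide-first frame-breaking defence with injectable window/document.

function isFramed(win) {
  return win.self !== win.top;
}

// Returns 'revealed' (top-level page rendered), 'busted' (framing page replaced),
// or 'hidden' (framed, could not navigate the top window, page stays blank).
function installFrameBuster(win, doc) {
  // In a real page this <style> is in <head> before any script, so the page is
  // blank even when script never runs (e.g. sandbox without allow-scripts).
  const style = doc.createElement('style');
  style.id = 'antiClickjack';
  style.textContent = 'body { display: none !important; }';
  doc.head.appendChild(style);

  if (!isFramed(win)) {
    doc.head.removeChild(style); // not framed: render normally
    return 'revealed';
  }
  try {
    // Framed: replace the framing page with this one. A sandboxed iframe that
    // lacks allow-top-navigation throws a SecurityError here; the body stays hidden.
    win.top.location = win.self.location;
    return 'busted';
  } catch (err) {
    return 'hidden';
  }
}

// ---- Constructed stand-ins (not browser objects) to run the logic offline ----
function fakeDocument() {
  const head = {
    children: [],
    appendChild(el) { head.children.push(el); },
    removeChild(el) { head.children = head.children.filter(c => c !== el); },
  };
  return { head, createElement(tag) { return { tagName: tag.toUpperCase() }; } };
}

function topLevelWindow(url) {
  const w = { location: url };
  w.self = w;
  w.top = w;
  return w;
}

function framedWindow(url, topWin) {
  const w = { location: url, top: topWin };
  w.self = w;
  return w;
}

// Simulates a top window that refuses navigation, as seen from a sandboxed
// iframe without allow-top-navigation.
function sandboxedTop() {
  const w = {};
  Object.defineProperty(w, 'location', {
    set() { throw new Error('SecurityError: sandboxed frame may not navigate its ancestors'); },
  });
  w.self = w;
  w.top = w;
  return w;
}

function demo() {
  return {
    standalone: installFrameBuster(topLevelWindow('https://app.example/'), fakeDocument()),
    framed: installFrameBuster(
      framedWindow('https://app.example/', topLevelWindow('https://decoy.example/')), fakeDocument()),
    sandboxed: installFrameBuster(framedWindow('https://app.example/', sandboxedTop()), fakeDocument()),
  };
}

console.log(demo()); // { standalone: 'revealed', framed: 'busted', sandboxed: 'hidden' }
```

The header-based controls earlier on the page remain the primary defence; this script is the fallback for browsers that do not honour them, and its value comes from hiding first rather than from the navigation attempt.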
Cookie (None)
The target site should use cookies with a SameSite=None; Secure attribute, allowing them to be sent in cross-origin requests. This configuration lets a user's session cookie be sent even when interacting with the site through an iframe on another domain. This condition is essential for making sure the user remains logged in to the target website when interacting with a malicious page.
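The cookie condition above is easiest to check directly against a site's Set-Cookie headers. The following is an added example for these notes, not code from the page's sources: it parses each Set-Cookie header and classifies whether a browser would attach the cookie to a request made from inside a cross-site iframe. The sample headers are constructed, and `parseSetCookie`, `sentInCrossSiteFrame` and `reviewCookies` are names chosen here. The SameSite=None-without-Secure case is included because current browsers reject such a cookie outright, and the missing-attribute case is reported as browser-dependent rather than guessed.

```javascript
// Added example: classify Set-Cookie headers by cross-site iframe behaviour.

function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 0) return null; // malformed: no name=value pair
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Outcome for a request issued by the cookie's site while framed by another site.
function sentInCrossSiteFrame(cookie) {
  switch (cookie.sameSite) {
    case 'none':
      return cookie.secure
        ? { outcome: 'sent', reason: 'SameSite=None; Secure allows cross-site use (clickjacking condition met)' }
        : { outcome: 'rejected', reason: 'SameSite=None without Secure is rejected by current browsers' };
    case 'lax':
    case 'strict':
      return { outcome: 'withheld', reason: `SameSite=${cookie.sameSite} is not sent for cross-site subrequests` };
    default:
      // No (or unrecognised) SameSite attribute: Chromium-based browsers apply a
      // Lax default, others may still send the cookie; review as browser-dependent.
      return { outcome: 'browser-dependent', reason: 'no SameSite attribute; default behaviour varies by browser' };
  }
}

function reviewCookies(setCookieHeaders) {
  const results = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c) continue;
    results.push({ name: c.name, ...sentInCrossSiteFrame(c) });
  }
  return results;
}

// Constructed sample headers, not captured from a real site.
const SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; Secure; HttpOnly; SameSite=None',
  'pref=dark; Path=/; SameSite=Lax',
  'legacy=xyz; Path=/; SameSite=None',
  'old=1',
];
console.log(reviewCookies(SAMPLE_SET_COOKIE));
```

A session cookie that comes back as `sent` here, on a site whose framing headers are also absent, is the combination this page describes; moving it to SameSite=Lax or Strict removes the second condition even before the framing headers are fixed.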