Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. this will cause users to unwittingly download malware, visit malicious sites , provide credentials or sensitive information, transfer money, or purchase products online. Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they're clicking the visible page but actually they're clicking an invisible element within the additional page transposed on top of it. The invisible page might be a malicious page, or a legitimate page the user didn't shall visit - for instance , a page on the user's banking site that authorizes the transfer of cash . There are several variations of the clickjacking attack, such as: * Likejacking - a way during which the Facebook "Like" button is manipulated, causing users to "like" a page they really didn't shall like. * Cursorjacking - a UI redressing technique that changes the cursor for the position the user perceives to a different position. Cursorjacking relies on vulnerabilities in Flash and therefore the Firefox browser, which have now been fixed.
Clickjacking attack example
1. The attacker creates a beautiful page which promises to offer the user a free trip to Tahiti. 2. within the background the attacker checks if the user is logged into his banking site and if so, loads the screen that permits transfer of funds, using query parameters to insert the attacker's bank details into the shape . 3. The bank transfer page is displayed in an invisible iframe above the free gift page, with the "Confirm Transfer" button exactly aligned over the "Receive Gift" button visible to the user. 4. The user visits the page and clicks the "Book My Free Trip" button. 5. actually the user is clicking on the invisible iframe, and has clicked the "Confirm Transfer" button. Funds are transferred to the attacker. 6. The user is redirected to a page with information about the free gift (not knowing what happened within the background).
This example illustrates that, during a clickjacking attack, the malicious action (on the bank website, during this case) can't be traced back to the attacker because the user performed it while being legitimately signed into their own account.
Clickjacking mitigation
There are two general ways to defend against clickjacking: * Client-side methods - the foremost common is named Frame Busting. Client-side methods are often effective in some cases, but are considered to not be a best practice, because they will be easily bypassed. * Server-side methods - the foremost common is X-Frame-Options. Server-side methods are recommended by security experts as an efficient thanks to defend against clickjacking.