Difference between revisions of "Clickjacking"

(New page: Clickjacking is when malicious code that causes web dialogs to become transparent and placed on page so that a victim would click on the transparent dialog without knowing it. This vulne...)
 
Line 1: Line 1:
Clickjacking is when malicious code causes web dialogs to become transparent and placed on a page so that a victim would click on the transparent dialog without knowing it.

Revision as of 18:02, 27 December 2008

Clickjacking, also known as a UI Redress Attack, is when an attacker uses multiple (often transparent) layers so that when a user clicks on an area of the web page, they are inadvertently clicking on a button or link on another page.

For example, imagine an attacker who builds a web site with a button that says "click here for a free iPod". However, on top of that web page, the attacker has loaded your mail account in an iframe and lined up its "delete all messages" button exactly on top of the "free iPod" button. The victim tries to click on the "free iPod" button but actually clicks on the invisible "delete all messages" button. In essence, the attacker has "hijacked" the user's click, hence the name "Clickjacking".

Using the same technique, keystrokes can also be hijacked: a user believes they are typing their password into their email or bank account, but in reality they are typing into an invisible frame, possibly controlled by the attacker.

One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to use the computer's microphone and camera.

To prevent this from happening, Adobe added the following code to the web page:

 // If this document is not the top-level window (i.e. it has been framed),
 // navigate the top-level window to this document's own URL.
 if (top != self) {
       top.location.href = self.location.href;
 }

This code ensures the page cannot be embedded into an iframe, and therefore cannot be used as part of a clickjacking attack.
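The same frame-busting check, written here as an added example (not Adobe's or OWASP's code) in a form that can be exercised outside a browser. It goes one step beyond the snippet above by keeping the page body hidden until the check confirms the document is top-level, so nothing clickable is rendered while framed. The window and document objects are constructed stand-ins, and the URLs are placeholders.

```javascript
// Decide what the page should do based on its framing state.
// Returns "show" when the document is the top-level window, or "bust" when it
// has been embedded in some other document (top !== self).
function framingAction(win) {
  return win.top === win.self ? "show" : "bust";
}

// Apply the decision. The body is assumed to start hidden (display: none set
// in the HTML), so content is only revealed once we know we are top-level;
// otherwise the top window is navigated to this document, as in the Flash
// settings page fix above.
function applyFrameBusting(win, doc) {
  const action = framingAction(win);
  if (action === "bust") {
    win.top.location.href = win.self.location.href;
  } else {
    doc.body.style.display = "block";
  }
  return action;
}

// Constructed stand-ins for a framed and an unframed page (placeholder URLs)
// so the logic can run without a browser.
function makeWindow(framed) {
  const self = { location: { href: "https://settings.example/page" } };
  const top = framed ? { location: { href: "https://embedding-page.example/" } } : self;
  return { self, top };
}

function makeDocument() {
  return { body: { style: { display: "none" } } };
}
```

Script-based frame busting can be neutralised by the embedding document, so it is best treated as a fallback to the X-Frame-Options or Content-Security-Policy frame-ancestors response headers, which the browser enforces regardless of script.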