Difference between revisions of "Clickjacking"

From OWASP

Revision as of 10:52, 28 December 2008

Clickjacking, also known as a UI Redress Attack, is when an attacker uses multiple (often transparent) layers so when a user clicks on an area of the web page, they are inadvertently clicking on a button or link on another page. This attack technique and term were identified and defined by Robert Hansen and Jeremiah Grossman in the Fall of 2008.

For example, imagine an attacker who builds a web site with a button that says "click here for a free iPod". On top of that page, however, the attacker has loaded your mail account in an invisible iframe, lining up its "delete all messages" button exactly over the "free iPod" button. The victim tries to click the "free iPod" button but actually clicks the invisible "delete all messages" button. In essence, the attacker has "hijacked" the user's click, hence the name "Clickjacking".

Using the same technique, keystrokes can also be hijacked: a user believes they are typing their password into their email or bank account, but in reality they are typing into an invisible frame, possibly controlled by the attacker.

One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, granting any Flash animation permission to use the computer's microphone and camera.

To prevent this from happening, Adobe added the following code to the web page:

 // Frame-busting check: if this window is not the top-level window,
 // the page has been framed, so load it directly in the top window instead.
 if (top != self) {
     top.location.href = self.location.href;
 }

This code ensures the page cannot be embedded into an iframe, and therefore cannot be used as part of a clickjacking attack.
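The same frame-busting logic, written here as an added example (not Adobe's code) as functions over a minimal window-like object so it can be run and tested outside a browser; the "win" shape, the constructed URLs and the hardened hide-by-default variant are assumptions for illustration, not part of the original page.

```javascript
// Minimal stand-in for a browser window (constructed for this example).
// When isTop is false, the page is shown as framed under an unrelated
// outer document, which is the situation the frame-buster must detect.
function makeWindow(isTop) {
  const self = {
    location: { href: 'https://example.test/settings' },
    document: { documentElement: { style: { display: 'none' } } },
  };
  self.self = self;
  self.top = isTop ? self : { location: { href: 'https://outer.example/page' } };
  return self;
}

// True when the window running the script is not the top-level browsing
// context, i.e. the page has been embedded in a frame.
function isFramed(win) {
  return win.top !== win.self;
}

// The defence shown on the page: if framed, replace the top-level document
// with this page so nothing can be layered over it. Returns the URL the
// top window was sent to, or null when no redirect was needed.
function bustFrame(win) {
  if (!isFramed(win)) return null;
  win.top.location.href = win.self.location.href;
  return win.top.location.href;
}

// Hardened variant (assumed here, not on the page): the document starts
// hidden (display:none) and is only revealed once the script has confirmed
// it is the top window. If the redirect never happens, the framed content
// remains invisible and therefore has nothing for a hidden click to land on.
function revealIfTopLevel(win) {
  if (isFramed(win)) {
    win.top.location.href = win.self.location.href;
    return false; // content stays hidden
  }
  win.document.documentElement.style.display = 'block';
  return true;
}

module.exports = { makeWindow, isFramed, bustFrame, revealIfTopLevel };
```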

References

The original post by Robert Hansen defining this term and introducing the problem is here: http://ha.ckers.org/blog/20081007/clickjacking-details/

Robert Hansen's more detailed post after he was 'allowed' to start talking about it: http://www.sectheory.com/clickjacking.htm

A list of other Clickjacking links: http://www.grc.com/sn/notes-168.htm