Clickjacking

From OWASP
Revision as of 10:52, 28 December 2008 by Wichers (Talk | contribs)


Clickjacking, also known as a UI Redress Attack, is when an attacker uses multiple (often transparent) layers so when a user clicks on an area of the web page, they are inadvertently clicking on a button or link on another page. This attack technique and term were identified and defined by Robert Hansen and Jeremiah Grossman in the Fall of 2008.

For example, imagine an attacker who builds a web site that has a button on it that says "click here for a free iPod". However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up the "delete all messages" button exactly on top of the "free iPod" button. The victim tries to click on the "free iPod" button but instead actually clicks on the invisible "delete all messages" button. In essence, the attacker has "hijacked" the user's click, hence the name "Clickjacking".

Using the same technique, keystrokes could also be hijacked, so a user believes they are typing in their password to their email or their bank account, but in reality they are typing into an invisible frame, possibly controlled by the attacker.

One of the most notorious examples of Clickjacking was an attack against the Adobe Flash plugin settings page:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager06.html

By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer's microphone and camera.

To prevent this from happening, Adobe added the following code to the web page:

 if (top != self) {            // this window is not the top-level window, so the page is framed
     top.location.href = self.location.href;   // navigate the top-level window to this page
 }

This code checks whether the page is the top-level window; if it is not, it navigates the top-level window to the page's own URL. This ensures the page cannot stay embedded in an iframe, and therefore cannot be used as part of a clickjacking attack.
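
The same check, as an added example rather than the code Adobe shipped, factored into functions that take a `win` argument standing in for the browser's `window` so the logic can be exercised against constructed mock windows; `revealIfTopLevel` goes one step beyond the page by keeping the content hidden until the check has passed, so nothing clickable is shown while framed.

```javascript
// Added example (not from the OWASP page or Adobe's settings page).
// `win` stands in for the browser window; `doc` for the document.

// True when `win` is displayed inside a frame, i.e. it is not the top-level window.
function isFramed(win) {
  return win.top !== win.self;
}

// Frame-busting as on the Adobe settings page: when framed, navigate the
// top-level window to this page's own URL so it can no longer sit invisibly
// inside an iframe. Returns true when a redirect was issued.
function bustFrames(win) {
  if (!isFramed(win)) return false;
  win.top.location.href = win.self.location.href;
  return true;
}

// Stricter variant (assumption: the page's body starts with display:none):
// only reveal the content once we know we are the top-level window.
function revealIfTopLevel(win, doc) {
  if (isFramed(win)) {
    bustFrames(win);
    return false;
  }
  doc.body.style.display = 'block';
  return true;
}

// Constructed mock windows for offline demonstration. When `framed` is true,
// `top` is a different window object with its own (placeholder) URL.
function makeWindow(url, framed) {
  const self = { location: { href: url } };
  const top = framed ? { location: { href: 'https://framing-page.example/' } } : self;
  return { self, top };
}
```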

References

The original post by Robert Hansen defining this term and introducing the problem is here: http://ha.ckers.org/blog/20081007/clickjacking-details/

Robert Hansen's more detailed post after he was 'allowed' to start talking about it: http://www.sectheory.com/clickjacking.htm

A list of other Clickjacking links: http://www.grc.com/sn/notes-168.htm