Clickjacking Definition:
Clickjacking, also known as a 'UI redress attack,' is a web-based attack where an attacker tricks a user into clicking on a hidden or disguised element within a web page, leading to unintended actions. By layering a transparent or opaque frame over legitimate content, attackers can manipulate clicks, potentially stealing data, executing malicious actions, or compromising user accounts.
What is Clickjacking?
Clickjacking works by embedding a legitimate web page or interface element within an iframe or similar HTML element, which is then overlaid with malicious content or hidden elements. Users may believe they are interacting with the visible content, but in reality, their clicks are being redirected to perform hidden actions. This technique can be used to trick users into liking a social media post, submitting confidential information, or executing actions on sensitive sites like banking portals.
Why is Clickjacking important?
The purpose of Clickjacking attacks is to exploit the trust users place in web interfaces and to manipulate their actions without their knowledge or consent. By hijacking clicks, attackers can gain unauthorised access to accounts, steal sensitive information, or spread malware. Clickjacking can have serious consequences for both users and organisations, making it essential to implement countermeasures.
How does Clickjacking work?
Clickjacking attacks are typically carried out using HTML and CSS techniques to layer content on a webpage. To prevent Clickjacking, web developers can use techniques such as implementing the X-Frame-Options HTTP header, which restricts the framing of web pages by unauthorised domains, and using the Content Security Policy (CSP) frame-ancestors directive to control which sites can embed their content. User education and browser security extensions can also help mitigate Clickjacking attempts.
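As an added illustration of the two headers just described (example code written for this page, not taken from any product or framework), the first function builds the anti-framing response headers for a server, and the second inspects a response's headers the way a reviewer would when checking a site for framing exposure. The header names and directive values are real; the function names and the partner origin are assumptions made for the example.

```javascript
// Build the headers that stop untrusted sites from framing a page.
// With no allowed origins the page may only be framed by itself.
// X-Frame-Options cannot express an allow-list, so when partner origins
// are needed only CSP frame-ancestors is emitted (browsers that support
// frame-ancestors give it precedence over X-Frame-Options anyway).
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      "X-Frame-Options": "SAMEORIGIN",
      "Content-Security-Policy": "frame-ancestors 'self'",
    };
  }
  const ancestors = ["'self'", ...allowedOrigins].join(" ");
  return { "Content-Security-Policy": `frame-ancestors ${ancestors}` };
}

// Return true if these response headers would block an arbitrary
// third-party site from framing the page. Header names are compared
// case-insensitively because HTTP header names are case-insensitive.
// A frame-ancestors directive wins over X-Frame-Options; a wildcard or
// bare scheme source in it means anyone may frame the page, and an
// empty source list behaves like 'none'.
function isFramingProtected(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value);
  }
  const csp = lower["content-security-policy"] || "";
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    return !sources.some((s) => s === "*" || s === "http:" || s === "https:");
  }
  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  return xfo === "DENY" || xfo === "SAMEORIGIN";
}
```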
Clickjacking Examples:
Examples of Clickjacking include attackers embedding a legitimate social media 'Like' button within a hidden frame on their malicious site, tricking users into liking content without realising it. Another example is embedding a banking site’s interface and overlaying it with a transparent input form, causing users to unknowingly authorise money transfers.
Clickjacking Issues:
Defending against Clickjacking can be challenging because attackers can use a variety of methods to manipulate page content and user interactions. Effective countermeasures require a combination of server-side controls, browser security settings, and user awareness. Ensuring that sensitive web applications are not framed by unauthorised sources and regularly testing for Clickjacking vulnerabilities are key components of a strong defence.