Clickjacking
(also UI redress attack)
Clickjacking definition
An attack in which an attacker utilizes multiple layers, either transparent or opaque, to trick a user into clicking a button or link on a lower-level website when they intend to click on the top-level page. The attacker is “hijacking” clicks and redirecting them to another site, belonging to a different app or domain while performing malicious operations. This allows the attacker to take full control of a person’s computer.
The same method can be used to steal keystrokes. A user can be tricked into entering their email or banking account password into an invisible frame managed by an attacker using a carefully prepared combination of iframes, stylesheets, and text boxes. In 2002 it was discovered that a transparent layer could be loaded on top of a website and made responsive to the user’s actions without drawing their attention. However, before 2008, this was not recognized as a serious problem.,
Preventing clickjacking attacks
- Using client-side defenses. It’s a tool for keeping an eye out for and preventing client-side supply chain threats, which can compromise sensitive information, including user credentials and financial data.
- Using an X-Frame-Options header. Websites can protect themselves from click-jacking attempts by preventing third-party embeds from accessing their content.
- Using CSP (Content Security Policy) directives. A security layer that helps detect and mitigate XSS and data injection attacks.
- Using cookie’s sameSite origin. Marking your cross-site cookies will help you secure your website.
