Clickjacking refers to any attack in which a user is tricked into clicking an unexpected web element without realising it. The attacker shows the user one page while the clicks actually land on another: the technique works by overlaying malicious content on a trusted web page, or by placing a transparent element or an entire transparent page over a visible one, so that the click goes to the hidden page rather than the one the user sees.
The attacker builds a page that embeds the target site in an HTML iframe. Suppose you are checking your email and a popup appears saying "You have won an iPhone. Click here to claim." Beneath that overlay the click can land on a control in your authenticated webmail session, such as one that deletes all the messages in your inbox or sends an email to someone; in general the hidden click can trigger any action the victim's logged-in session is allowed to perform. The same trick is common on Android phones, where an overlay drawn over another app intercepts taps. The attack is also called a UI redress attack. Most clickjacking attacks exploit the fact that a page can be loaded inside an iframe on a site its owner does not control, and protection methods revolve around preventing exactly that.
All prevention methods therefore aim to block framing, since most of these attacks depend on the HTML iframe tag. Legacy solutions used client-side "frame-busting" scripts to break the page out of a frame, but these can be defeated (for example by loading the victim page in a sandboxed iframe that disables its scripts), so modern and secure approaches rely on HTTP security headers that specify a framing policy: the X-Frame-Options header, which controls whether the page may be loaded inside an iframe, embed or object element. The header supports three directives: SAMEORIGIN, to allow framing only by pages of the same origin; DENY, to forbid framing entirely; and ALLOW-FROM, to name one specific permitted origin. ALLOW-FROM was never supported by Chrome or Safari and has been removed from Firefox, so it should not be relied upon; the modern replacement is the Content-Security-Policy frame-ancestors directive, which accepts a list of permitted origins and takes precedence over X-Frame-Options when both are present. X-Frame-Options remains the most universally supported way of increasing a site's resilience, stopping not just typical clickjacking attempts but any attack that depends on framing the page.
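The following Python checker, added here as an illustration and not taken from any project, evaluates a response's framing headers the way a current browser does in simplified form: a Content-Security-Policy frame-ancestors directive, if present, overrides X-Frame-Options; DENY and SAMEORIGIN are enforced; ALLOW-FROM and unrecognised values are ignored, which leaves the page frameable. The sample responses, the page URL https://mail.example and the attacker origin https://evil.example are constructed for the example. Source matching covers schemes, hosts and leading wildcards only (no paths or ports), which is enough to triage responses during a review.

```python
"""Added example: decide whether a page's response headers let another
origin frame it.  Not the page author's code; rules are a simplification
of browser behaviour (CSP frame-ancestors beats X-Frame-Options;
ALLOW-FROM and invalid values are ignored by current browsers)."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased, so comparisons are origin-based."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def xfo_verdict(value: str, page_origin: str, framer_origin: str):
    """True/False when X-Frame-Options is enforceable, None when browsers ignore it."""
    v = value.strip().lower()
    if v == "deny":
        return False
    if v == "sameorigin":
        return page_origin == framer_origin
    # ALLOW-FROM is obsolete and unsupported by current browsers; an invalid
    # value is likewise ignored, so the header then gives no protection at all.
    return None


def frame_ancestors_sources(csp: str):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def source_matches(source: str, page_origin: str, framer_origin: str) -> bool:
    """Simplified CSP source matching: 'none', 'self', *, scheme:, host, *.host."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return page_origin == framer_origin
    if src == "*":
        return True
    scheme, host = framer_origin.split("://", 1)
    if src.endswith(":"):                  # scheme-source such as "https:"
        return src[:-1] == scheme
    if "://" in src:                       # host-source with an explicit scheme
        src_scheme, src_host = src.split("://", 1)
        if src_scheme != scheme:
            return False
    else:                                  # bare host: scheme not checked (simplification)
        src_host = src
    if src_host.startswith("*."):          # "*.partner.example" matches any subdomain
        return host.endswith(src_host[1:])
    return src_host == host


def framing_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """Can a document at framer_url load page_url in an iframe/embed/object?"""
    page_origin, framer_origin = origin_of(page_url), origin_of(framer_url)
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:            # frame-ancestors present: X-Frame-Options ignored
            return any(source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = lower.get("x-frame-options")
    if xfo is not None:
        verdict = xfo_verdict(xfo, page_origin, framer_origin)
        if verdict is not None:
            return verdict
    return True                            # no enforceable policy: any site can frame the page


# Constructed sample responses for the example (not captured from a real site).
SAMPLE_RESPONSES = {
    "no-policy": {},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-self-and-partner": {
        "X-Frame-Options": "DENY",         # ignored because frame-ancestors is present
        "Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
    },
}

PAGE = "https://mail.example/inbox"              # hypothetical victim page
ATTACKER = "https://evil.example/win-an-iphone"  # hypothetical attacker page


def audit(responses=SAMPLE_RESPONSES, page_url=PAGE, framer_url=ATTACKER):
    """Names of responses an unrelated origin could frame: clickjacking candidates."""
    return sorted(name for name, hdrs in responses.items()
                  if framing_allowed(hdrs, page_url, framer_url))


if __name__ == "__main__":
    for name in audit():
        print(f"{name}: frameable by {origin_of(ATTACKER)}")
```

Run as a script it lists `no-policy` and `xfo-allow-from` as frameable by the attacker origin; the ALLOW-FROM case is the one that surprises people, since the header is present but current browsers do not honour it. The `csp-self-and-partner` response shows the precedence rule: its X-Frame-Options: DENY is ignored, and the page is frameable by https://app.partner.example but not by https://evil.example.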