Clickjacking Attack & Prevention
It is also referred to as UI redress:
- User interface redress attack
- UI redress attack
- UI redressing
Clickjacking is a technique in which users are tricked into clicking on something different from what they perceive, typically a malicious link. The attacker hijacks the clicks on your website and reroutes users to an unknown destination intended for malicious activity.
With such a technique, passwords and secret keys can also be hijacked. Attackers can craft a combination of stylesheets, iframes, and text boxes that resemble the website you intend to log in to. Users believe they are typing their password into their e-mail or bank account, but are instead typing into an invisible attacker-controlled frame; this is the clickjacking attack.
Clickjacking attacks can be divided into the following sub-categories:
Classic:
Classic attacks mainly target web browsers and the users who access a website through one; they work mostly through a web browser.
Likejacking:
Likejacking hijacks the click and redirects it into liking a Facebook page; in other words, it abuses Facebook's social media capabilities.
Nested:
A nested attack is similar to the classic one: a malicious frame is inserted between two frames of a harmless website. It works due to a weakness in how the HTTP header X-Frame-Options is handled. Clickjacking tailored to affect Google+ is one example of a nested attack.
Cursorjacking:
Cursorjacking is a UI redressing technique that moves the cursor away from the location the user perceives, manipulating the cursor's appearance and position.
Mousejacking:
Mousejacking is referred to as a hardware vulnerability: with external hardware (such as a mouse or keyboard), it was reported that input could be injected into vulnerable wireless dongles. Only Logitech successfully updated its firmware to stop such attacks; other companies failed to do so.
Browserless:
Browserless clickjacking mainly occurs on mobile devices and does not involve a browser. Example: when a notification is delivered to a mobile device there is a small delay before it is displayed, and in that delay the attacker places a button that lies behind the notification.
Cookiejacking:
Cookies are stolen by tricking the user into dragging an object that appears harmless.
Filejacking:
Attackers use the web browser's ability to navigate the file system and trick the user into turning the affected device into an active file server.
Password manager attack:
This attack targets autofill password managers. It occurs due to a change in the protocol used while passwords are saved, after which the password manager insecurely fills in the private information (the password).
How to Defend Your Website against Clickjacking
There are three main mechanisms for clickjacking prevention:
- Using the X-Frame-Options header and Content Security Policy
- Protecting session cookies
- Using JavaScript
References for more details
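As an added example (not code from the original article), the following Node.js script audits a response's headers for the first two defences above: it parses X-Frame-Options and the CSP frame-ancestors directive to decide whether a cross-origin page could embed the response, and it reads the SameSite attribute of Set-Cookie headers, on the assumption that "protecting session cookies" refers to that attribute. The header values are constructed sample data.

```javascript
// Added example: audit response headers for clickjacking defences.
// Assumes "protecting session cookies" means the SameSite cookie attribute.

// Parse a Content-Security-Policy value into { directive: [tokens] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// headers: object keyed by lowercase header name; 'set-cookie' may be an array.
// Returns the parsed defences and a verdict: 'blocked', 'restricted' or 'open'.
function assessFramingProtection(headers) {
  const xfoRaw = (headers['x-frame-options'] || '').trim().toUpperCase();
  const xfo = ['DENY', 'SAMEORIGIN'].includes(xfoRaw) ? xfoRaw
    : xfoRaw.startsWith('ALLOW-FROM') ? 'obsolete-allow-from'
    : xfoRaw ? 'invalid' : 'missing';
  let frameAncestors = null;
  if (headers['content-security-policy']) {
    const fa = parseCsp(headers['content-security-policy'])['frame-ancestors'];
    if (fa) frameAncestors = fa.map((s) => s.replace(/^'|'$/g, '').toLowerCase());
  }
  // A session cookie without SameSite=Lax/Strict is still sent when the page is
  // framed, so a successful clickjack acts with the victim's session.
  const cookies = [].concat(headers['set-cookie'] || []).map((c) => {
    const m = /;\s*samesite=(\w+)/i.exec(c);
    return { name: c.split('=')[0].trim(), sameSite: m ? m[1].toLowerCase() : null };
  });
  // Browsers honour frame-ancestors over X-Frame-Options when both are present.
  let verdict;
  if (frameAncestors) {
    verdict = frameAncestors.every((s) => s === 'none' || s === 'self') ? 'blocked' : 'restricted';
  } else {
    verdict = xfo === 'DENY' || xfo === 'SAMEORIGIN' ? 'blocked' : 'open';
  }
  return { xfo, frameAncestors, cookies, verdict };
}

// Constructed sample: a weak response beside a hardened one.
const weak = { 'set-cookie': 'session=abc123; Path=/; HttpOnly' };
const hardened = {
  'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'set-cookie': ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};
console.log(assessFramingProtection(weak).verdict, assessFramingProtection(hardened).verdict);
```

The frame-busting JavaScript defence from the third bullet runs inside the page itself and is not covered by this server-side header audit.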
https://en.wikipedia.org/wiki/Clickjacking