Clickjacking is also known as User Interface (UI) Redressing or a UI Redress Attack. In this type of attack, the attacker tricks the victim into clicking on and activating malicious code or a script that is ‘redressed’, or disguised, as something safe and, most of the time, as something catchy and attractive. This is a client-side vulnerability and is addressed by the behavior of the web browsers.
How does Clickjacking work?
A successful clickjacking attack requires effective use of the <iframe> HTML tag. By using this tag, the attacker can hide his malicious code, script or website behind an actual webpage, web application, a button etc. The attacker creates a seemingly harmless web page that loads the target website with the help of the <iframe> tag.
Let us understand Clickjacking by means of an example.
Let’s assume Bob (user) is fond of playing games on the internet. At the same time, Bob also uses his social media accounts for different purposes. Eve (attacker) gets this information and decides to hack Bob’s social media account by using clickjacking. Eve prepares a malicious website that will change the user’s password. Eve disguises this malicious webpage as a math game and sends it to Bob via his social media account. Bob is logged in to his account. Bob, being fond of playing games, clicks on the game link, opens that webpage and plays the game. Bob has no idea that, while doing so, he is unintentionally changing his account’s password, which is exactly what Eve wants.
Prevention against Clickjacking:
There are two main ways to prevent Clickjacking:
Employing Defensive Code: Employing defensive code in the UI to make sure that the current frame is the topmost window, and that there are no further frames or windows around it.
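The following is an added example of the "defensive code" approach, not code from the original article: a frame-busting check that hides the page's content by default and only reveals it when the page is the topmost window; otherwise it navigates the top window to the real page. The `win` and `doc` parameters stand in for the browser's `window` and `document` so the decision logic can be exercised outside a browser; the URL in the comments is a constructed sample.

```javascript
// Added example: client-side clickjacking defense ("frame busting").
// `win` is assumed to be the browser `window` (or a stand-in object in tests).

// True when the document is rendered inside a frame: the window that owns it
// is not the top-level browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// Decides what the page should do on load and returns the decision instead of
// acting on it, so the logic can be tested without a browser.
// A page that only breaks out of frames can be blocked by a framing page that
// disables navigation in the iframe, so content also stays hidden until the
// check passes (the "hide by default" pattern).
function clickjackDefense(win) {
  if (!isFramed(win)) {
    return { framed: false, showContent: true, navigateTopTo: null };
  }
  return {
    framed: true,
    showContent: false,
    // e.g. "https://bank.example/settings" (constructed sample URL)
    navigateTopTo: win.self.location.href,
  };
}

// Applies the decision in a real browser. Run it as early as possible (an inline
// <script> in <head>) with <body> styled `display:none` by default.
function applyDefense(win, doc) {
  const decision = clickjackDefense(win);
  if (decision.showContent) {
    doc.body.style.display = 'block';        // reveal content: not framed
  } else {
    win.top.location = decision.navigateTopTo; // replace the framing page
  }
  return decision;
}

// Auto-run in a browser; a no-op under Node where `window` is undefined.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('DOMContentLoaded', () => applyDefense(window, document));
}
```

Browsers treat frame-busting scripts as a fallback only; the same policy is normally also enforced by the server through the X-Frame-Options or Content-Security-Policy frame-ancestors response headers.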