Talking about Clickjacking Attack

Clickjacking, also known as a “UI redress attack”, is also a threat of attack or cannot be ignored, although it requires more interaction with the user, thus increasing the cost of their attacks, in reality, can be applied to fishing, fraud and other attacks.

What is Clickjacking?

It is similar to the DNS poisoning as a malicious jump, trick a user into clicking on a button or link on another page when they were intending to click on the top level page. The basic implementation is to use iframe tags in HTML, by making it transparent, invisible, on the original page covered by a layer of transparent new web pages, by adjusting the size and location of iframe so that it can cover the original page anywhere on. Specifically, you can set the iframe tag width, height attributes, and top, left the position, while the z-index value is set to maximum, in order to achieve iframe at the top of the page, and then set the opacity to control iframe page transparency, a value of 0 is completely invisible.

Clickjacking form

  • From the basic iframe, ClickJacking developed many different forms. For example, with the implementation of the click hijacking Flash, such as the implementation of fraud by image coverage attack, the most amazing drag, and drop should be hijacking and data theft. Paul Stone in 2010 BlackHat published a speech entitled “Next Generation ClickJacking“, the idea of drag and drop hijacking is to lure users from the hidden invisible iframe “drag” the attackers want to get the data, and then Into an attacker can control the other page, thus stealing data.
    Here is a typical example, is the domestic cattle xisigr structure for a Gmail POC, the general process is to design a seal the top of the game, every time the user clicks the ball dragged to the seal head will trigger the corresponding behavior, Here in the ball and seal the top of the head are hidden iframe, xisigr use event.dataTransfer.getData ( ‘Text’) to get the drag data, the user drags the ball when the actually selected iframe in the hidden data; Put down the ball, the data also on the hidden iframe, thus completing a data theft process.
  • “Clickjacking for Shells” by Andrew Horton is an excellent demonstration of a ClickJacking attack. In his demonstration, he leveraged the ClickJacking vulnerability to install vulnerable WordPress plugin. From it, he utilized Cross-Site Scripting vulnerability in that plugin to upload a PHP shell script.

Clickjacking tool

CJExploiter is drag and drops ClickJacking exploit development assistance tool. First open the “index.html” with your browser locally and enter target URL and click on “View Site”. You can dynamically create your own inputs. Finally by clicking the “Exploit It” you can see the P0C.


Defending against Clickjacking

There are two main ideas, one is for iframe tags, for processing, the implementation of frame busting:

if (top.location != self.location)
parent.location = self.location;

But the use of frame busting protection can be bypassed with some methods, such as the above method can be used to nest a number of ways to bypass iframe:

Attacker top frame:
<iframe src=”attacker2.html”>
Attacker sub-frame:
<iframe src=””>

Another idea is to use an HTTP header: X-Frame-Options, which has three optional values:

DENY: The browser refuses the current page to load any iframe page;
SAMEORIGIN: only allow the same page under the address of the frame;
ALLOW_FROM origin: Allows custom loading page address of the frame