Abstract
Clickjacking attacks are an emerging threat on the Web. The attacks allure users to click on objects transparently placed in malicious Web pages. The resultant actions of the click operations may cause unwanted operations in the legitimate websites without the knowledge of users. Recent reports suggest that victims can be tricked to click on a wide range of websites such as social network (Facebook, Twitter), shopping (Amazon), and online banking. One reported incident on clickjacking attack enabled the webcam and microphone of a victim without his/her knowledge. To combat against clickjacking attacks, application developers need to understand how clickjacking attacks occur along with existing solutions available to defend the attacks. This chapter shows a number of basic and advanced clickjacking attacks. The authors then show a number of detection techniques available at the client, server, and proxy levels.
TopBasic Clickjacking Attack Technique
A clickjacking attacker has all the capabilities of a web attacker. He/she owns a domain name and controls the contents served from web servers, and can make a victim visit a malicious website, thereby rendering attacker’s supplied content in the victim’s browser. When a victim visits the attacker’s page, the page hides a sensitive UI element visually or temporally, and lures a user to perform actions (e.g., clicking on element) which may be out of context and without the knowledge of a user where it is actually being clicked.
To date, there are two kinds of widespread clickjacking attacks in the wild: Tweetbomb and Likejacking (Kharif 2012). In both attacks, an attacker tricks victims to click on Twitter’s Tweet or Facebook’s Like button using hiding techniques, causing a link to the attacker’s site to be reposted to the victim’s friends and thus propagating the link virally. These attacks increase traffic to the attacker’s site and harvest a large number of friends or followers.
We classify clickjacking attacks into three types based on how users are forced or allured to click on objects out of context (Huang, Moshchuk, Wang, Schechter & Jackson, 2012): (i) target display manipulation, (ii) modification of pointer location, and (iii) modification of timer event. We discuss the three techniques with examples below:
Key Terms in this Chapter
Cursorjacking: Similar to pointer jacking.
ClickIDS: An automated tool to prevent clickjacking attacks within browsers.
Noscript: A browser extension tool to prevent JavaScript code execution.
Framebsting: Javascript code to stop web page rendering within iframe.
Pointer Jacking: Stealing of actions based on mouse pointer-based clicks.
Web Security: A set of procedure and practices to protect web servers and end users.
Clickjacking: Stealing of clickable actions on web page through overlay frame.