Vulnerable.Live Blog

Everything You Need to Know About Clickjacking Vulnerability


Hey Everyone 👋

In this blog post, we will discuss everything you need to know about clickjacking attacks: how they impact websites, how to test a site for clickjacking, and how to protect against it.

What is Clickjacking?

Clickjacking is a malicious technique that tricks users into clicking on something other than what they intend to click on a page. Through that misdirected click, the attacker can steal the user's information or redirect them to another site. Clickjacking is also known as a "UI redress attack" or "UI redress vulnerability."

Clickjacking is carried out from an attacker's website using web components such as JavaScript, IFRAMEs, images, FORM elements, or other HTML tags. In some instances, these components are embedded inside trusted applications and websites, which catches users off guard.


What are the different types of Clickjacking attacks?

Clickjacking can be divided into multiple categories. Let's look at two of them in detail:

Likejacking

Likejacking is an attempt to trick Facebook users into "liking" a page when they visit a website. This is done by manipulating the Facebook "Like" button. On Facebook, the "Like" button is loaded from Facebook domains using JavaScript, and that JavaScript-loaded button can be manipulated so that the user "likes" a page even though they do not intend to.

Cookiejacking

Attackers use various methods, such as drag and drop, to access the user's cookies stored in the browser. Cookies can be sensitive, and their exposure can lead to many consequences.

What is the impact of clickjacking?

Hackers use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. Once the iframe is loaded, the attacker can create a form that looks identical to a form you trust. These forms can be payment forms, login forms, etc., and the result is that hackers gain access to your account.

Clickjacking attacks are designed so that the attacker controls what is displayed on the user's screen and can thus trick users into visiting a malicious website or clicking unwanted links. This malicious activity is also known as a UI redress attack.

How to check if a website is vulnerable to clickjacking?

You can quickly check whether a website is vulnerable to clickjacking in a few clicks using Vulnerable.Live, a free online tool that tests whether a website is susceptible to clickjacking.

Here's how you can test:

  1. Visit Vulnerable.Live
  2. Enter the website in the input and press enter

That's all you need to do to check if the website is vulnerable to clickjacking or not.
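Whether a browser will place a page inside another site's iframe is decided by the page's response headers, so the same verdict that an online tool gives can be reached offline from those headers. The script below is an added example (my own code, not part of this post and not Vulnerable.Live's tool). It evaluates the X-Frame-Options header and the frame-ancestors directive of Content-Security-Policy the way a browser does, and reports whether a given origin could frame the page. The origins, header sets and the fetch_headers() helper are constructed for illustration; point fetch_headers() only at a site you administer.

```python
"""Offline clickjacking exposure check based on anti-framing response headers.

Added example for this post; not Vulnerable.Live's code. All header sets and
origins below are constructed samples.
"""
from __future__ import annotations

from fnmatch import fnmatch
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed origins: the page being tested and an unrelated third-party site.
PAGE = "https://bank.example"
THIRD_PARTY = "https://other.example"

# Constructed example responses, keyed by a short description.
SAMPLES: dict[str, dict[str, str]] = {
    "no headers": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "csp self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp partner": {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def _get(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_allows(source: str, framer: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the framing origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    # Host sources look like https://example.com, *.example.com or example.com.
    scheme, _, host = source.rpartition("://")
    framer_url = urlparse(framer)
    if scheme and scheme != framer_url.scheme:
        return False
    return fnmatch(framer_url.hostname or "", host.split(":")[0])


def check_headers(headers: dict[str, str], page: str, framer: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'blocked', 'allowed' or 'unprotected'."""
    csp = _get(headers, "Content-Security-Policy")
    sources = frame_ancestors(csp) if csp else None
    if sources is not None:
        # Browsers that support frame-ancestors give it precedence over X-Frame-Options.
        if any(source_allows(s, framer, page) for s in sources):
            return "allowed", f"frame-ancestors permits {framer}"
        return "blocked", "frame-ancestors does not list the framing origin"
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        return "unprotected", "neither X-Frame-Options nor frame-ancestors is set"
    value = xfo.strip().upper()
    if value == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        if framer == page:
            return "allowed", "same-origin framing permitted by SAMEORIGIN"
        return "blocked", "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM is obsolete; modern browsers treat it (and any other value) as unrecognised.
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"


def fetch_headers(url: str) -> dict[str, str]:
    """Fetch live response headers for a site you administer (network access; not used offline)."""
    with urlopen(Request(url, method="GET"), timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12} -> {check_headers(hdrs, PAGE, THIRD_PARTY)}")
```

The check only models the headers of the document itself; a real site can also vary them per path or per response, so test the specific pages that carry sensitive actions (login, payment, settings) rather than just the home page.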

How to mitigate clickjacking vulnerabilities?

Clickjacking vulnerability can be fixed using two security headers. Let's understand what they are:

  1. X-Frame-Options
  2. Content-Security-Policy

X-Frame-Options tells the browser whether or not it may render the website inside an iframe.

X-Frame-Options can be set to the following values:

  1. X-Frame-Options: DENY – Reject framing by all domains.

  2. X-Frame-Options: SAMEORIGIN – The page is allowed inside an iframe only when the framing page has the same origin.

  3. X-Frame-Options: ALLOW-FROM URI – Only allow the specified URI.
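The two headers above are usually set at the web server or application layer. Below is an added example (my own code, not from this post or Vulnerable.Live) of a WSGI middleware that stamps both headers onto every response: the Content-Security-Policy frame-ancestors directive carries the real policy, and X-Frame-Options is emitted as a fallback for older browsers where the policy can be expressed as DENY or SAMEORIGIN. The hello_app application and the partner origin are constructed for illustration. One caveat worth knowing: ALLOW-FROM is obsolete and not honoured by current browsers, so a list of permitted partner origins should be expressed with frame-ancestors, which is what the middleware does.

```python
"""WSGI middleware that enforces an anti-framing policy on every response.

Added example, not code from the post or Vulnerable.Live. hello_app and the
allowed-origin lists are constructed for illustration.
"""
from __future__ import annotations


class AntiFramingMiddleware:
    """Wrap a WSGI app so each response carries frame-ancestors and X-Frame-Options.

    allowed_origins: empty -> deny all framing; ("'self'",) -> same-origin only;
    anything else -> exactly those origins (expressible only via frame-ancestors).
    """

    def __init__(self, app, allowed_origins=()):
        self.app = app
        self.allowed_origins = tuple(allowed_origins)

    def frame_ancestors(self) -> str:
        sources = " ".join(self.allowed_origins) if self.allowed_origins else "'none'"
        return f"frame-ancestors {sources}"

    def x_frame_options(self) -> str | None:
        if not self.allowed_origins:
            return "DENY"
        if self.allowed_origins == ("'self'",):
            return "SAMEORIGIN"
        return None  # partner origins cannot be expressed; rely on frame-ancestors

    def apply(self, response_headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
        """Return the response headers with the framing policy enforced."""
        out: list[tuple[str, str]] = []
        csp_seen = False
        for name, value in response_headers:
            lname = name.lower()
            if lname == "x-frame-options":
                continue  # the app's own value is replaced by the policy below
            if lname == "content-security-policy":
                # Keep the app's other CSP directives; frame-ancestors is ours.
                others = [d.strip() for d in value.split(";")
                          if d.strip() and not d.strip().lower().startswith("frame-ancestors")]
                value = "; ".join(others + [self.frame_ancestors()])
                csp_seen = True
            out.append((name, value))
        if not csp_seen:
            out.append(("Content-Security-Policy", self.frame_ancestors()))
        xfo = self.x_frame_options()
        if xfo:
            out.append(("X-Frame-Options", xfo))
        return out

    def __call__(self, environ, start_response):
        def wrapped_start(status, response_headers, exc_info=None):
            return start_response(status, self.apply(response_headers), exc_info)
        return self.app(environ, wrapped_start)


def hello_app(environ, start_response):
    """Minimal WSGI app standing in for the protected site (constructed)."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<h1>account settings</h1>"]


def run(app, path: str = "/") -> tuple[str, list[tuple[str, str]], bytes]:
    """Invoke a WSGI app in-process and capture status, headers and body."""
    captured: dict = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    protected = AntiFramingMiddleware(hello_app, allowed_origins=("'self'",))
    for header in run(protected)[1]:
        print(f"{header[0]}: {header[1]}")
```

To serve it locally, hand the wrapped application to wsgiref.simple_server.make_server; the apply() method is a pure function over the header list, so the policy can be unit-tested without starting a server.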

Reading Guide: How to Fix Clickjacking on NGINX Server in 6 Simple Steps

Conclusion

This article covered how clickjacking works, the defense mechanisms against it, and more. Clickjacking is usually rated a low- or medium-severity issue, but hackers can use it to trick your customer base.