Introduction

Clickjacking or the UI redress attack is a relatively new type of malicious attack that targets mainly web applications. It works by superimposing a webpage over another existing web page using an iframe, and the user interacts with the malicious superimposed page while presuming that he is interacting with legitimate page. A common clickjacking that we see around in social media websites is ‘like jacking’, wherein the attacker will trick the user to click on some other icon/filenames and route their click to the like button. This is a tremendous cheating technique that we see around now a days.

The term clickjacking was first coined by Jeremiah Grossman and Robert Hanson in 2008 during their research on web application security. Clickjacking is mainly a browser issue that allows malicious scripts to be executed on the client side. JavaScript is used to carry out clickjacking attacks as it is present on all browser platforms.

Many variants of clickjacking have been found over the years. They all have different functionality and all these variants are used by malicious attacks with impunity. Clickjacking has increased exponentially over the years, particularly due to the explosion of social media websites such as Facebook and Twitter. Attackers trick users into clicking links posted on their Facebook or Twitter feeds, redirecting users to malicious websites or tricking them into unintentionally clicking a link.

Some common exploits that can be triggered with clickjacking include:

• Manipulating a user into enabling their webcam and microphone using Flash
• Tricking users into following someone on Twitter
• Making users share links on Facebook
• Tricking users into liking links on Facebook

Likejacking

This is a variant of clickjacking that works primarily on Facebook. It works by tricking users into liking a webpage or link on Facebook. This scheme can be used by crackers to generated cash using advertisement schemes that depend of the number of clicks that a page can generate. Google’s AdSense is very commonly used in such schemes. Facebook provides a like bookmark that can prevent users from being unwilling victims in likejacking attacks.

Cursorjacking

Cursorjacking as the name suggests is another variant of the clickjacking attack where the attacker makes it appear as if the cursor is in a different place that it actually is. This can be used to redirect the attention of the user to another link that the attacker actually wants the user to click. This attack was first demonstrated by security researcher Marcus Niemietz.

iFrames

Now let’s learn what an iframe is. Iframe is a technique that is used to display a webpage inside a webpage. We need to set the width and height for iframe. The Synatx for iframe is:

<iframe src=”URL” width=”500″ height=”400″></iframe>

Clickjacking includes two nested iframes to crop and position contents on the targeted websites. The inner frame contains the targeted item and should be very large so that the user who is to click is viable without scrolling. The outer frame is smaller enough to display the targeted item. In order to carry a successful exploit on static pages of webservers, the position of inner frames needs to be done carefully. This can be positioned by setting coordinate values for XY. However, for dynamic pages, positioning an inner frame on fixed coordinates won’t work, as the user will click anywhere on the page, missing the target. This can be resolved by adapting URL fragment identifiers.

Operation

Clickjacking is a pure JavaScript based attack that manipulates DOM elements to trick unsuspecting users into doing whatever the attacker requires. The basic process that clickjacking employs is simple enough: it overlays an invisible iframe over the actual webpage component. This component may be a button or a link.

Now let’s look at an example and see how clickjacking is a real benefit for hackers. Let’s say I am in need of 1000 likes in Facebook and I am running a well-known WordPress site. For WordPress sites there are plugins available to enable ‘click jack for Facebook like’, unlike other websites where programming skills in Java are required if you want to make any Java websites vulnerable to clickjacking. You can install this plugin in any WordPress site to make that site vulnerable to clickjacking. So here, each time the visitor clicks on any button on my WordPress site, I get a like added on my Facebook page.

In the above page you can see the ‘Like’ button wherever you navigate with your cursor. A hacker can disable this ‘Like’ button so that the website visitor wont see the ‘Like’ button anymore when he moves the cursor. Any click on the webpage will earn a Facebook like that we have configured using the plugin. If you look at the Facebook page you can see one ‘Like’ got credited on your status.

The above example will help to better understand the process of clickjacking.

Testing Clickjacking Vulnerability in Websites

Want to learn more?? The InfoSec Institute Ethical Hacking course goes in-depth into the techniques used by malicious, black hat hackers with attention getting lectures and hands-on lab exercises. While these hacking skills can be used for malicious purposes, this class teaches you how to use the same hacking techniques to perform a white-hat, ethical hack, on your organization. You leave with the ability to quantitatively assess and measure threats to information assets; and discover where your organization is most vulnerable to black hat hackers. Some features of this course include:

  • Dual Certification - CEH and CPT
  • 5 days of Intensive Hands-On Labs
  • Expert Instruction
  • CTF exercises in the evening
  • Most up-to-date proprietary courseware available

Now let’s see how we can confirm the presence of clickjacking vulnerability on a server.The first step is to check wther our target website can be converted in to iframe.You can do this by creating an html file which includes an iframe carrying the targeted web address.The html code for doing this is:

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>Website is vulnerable to clickjacking!</p>
     <iframe src="http://www.target.site" width="500" height="500"></iframe>
   </body>
</html>

Now if you see “Website is vulnerable to clickjacking”, then your targeted webpage will be loaded into the iframe successfully.

Mitigation

Clickjacking is JavaScript based attack that can be very dangerous if not handled properly. Luckily there are several options available to security experts to mitigate such threats. Clickjacking mitigation can be implemented at both the client and server side, we will look at both alternatives in greater detail.

Client Side Mitigations

  • NoScript plugin

This is one of the easiest client-based solutions available. The NoScript plugin for the Firefox browser is the only free tool that provides a defence against clickjacking. It has a clear click feature that protects users from clickjacking and likejacking attacks. It does this by ensuring that JavaScript code is not allowed to generate iframes in any webpage without being allowed by the plugin itself. The disadvantage of this approach is that it works only for Mozilla Firefox based browsers. The plugin does not exist for other popular browsers.

  • GuardedID

GuardedID is a commercial product that offers protection from several threats including keyloggers and clickjacking. GuardedID does not interfere with the normal functioning of the web browser, it only forces all iframes to become visible. This effectively protects users from clicking dangerous links unknowingly. GuardedID only works with the Internet Explorer and Firefox web browsers.

Server Side Mitigations

  • Frame Busting

Frame busting refers to code that is used by a webserver to prevent the website to be loaded into any subframe. Nowadays frame busting is of high importance, as there are many advanced clickjacking techniques like drag and drop extract and injecting data. There has been a survey conducted by people from Stanford and Carnegie Mellon university and found that many industries are obvious the targets of clickjacking. The survey was to find frame busting code on the top 500 sites that contain JavaScripts. Going through each of these codes would be difficult, and a Java based browser emulator called HTML Unit was looked at. This tool was capable enough to dynamically frame pages. Out of these 500 sites, most of the sites frame bust only on the front side, ie the login page or the password reset page.

Frame busting code consists of conditional statement and counter action statement. To defend against clickjacking, the following simple frame busting code is used in websites.

i f ( top . l o c a t i o n != l o c a t i o n )

top . l o c a t i o n = s e l f . l o c a t i o n ;

Conditional statement is used to check for the presence of framing followed by counter action if framing is detected.

Frame busting conditional statements

Unique sites conditional statement
38% if (top != self)
22.5% if (top.location != self.location)
13.5% if (top.location != location)
8% if (parent.frames.length > 0)
5.5% if (window != top)
5.5% if (window.top !== window.self)
2% if (window.self != window.top)
2% if (parent && parent != window)
2% if (parent && parent.frames && parent.frames.length>0)
2% if((self.parent&&!(self.parent===self))&&(self.parent.frames.length!=0))

Counter action statement

Unique sites

counter-action

7 7 top.location = self.location
4 4 top.location.href = document.location.href
3 3 top.location.href = self.location.href
3 3 top.location.replace(self.location)
2 2 top.location.href = window.location.href
2 2 top.location.replace(document.location)
2 2 top.location.href = window.location.href
2 2 top.location.href = “URL”
2 2 document.write(”)
2 2 top.location = location
2 2 top.location.replace(document.location)
2 2 top.location.replace(‘URL’)
1 1 top.location.href = document.location
1 1 top.location.replace(window.location.href)
1 1 top.location.href = location.href
1 1 self.parent.location = document.location
1 1 parent.location.href = self.document.location
1 1 top.location.href = self.location
1 1 top.location = window.location
1 1 top.location.replace(window.location.pathname)
1 1 window.top.location = window.self.location
1 1 setTimeout(function(){document.body.innerHTML=”;},1);
1 1 window.self.onload = function(evt){document.body.innerHTML=”;}
1 1 var url = window.location.href; top.location.replace(url)

Frame busting or the Frame killer defence is a simple but effective method of protecting users from clickjacking attacks. Developers add a small JavaScript snippet at the start or end of the page; this prevents the particular page from being added into an iframe on another webpage.

<script>
if(top != window) {
top.location = window.location
}
</script>

Consider the snippet given above: it prevents the value of top.location from being changed, preventing attackers from redirecting the user to another webpage. However this method is very easy to circumvent; this is particularly true for IE, which offers a special iframe “restricted” element, which prevents the use of JavaScript inside an iframe.

<iframe security="restricted"
src="http://javascript.info/files/tutorial/window/changetop.html"
style="height:80px"></iframe>
  • X-Frame Options

Yet another server side clickjacking defense is through the use of X-Frame options. This method was first suggested by Microsoft to protect users against framing based attacks. This is also a best technique to defend against XSS attacks as well. The defence works by including a new option in the HTTP header called X-Frame-Options, which can take the following values:

  • ” DENY: prevents any domain from framing content (recommended)
  • ” SAMEORIGIN: allows only current domain to frame content
  • ” ALLOW-FROM uri: allows only the specified ‘uri’ domain to frame content

When DENY is given, the website can’t be displayed in a frame. When SAMEORGIN is given, the website will be displayed in the frame only if the origin of the top level browsing content is same as the origin of the content containing X frame options directive.

When ALLOW-FROM is given, the browser will block rendering only if the origin of the top level browsing content is different than the value supplied with Allow-From directive.

The X-Frame options are used to find out whether the browser is allowed to render a page in iframe. By enabling one of these options the web site owners can effectively allow or deny third parties from adding frames to other websites. X-Frame options are the most effective method of cutting down on all sorts of iframe attacks. This has the added advantage of being supported by all major browsers. The ALLOW-FROM option is a relatively new option and is not yet supported by all browsers, so this option should not be depended upon for security; it may fail on some browsers, leaving users open to clickjacking attacks.

Initially, not all browsers supported X-frames, but gradually as the attack on clickjacking kept increasing, browsers started to include methods to support X-frames. The following table shows the browsers that support X-frames. The X-frame setting needs to be done from the webserver side and from network devices. Big IP LTM (local traffic manager) has also the capability to set X-frames, which prevents attacks like clickjacking and XSS.

Browser Chrome FireFox IE Opera Safari
Version 4.1.249.1042 3.6.9 (1.9.2.9) 8 10.5 4.0

References