Questions tagged [clickjacking]

Clickjacking is an attack where the attacker overlays their own UI over a web page, "hijacking" the clicks that the victim makes on the page.

Clickjacking, also called a "UI redress attack", is an attack where the attacker hijacks the clicks that a user makes.

The attacker loads their own page in a transparent layer over the actual page. The clicks that are meant for the actual page are then redirected - they are hijacked. Thus, it is possible for a user to be genuinely authenticated on the actual page while the attacker intercepts the actions that the user makes on it and redirects them as the attacker desires.

As a concrete example, it was possible to make people "like" something on Facebook without them knowing it using this attack. This was called "likejacking" (Facebook has since addressed the issue).

Sources and further reading:
OWASP page on Clickjacking
Wikipedia page on Clickjacking

52 questions
37 votes, 2 answers

Is Clickjacking a real security vulnerability?

As I understand it, this is how an attacker would exploit clickjacking: Create a new website malicioussite.com which includes my site in a frame, but overlays malicious input fields or buttons over the HTML elements of my site. Send out phishing…
Nathan
13 votes, 4 answers

How do I protect myself from clickjacking attacks?

I've seen many friends getting clickjacked on Facebook and similar sites. How does one detect and prevent clickjacking? How should I teach my friends to do the same?
Manishearth
12 votes, 2 answers

How to protect against clickjacking attack but allow legit iframes?

I'm aware of modern anti-clickjacking approaches, such as the X-Frame-Options header or framekiller scripts. But all these tactics prevent content from being inside an iframe. But what if there is a requirement for content to be in an iframe, such as Twitter…
9 votes, 3 answers

How to add X-Frame-Options header to a simple HTML file?

I am having trouble adding the X-Frame-Options header to a simple HTML file. Is there any way to do it using JavaScript?
sam
7 votes, 1 answer

Protection against clickjacking in Firefox without installing addons?

On some of my workstations I never allow Javascript in Firefox. The NoScript addon is installed on these machines, but I would like to remove it and disable Javascript via about:config instead. However, it seems that NoScript also protects against…
user83098
5 votes, 2 answers

How to trace source of clickjacking attack within a website using developer tools?

When surfing a popular Wordpress website on my mobile, clicking on a link to an article within would sometimes open a new window to a malicious website or launch the Apps Store. I am interested to find out how this is being done using the developer…
Question Overflow
5 votes, 1 answer

Content-Security-Policy: Getting weird reports with frame-ancestors 'self'

Right now, I maintain the Content-Security-Policy for https://www.lidl.de, which is: Content-Security-Policy: frame-ancestors 'self'; block-all-mixed-content; report-uri https://lidlcsp.report-uri.io/r/default/csp/enforce; The part with…
HorstKevin
5 votes, 2 answers

Is this a secure method for dynamically setting X-Frame-Options? (multiple domains)

The X-Frame-Options header will prevent your site from being iframed by other domains. On browsers that accept the ALLOW-FROM directive you are limited to specifying only a single origin. You could use a CSP 2.0 frame-ancestors directive for modern…
Alex Urcioli
5 votes, 1 answer

How to "deliver" a clickjacking attack?

How can a hacker deliver a clickjacking attack? Does the hacker need to manipulate a "good.com" website and change its original code? Does the hacker create an "evil.com" website and just put a transparent layer with malicious code over the…
Bob
4 votes, 2 answers

Is it necessary to use X-FRAME-OPTIONS to prevent ClickJacking attacks?

I use this JavaScript code, and it works perfectly: if (top.location != location) top.location.href = location.href Many researchers told me not to use this. Can anyone bypass it? Are there any risks in using this, and if yes, what? One of them told me…
Ashesh
4 votes, 4 answers

How can this prove a clickjacking vulnerability?

How does just putting a site link in an iframe (and when opens in iframe) indicate that the site is vulnerable to a click jacking attack? I have also read that if the site is a forum base, then the vulnerability could be critical. Why? please…
user80851
4 votes, 1 answer

How to create a secure embeddable HTML form?

I have an https website and I want to let other websites embed one of the pages on my website that lets users of my service log in and submit a form, similar to Paypal's payment iframe or Plaid's Link. Many such services exist, and from what I have…
4 votes, 1 answer

How to steal source code through clickjacking?

Is it possible to steal the source code through clickjacking, so that the attacker can also steal the CSRF tokens? This is a demo attack website:

DRAG…

4 votes, 1 answer

iframe Checkout Procedure

I'm working for a company that wants to allow anyone to embed an iframe in which users can buy products on potentially any site. So it would be a typical use case for users to enter in their credit card info into this iframe. I'm aware that…
clarkatron
4 votes, 2 answers

Bypass x-frame-options for clickjacking

Is there any way to bypass the x-frame-options header without using a MitM or changing the packets in another way? So actually getting a site that has x-frame-options: DENY to be shown in an iframe.
Wealot