Questions tagged [clickjacking]

Clickjacking is an attack where the attacker overlays their own UI over a web page, "hijacking" the clicks that the victim makes on the page.

Clickjacking, also called a "UI redress attack", is an attack where the attacker hijacks the clicks that a user makes.

The attacker loads their own page in a transparent layer over the actual page. The clicks that are meant for the actual page are then redirected: they are hijacked. Thus a user can be genuinely authenticated on the actual page while the attacker intercepts the actions that the user makes on it and redirects them as the attacker desires.

As a concrete example, it was possible to make people "like" something on Facebook without them knowing it using this attack. This was called "likejacking" (Facebook has since addressed the issue).

Sources and further reading:
OWASP page on Clickjacking
Wikipedia page on Clickjacking

52 questions
4 votes, 1 answer

Is the Framekiller really safe against clickjacking?

I am using this code. In the header section of the page, this CSS rule: html{display:none;} And then this javascript: if (self == top) document.documentElement.style.display = 'block'; else top.location = self.location; Can I consider it safe…
user1014351
3 votes, 1 answer

Protect against clickjacking but allow framing on domain?

I'd like to protect against clickjacking using the X-Frame-Options header, but we occasionally frame secure content on the insecure version of our site1: Since it looks like only Firefox currently supports the ALLOW-FROM form of the header, I'm…
s4y
3 votes, 4 answers

How to detect bots clicking a link?

I own a url shortening service. I want to deliver only legitimate statistics to my clients. There are possible scenarios that a particular user writes a script to automatically open the shortened URL, thus making the statistics look bad. What are…
Ishan Jain
3 votes, 2 answers

Under what circumstances is my website vulnerable to clickjacking?

Most of the examples I have read start with a malicious website. Let's say I am creating a website without malicious intent. When does the website become vulnerable to clickjacking? Can this occur without an XSS vulnerability or without my server…
3 votes, 2 answers

How to protect a mobile website against encapsulation into a rogue native mobile app?

We are developing a mobile application (m.website.com). Is there a way to prevent a rogue developer from building an iOS / Android native app that simply encapsulates our website into the app using Webkit to perform UI Redress attacks or clickjacking…
MGagnon
2 votes, 3 answers

Clickjacking on a site without user accounts

My understanding of clickjacking attacks is that an attacker could embed my site in his. The attacker then uses clever styling to trick the user into performing actions on my site that they did not intend to perform. Suppose my site does not have…
Gus
2 votes, 1 answer

Malicious email in Outlook Sent folder, could it be a clickjacking exploit?

Recently I discovered there are malicious emails (with HTM attachment) in the Sent folder of an @hotmail account to some unknown recipients (in the Outlook app on an iPad). I immediately proceeded to change the password and enabled 2FA to block unauthorized…
Zephyr
2 votes, 0 answers

Implementing Checkmarx suggested clickjacking fix introduces high severity Client DOM XSS vulnerability

My organization has scanned our code using Checkmarx and the low severity issue Potential Clickjacking on Legacy Browsers was detected due to a JavaScript function firing on an HTML image click event. We have implemented the following suggested…
W. Young
2 votes, 0 answers

Can this recommended OWASP framekiller code for protecting browsers that don't support X-Frame-Options be circumvented?

I have read and seen that javascript framekiller code doesn't seem to be widely espoused as a panacea solution. Its target use case seems to primarily be for legacy browsers or old browser versions that don't support X-Frame-Options. I am not sure…
user1821961
2 votes, 0 answers

How much good can the X-Frame-Options HTTP header do against click-jacking?

The X-Frame-Options HTTP header is used to tell whether a webpage is allowed to be used in a frame/iframe. Frames can be used for click-jacking/UI-redress attacks. It is advised to set X-Frame-Options to 'DENY' to prevent the page being used for…
2 votes, 1 answer

Is it okay to only provide clickjacking protection on the login page?

I have a question about Clickjacking. The question is quite simple. Imagine a login flow like this: You visit the application login page, eg https://example.com/login.html. There is no Clickjacking protection (i.e. the X-Frame-Options header) on…
2 votes, 1 answer

How to prevent the following clickjacking attack?

The Security attribute was implemented to prevent XSS attacks in iFrames by disabling any JS implemented in the iFrame source, therefore indeed eliminating XSS attacks, but also disabling any security scripts like frame busters, killers, etc. For…
Boaz Tirosh
2 votes, 2 answers

Clickjacking vulnerability of file attachment downloads?

A portion of our system exposes an HTTP file handler that transmits a file to the client provided that authentication and file ID are correct, and no response if not. The ASP.net server this is hosted on is instructed to add an X-Frame-Options…
Dan
2 votes, 2 answers

How can someone stop clickjacking?

I was looking at a lecture on clickjacking and when I tried to create an iframe to go to a website, I noticed that websites without https are vulnerable to clickjacking. Is there another way to stop clickjacking without SSL or do you need to use…
2 votes, 1 answer

Bypassing x-frame options possibility discussion

This has something to do with a different post I made: Other post. While researching this a bit further I found the following blog post: blog elev. As I understand it, this guy reads all content of a website and then displays it in his iframe. This way…
Wealot