Questions tagged [clickjacking]

Clickjacking is an attack where the attacker overlays their own UI over a web page, "hijacking" the clicks that the victim makes on the page.

Clickjacking, also called a "UI redress attack", is an attack where the attacker hijacks the clicks that a user makes.

The attacker loads their own page in a transparent layer over the actual page. The clicks that are meant for the actual page are then redirected - they are hijacked. Thus, it is possible for a user to be genuinely authenticated on the actual page while the attacker intercepts the actions that the user takes on it and redirects them as they wish.

As a concrete example, it was possible to make people "like" something on Facebook without them knowing it using this attack. This was called "likejacking" (Facebook has since addressed the issue).

Sources and further reading:
OWASP page on Clickjacking
Wikipedia page on Clickjacking

52 questions
2 votes, 3 answers

Content Security Policy against clickjacking fails with static PoC

I have a doubt regarding the use of the Content Security Policy (CSP) as protection mechanism against clickjacking. I have created an online Proof of Concept (PoC) on a web page where I put a button that loads the URL that is specified in an input…
Lennin

2 votes, 2 answers

How to protect against clickjacking via pop-under windows?

Huang and Jackson described a method of clickjacking that does not rely on iframes, but on pop-under windows. Is this attack still relevant today, or is it prevented by pop-up blockers? Is there any way a site can protect against it? The attack…
Sjoerd

2 votes, 1 answer

To protect against clickjacking, is it safe to have a web page display its content until framing is detected?

Let's assume we have a web page that can't use X-Frame-Options, and the Clickjacking protection has to be JavaScript based. On this page, all sensitive actions and the display of sensitive information are JS based, so for the sake of the question we…
kazhtaco

2 votes, 2 answers

Should one use "framekiller" code to avoid others embedding HTTPS pages in iframes?

I found various discussions about https being embedded in iframes for various reasons. I tested it and saw that one bank site escapes the iframe and the other allows being embedded in an iframe. Google, for example, just does not load in an…
NamSandStorm

1 vote, 2 answers

How to set X-FRAME-OPTIONS where 3rd Party frame is required to be loaded?

We have set X-Frame-Options in the header as ALLOW-FROM same origin, but there is a requirement to open the page below from some 3rd party website. Do you see a security issue here? HTTP::header replace X-Frame-Options "SAMEORIGIN"
Shritam Bhowmick

1 vote, 1 answer

When is it appropriate to provide clickjacking protection for one of my website's pages?

I run a couple of websites, so I'm just wondering what is the appropriate use of clickjacking protection like the x-frame-options response header? What pages are susceptible to this kind of attack on my users?
Nick

1 vote, 0 answers

Automating Clickjacking Attack

I found a clickjacking issue in a site and the site security team told me that it would require unusual user interaction. So I wrote code above the iframe, but I was not successful in achieving it. The site had two sensitive buttons which must be…
None_None

1 vote, 0 answers

Clickjacking and XSS on file upload input?

I reported a self-XSS on a file uploader input to a bug bounty company and they said that they will only accept it if I can find a good clickjacking exploit for that input. My question is: Is it possible to make a clickjacking proof of concept on a…
Pong

1 vote, 1 answer

Tracking script creates vulnerability

I am using a third party service that provided a tracking script which, when embedded in the page, seems to create some kind of vulnerability, as occasionally people are redirected to a phishing link instead. Big flashy text pretending to be a Microsoft login that…
benikens

1 vote, 1 answer

Stealing page source via Clickjacking

I am learning JavaScript. I am also researching web based vulnerabilities to learn. I'm just wondering how JavaScript can be used to steal the page source, or any text or tokens leaking on the page, via clickjacking. I need a demo PoC to see how it…
1 vote, 1 answer

X-Frame-Options header on redirect

I have several web applications running on my server (Debian 8 running Apache). One of my customers wants to improve the security of his app, after having some security audits carried out by a third-party company he showed me the vulnerabilities he…
bomba

1 vote, 1 answer

Loading a logged in page in an iframe

Suppose www.youtube.com has no X-Frame-Options set. Imagine I'm already logged in to YouTube. Now, from another web page in the same browser, I load YouTube in an iframe; will the browser send all the auth cookies to the YouTube loaded in the…
1 vote, 3 answers

How to avoid clickjacking in HTML and JavaScript

I tried to put the following code in HTML but it is not helping me avoid the clickjacking: meta http-equiv="X-Frame-Options" content="DENY" I wrote the following code in JavaScript: if (self == top) { …
1 vote, 1 answer

If the site is not loaded in the frame, is the site vulnerable to clickjacking?

I came across this question on SE: How does this test prove my application is vulnerable to clickjacking attacks? I have a follow-up question and doubt; please help me to clear it. As per…
Rndp13

0 votes, 1 answer

Protect from Facebook like clickjack

In the past month I've seen a better grade growth in sites that have clickjacking scripts that make you like the webpage or the Facebook site's Page when you click anywhere on the page. I have even seen sites that have this for "on Page close". I am…