Clickjacking

from Wikipedia, the free encyclopedia

Clickjacking is a technique in which an attacker overlays the display of a website and thereby causes its users to perform mouse clicks and/or keystrokes that appear harmless.

How it works

Attackers lure unsuspecting users into clicking on objects that appear to be in the foreground. In fact, however, the click reaches the original content (a button or link) of the underlying website. In this way the user, instead of merely clicking the expected link at that spot, triggers whatever action the attacker has defined.

This affects pages that contain, for example, links and buttons for configuring system settings. While the user believes he is making harmless entries on a website, he is actually changing, without realizing it, e.g. the settings of a connected camera or microphone.

For example, a website's button that submits login data can be overlaid with a button that is invisible to the user. This can be used to transmit the entered information to the attacker.

Countermeasures

Clickjacking is a conceptual problem of JavaScript and web application security. It is not caused by an "error" on the part of the application programmer, so countermeasures are not trivial.

Almost all browsers have now introduced the option for web applications to send an "X-Frame-Options" header, which tells the browser whether the website may be displayed in a frame or not. The possible values are "DENY" (the page may not be displayed in a frame), "SAMEORIGIN" (the page may only be displayed by frames on the same domain) and "ALLOW-FROM" (the page may be displayed by the specified domain and URL). The prerequisite for this protection is that it is supported by both the web application and the browser. The header is not yet an official standard. It is supported by Internet Explorer from version 8.0, Firefox from 3.6.9, Opera from 10.50, Safari from 4.0 and Chrome from 4.1.249.1042. Konqueror only supports this option when using the WebKit engine, which replaces the older KHTML.
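To make the header's three values concrete, here is an added example (not part of the original article) that evaluates an X-Frame-Options header the way a supporting browser would, and a minimal handler that sends it. The URLs and header dictionaries are constructed sample values.

```python
from urllib.parse import urlsplit
from http.server import BaseHTTPRequestHandler


def _origin(url):
    # scheme://host[:port], lower-cased: the unit compared for SAMEORIGIN and ALLOW-FROM
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def may_frame(headers, page_url, embedder_url):
    """Return True if a browser honouring X-Frame-Options would render
    page_url inside a frame hosted on embedder_url.
    headers: response headers as a dict; names are matched case-insensitively."""
    value = None
    for name, val in headers.items():
        if name.lower() == "x-frame-options":
            value = val.strip()
            break
    if value is None:
        return True  # no header at all: any site may frame the page (the unsafe default)
    policy = value.upper()
    if policy == "DENY":
        return False
    if policy == "SAMEORIGIN":
        return _origin(page_url) == _origin(embedder_url)
    if policy.startswith("ALLOW-FROM"):
        allowed = value[len("ALLOW-FROM"):].strip()
        return _origin(embedder_url) == _origin(allowed)
    # Unrecognised value: browsers ignore the header, so the page stays framable
    return True


class NoFramingHandler(BaseHTTPRequestHandler):
    """Hypothetical settings page that refuses to be framed by anyone."""

    def do_GET(self):
        body = b"<html><body>account settings</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("X-Frame-Options", "DENY")  # refuse all framing
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    page = "https://example.test/settings"  # constructed sample page
    for hdr in ({}, {"X-Frame-Options": "DENY"}, {"x-frame-options": "sameorigin"},
                {"X-Frame-Options": "ALLOW-FROM https://partner.example.test"}):
        for embedder in ("https://example.test/", "https://partner.example.test/", "https://other.test/"):
            print(hdr, embedder, "->", "framable" if may_frame(hdr, page, embedder) else "blocked")
```

Note that browsers which never implemented ALLOW-FROM (Chrome and Safari among them) treat it as an unrecognised value and ignore the header entirely, which is exactly the fall-through case at the end of may_frame.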

There is also the option of preventing the display of the page in older browsers with the help of a JavaScript frame killer (frame-busting script). It must be noted, however, that the page has to be hidden before the JavaScript is executed and only displayed after a successful frame check; otherwise the frame killer can be circumvented.

<style> html { display: none; } </style>
<script>
   /* The page stays hidden until the frame check has passed, so that
      nothing is shown if the script is blocked or runs late. */
   if (self === top) {
       document.documentElement.style.display = 'block';  /* not framed: show the page */
   } else {
       top.location = self.location;  /* framed: break out of the enclosing frame */
   }
</script>
