Clickjacking is a technique used to exploit users into clicking on something they didn’t mean to. It’s done by overlaying an illegitimate button or link overtop of the one that the user intended to click on.
Clickjacking can be used for malicious purposes, such as stealing your login credentials or installing malware on your computer. In this blog post, we will discuss what Clickjacking is, the dangers and how you can protect your site from being exploited!
What is Clickjacking?
Clickjacking is a technique used by attackers to trick users into clicking on something that they didn’t mean to. It’s done by overlaying an illegitimate button or link over the top of the one that the user intended to click on. It is an interface-based attack.
Users who are unaware of Clickjacking are the most prone to it. Clickjacking can be done through malicious ads, or by using social engineering tactics to lure the user into clicking on a link. Attackers will often use buttons that look very similar to the legitimate ones, in order to increase their chances of fooling the user.
How does Clickjacking Work?
Clickjacking works by embedding an HTML frame from one website into another. The attacker then tricks the user into clicking on the frame, which results in the user taking some action on the attacker’s website – without them even knowing it!
For example, let’s say you’re visiting a website and you see a button that says “Click here to win a prize!”. However, what you don’t realise is that this button is actually an HTML frame from the attacker’s website. When you click on it, you’re actually taking some action on the attacker’s website – without even knowing it!
The Dangers of Clickjacking
Clickjacking can be used for several different malicious purposes, such as:
Stealing your Login Credentials
Whatever you have typed into the login form on the legitimate website will be sent to the attacker’s website instead. From there, the attacker can use your credentials to login to the legitimate website as you!
If you’re tricked into clicking on a button that looks like it’s from your bank’s website, you might enter your login credentials into the attacker’s site – without even realising it! This can lead to the attacker gaining access to your bank account and stealing your money.
Installing Malware on your Computer
Through clickjacking, attackers can trick you into clicking on something that will download and install malware onto your computer. This can give the attacker complete control over your machine, allowing them to do whatever they want – without you even knowing it!
Once your device is attacked with malware, the attacker can then gain access to all of your personal information, such as your emails, photos, and even your banking information. You can get out of this malicious activity only by taking your device to the IT professional.
Displaying Unwanted Ads
Clickjacking can also be used to display unwanted ads on your screen. These ads are often from low-quality or even malicious websites, and can be difficult to close. It is different from ad injection, where the attacker modifies the ads on legitimate websites.
Turning on Web-Cam or Microphone
Clickjacking can also be used to turn on your webcam or microphone, without you even knowing it! This allows the attacker to spy on you and record everything you’re doing – without your consent. The purpose of doing this is usually to gather sensitive information or to embarrass you.
Redirecting you to a Different Website
Clickjacking can also be used to redirect you to a different website, without you even knowing it. This website might be a phishing site, designed to trick you into entering your personal information. Or, it could be a site that contains malware which will infect your computer.
How to Protect Against Clickjacking?
There are several ways that you can protect your website from being exploited by Clickjacking:
Use a Frame-Busting Code
A Frame-busting code is a piece of code that is used to prevent websites from being exploited by Clickjacking. It does this by detecting if the website is being loaded into a frame, and then disabling any functionality that could be exploited by Clickjacking. This code will prevent your website from being embedded into another website.
Use a Clickjacking Protection Plugin
There are several different Clickjacking protection plugins available, such as NoScript for Firefox and ScriptSafe for Chrome. These plugins work by preventing any scripts on the page from running unless they are from a trusted source. This helps to protect your site from being exploited by Clickjacking.
Use HTTPOnly Cookies
HTTPOnly cookies are cookies that can only be accessed by the web server. This helps to protect your cookies from being stolen by third-party scripts, which can then be used to hijack your account. You can set your cookies to be HTTPOnly by adding the following line to your .htaccess file:
Header set Set-Cookie “HttpOnly;Secure”
Use a Content Security Policy
A Content Security Policy (CSP) is a security policy that helps to protect against Clickjacking and other web-based attacks. The CSP is a set of rules that are used to specify what resources are allowed to be loaded on a web page. This helps to prevent Clickjacking attacks by preventing malicious scripts from being loaded on the page.
You can add a Content Security Policy to your website by adding the following header to your .htaccess file:
Header set Content-Security-Policy “default-src ‘self’;”
Use the X-Frame-Options
The X-Frame-Options header is used to specify whether or not a website can be embedded into another website. The three different values that can be used for this header are: SAMEORIGIN, DENY, and ALLOW-FROM.
SAMEORIGIN: This value specifies that the website can only be embedded into another website that is on the same domain.
DENY: This value specifies that the website cannot be embedded into another website.
ALLOW-FROM: This value specifies that the website can only be embedded into another website that is specified in the header. For example, if you wanted to allow your website to be embedded into www.example.com, you would use the following header:
Header set X-Frame-Options “ALLOW-FROM https://www.example.com”
You can also use multiple values for this header, by separating each value with a comma. For example, to allow your website to be embedded into both www.example.com and www.example2.com, you would use the following header:
Header set X-Frame-Options “ALLOW-FROM https://www.example.com,https://www.example2.com”
Use a Web Application Firewall
A web application firewall (WAF) is a piece of software that helps to protect your website from attacks. A WAF can be used to block Clickjacking attacks by blocking requests that contain malicious scripts.
Keep Your Software Up to Date
It is important to keep your software up to date, as Clickjacking attacks often exploit vulnerabilities in web browsers and plugins. By keeping your software up to date, you can help to protect your website from these attacks.
Educate Your Users
One of the best ways to protect your website from Clickjacking is to educate your users. Let them know about the dangers of Clickjacking and how to protect themselves. You can also add a warning message to your website that will be displayed if it is embedded into another site.
By following these steps, you can help to protect your website from being exploited by Clickjacking.
Clickjacking is a serious security threat that can be used to hijack your accounts and steal your information. By taking steps to protect your website, you can help to keep your site safe from these attacks.
If you think that your website has been compromised by a Clickjacking attack, you should contact a security expert to help you clean up the damage and secure your site.