Did You Click That Button? It Could Be Clickjacking!

Himashi Karunathilake
3 min read · May 15, 2023


Image from Adobe Stock

What is Clickjacking?

Have you ever clicked on a link or button on a website, only to find yourself unintentionally performing a different action? It could be a result of clickjacking. So, what exactly is clickjacking?

Clickjacking (also known as “UI Redress Attack”) is a type of attack that deceives users into clicking something they didn’t intend to. In such attacks, a malicious actor tricks users into clicking on a hidden button or link disguised as a legitimate one.

How Does It Work?

Clickjacking works by placing an invisible or transparent layer over (or under) what looks like a legitimate button or link. The visible element is made to look like the one the user intends to click, while the click actually lands on the hidden element. The attacker thereby uses that hidden button or link to perform actions on the user’s behalf without the user’s knowledge or consent.

How to Protect Against Clickjacking?

  1. Keep software up to date.
  2. Use an up-to-date web browser.
  3. Use plugins / extensions that provide protection against clickjacking.
  4. Check URLs before clicking on them.
  5. Be wary of pop-ups.
  6. Use anti-malware software.

Example Scenario

GitHub Link: Himashi-Karunathilake/Clickjacking (github.com)

In this example, there are 6 HTML files to be considered.

Both vulnerable_homepage.html and not-vulnerable_homepage.html have a “Start Journey” button that directs the user to a page called galaxy.html when clicked.

Home page with the “Start Journey” button
The galaxy.html page

The two pages test_clickjacking_vulnerable.html and test_clickjacking_not-vulnerable.html check whether vulnerable_homepage.html and not-vulnerable_homepage.html, respectively, are susceptible to clickjacking attacks.

When the test_clickjacking_vulnerable.html file is opened in a web browser, it can be seen that vulnerable_homepage.html is loaded into an iframe and that the “Start Journey” button inside this iframe still directs the user to the galaxy.html page (i.e., the web page works as expected within the iframe, so users could mistake it for the legitimate page).

Home page loaded within an iframe
The galaxy.html page that was loaded as a result of clicking the “Start Journey” button in the iframe

However, when the test_clickjacking_not-vulnerable.html file is opened in a web browser, the user is redirected to an error.html page, indicating that this page is not susceptible to clickjacking.

The error.html page loaded as a result of being unable to load the home page to an iframe
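The following is an added example of my own, not code from the article’s GitHub repository, that models both sides of the iframe test described above: the client-side check a protected page can run to send a framed copy of itself to an error page (assumed here to be named error.html, as in the scenario), and the HTTP response-header check a defender would run, since headers are the protection browsers enforce before any script executes. The `win` parameter is a window-like object so the logic can run outside a browser.

```javascript
// Client-side frame detection, the core of a "frame-busting" script.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Reading win.top across origins throws; that alone proves we are framed.
    return true;
  }
}

// Navigate a framed document to errorUrl. Returns the URL navigated to,
// or null when the page is top-level and nothing needs to happen.
function bustFrame(win, errorUrl) {
  if (!isFramed(win)) return null;
  win.location.href = errorUrl;
  return errorUrl;
}

// headers: plain object keyed by lower-case header name (the shape node's
// http module uses). Returns { protected, reason } for the framing policy.
function framingProtection(headers) {
  const csp = headers['content-security-policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const sources = m[1].trim().split(/\s+/)
      .map(s => s.replace(/'/g, '').toLowerCase());
    if (sources.includes('*') || sources.some(s => /^https?:$/.test(s))) {
      return { protected: false, reason: 'frame-ancestors allows any origin' };
    }
    return { protected: true, reason: 'frame-ancestors ' + sources.join(' ') };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: 'X-Frame-Options ' + xfo };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete; modern browsers ignore it, so it protects nothing.
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is ignored' };
  }
  return { protected: false, reason: 'no framing restriction in headers' };
}
```

A page that relies only on `bustFrame` can still be defeated by sandboxed iframes, so `framingProtection` is the check that matters: a vulnerable_homepage.html served without either header will report `protected: false`.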

Conclusion

In conclusion, clickjacking is a deceptive technique used by malicious actors to trick users into unknowingly interacting with hidden elements on a web page. It can lead to various security risks, such as unauthorized actions, data theft, or installation of malicious software. Understanding clickjacking and being aware of its potential dangers is crucial for internet users to protect themselves online.
