Security Glossary: WAF

Clickjacking

Clickjacking is a deceptive cyberattack where a user is tricked into clicking on a webpage element that is either invisible or disguised as a different element. This type of attack can lead users to inadvertently perform actions such as downloading malware, visiting malicious websites, disclosing sensitive information, transferring money, or making unintended online purchases.

The attack typically involves layering an invisible webpage or HTML element over a visible page using an inline frame (iframe). To the user, the webpage appears normal, but in reality, their clicks are being redirected to this hidden layer. As a result, users believe they are interacting with the page they can see, when they are actually engaging with the invisible layer, which can lead to unintended consequences.

One common scenario of clickjacking is the manipulation of a legitimate webpage, such as a banking site, where the user might unintentionally authorize financial transactions. The attacker effectively hijacks the user’s click, redirecting it for their own benefit.

There are various forms of clickjacking attacks:

  • Likejacking: This variation targets social media platforms, such as Facebook. It involves manipulating the “Like” button so that users unknowingly “like” a page or content they did not intend to endorse. This technique can spread malicious content or inflate the popularity of a page fraudulently.
  • Cursorjacking: Another variant involves altering the user’s cursor position. The attacker changes the appearance or position of the cursor, misleading the user about their actual click location on the screen. This method has historically exploited vulnerabilities in web browsers and plugins like Flash, many of which have since been patched.

To protect against clickjacking, various defensive strategies can be employed. These include implementing frame-busting scripts, which prevent a webpage from being displayed within an iframe, and utilizing security features like the X-Frame-Options HTTP header, which restricts whether, and by which sites, a page can be framed. Users can also increase their protection by keeping their browsers and plugins updated, as well as being cautious about their clicks and interactions on less familiar websites. Understanding and being aware of clickjacking tactics is crucial for both developers and users to safeguard against these deceptive and potentially harmful attacks.
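As an added example (not part of this glossary entry), the following JavaScript shows the two server-side pieces of the header defence described above: a helper that builds the anti-framing headers a site should send, and an audit helper that checks a captured set of response headers and reports whether framing by arbitrary sites is blocked. It also covers the Content-Security-Policy `frame-ancestors` directive, which modern browsers honour in preference to X-Frame-Options; the `allowedOrigins` parameter and the sample header values are assumptions of this example.

```javascript
// Added example: anti-framing response headers and an audit of a response's
// headers. Origins and header values below are constructed for illustration.

// Build the headers that stop a page from being loaded in another site's iframe.
// X-Frame-Options is the legacy mechanism; CSP frame-ancestors supersedes it in
// current browsers, so both are returned for broad coverage.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  return {
    // X-Frame-Options cannot express an allow-list of third-party origins, so
    // fall back to SAMEORIGIN there and let CSP carry the exact list.
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-ancestors 'self' ${allowedOrigins.join(" ")}`,
  };
}

// Audit response headers (plain name -> value object, names case-insensitive)
// and report whether framing by arbitrary sites is blocked and by which mechanism.
function assessFramingProtection(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
    return key === undefined ? null : String(headers[key]).trim();
  };
  const csp = get("Content-Security-Policy");
  if (csp) {
    const directive = csp.split(";").map((d) => d.trim())
      .find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      // frame-ancestors takes precedence over X-Frame-Options when both exist.
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      const open = ["*", "http:", "https:"].some((w) => sources.includes(w));
      return { protected: !open, mechanism: "csp", sources };
    }
  }
  const xfo = get("X-Frame-Options");
  if (xfo) {
    const value = xfo.toUpperCase();
    // ALLOW-FROM is obsolete and ignored by current browsers; treat it and any
    // other non-standard value as offering no protection.
    return { protected: value === "DENY" || value === "SAMEORIGIN", mechanism: "xfo", value };
  }
  return { protected: false, mechanism: "none" };
}
```

An empty `frame-ancestors` source list matches no origin, so it is reported as protected just like `'none'`.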