Definition
"Clickjacking
is a malicious technique of tricking web users into revealing confidential
information or taking control of their computer while clicking on seemingly
innocuous web pages."
Introduction
A vulnerability across a variety of browsers and platforms, clickjacking takes
the form of embedded code or script that can execute without the user's
knowledge, such as a click on a button that appears to perform another
function.
The long list of vulnerabilities involves browsers, web sites and plug-ins like
Flash.
How It Works?
ClickJacking is a little difficult to explain, so try to imagine any button
that you see in your browser: the Wire Transfer button on your bank's site, the
Post Blog button on your blog, the Add User button on your web site, Google
Gadgets, and so on.
ClickJacking gives the attacker the ability to invisibly float these buttons
on top of other innocent-looking objects in your browser.
So when you try to click on the innocent object, you are actually clicking on
the malicious button that is floating invisibly on top of it.
In other words, the attack is mounted by a malicious web page embedding objects,
possibly from a different site, such as framed documents or plugin content
(Flash, Silverlight, Java…) which may lead to unwanted results if clicked by
the current user (e.g. a “Delete all messages” button in your webmail or an
advertisement banner in a click fraud scheme). Using DHTML, and especially CSS,
the attacker can disguise or hide the click target in several ways that go
completely undetected by the user, who is easily tricked into clicking it more
or less blindly.
JavaScript increases the effectiveness of these attacks hugely, because it can
make the invisible target constantly follow the mouse pointer, intercepting the
user's first click without fail.
We can however imagine a few less effective but still feasible scriptless
scenarios, e.g. covering the whole window with hidden duplicates of the target
or overlaying an attractive element of the page, likely to be clicked (e.g. a
game or a porn image link), with a transparent target instance.
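Since the attack depends on the victim page being embeddable in an attacker's frame, the server-side countermeasure is to forbid framing. The following added example (not code from the original article) checks a response's X-Frame-Options and Content-Security-Policy headers the way a browser would and produces the headers a site should send; it runs offline under Node.js on constructed header objects.

```javascript
// Added example, not from the original article: a defender-side check of the
// response headers that stop a page being framed. Pure parsing, no network.

// X-Frame-Options: browsers honour only DENY and SAMEORIGIN. Anything else
// (ALLOW-FROM, "ALLOWALL", typos) is ignored and gives no protection.
function parseXFrameOptions(value) {
  if (!value) return null;
  const v = value.trim().toLowerCase();
  return v === 'deny' || v === 'sameorigin' ? v : null;
}

// frame-ancestors source list from a Content-Security-Policy header,
// lower-cased, or null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Could an arbitrary third-party page frame this response? `headers` is keyed
// by lower-case name as Node's http module provides. When frame-ancestors is
// present browsers ignore X-Frame-Options, so CSP is evaluated first.
function assessFramingProtection(headers) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors) {
    const anyOrigin = ancestors.some((s) => ['*', 'http:', 'https:'].includes(s));
    return anyOrigin
      ? { protected: false, reason: 'frame-ancestors permits any origin' }
      : { protected: true, reason: `frame-ancestors ${ancestors.join(' ')}` };
  }
  const xfo = parseXFrameOptions(headers['x-frame-options']);
  if (xfo) return { protected: true, reason: `X-Frame-Options ${xfo}` };
  return { protected: false, reason: 'no effective anti-framing header' };
}

// Headers a server should send: CSP for current browsers plus X-Frame-Options
// for old ones (which cannot express a third-party allow list, hence SAMEORIGIN).
function framingHeaders(allowedOrigins = []) {
  const sources = allowedOrigins.length ? allowedOrigins.join(' ') : "'none'";
  return {
    'content-security-policy': `frame-ancestors ${sources}`,
    'x-frame-options': allowedOrigins.length ? 'SAMEORIGIN' : 'DENY',
  };
}
```

Run `assessFramingProtection` over the headers of each sensitive page (webmail, banking actions) and treat `protected: false` as a finding; `framingHeaders()` gives the strict configuration to apply.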
Examples
- Malicious camera spying using Adobe's Flash.
- A Flash, Java, Silverlight or DHTML game or application used to spy on your
webcam and/or microphone.
Defense
The best defense against ClickJacking attacks is to use Firefox with the
NoScript add-on installed.