Clickjacking Attack and Protection for Developers | Lucideus Research

Clickjacking is a technique that uses transparent or opaque layers to trick a user into clicking a hidden button or link on a web page. The click is then routed to a destination the user never intended, such as a malicious link.
Different forms of clickjacking let attackers trick users into actions such as changing a status on Facebook or sending money to the attacker's account. Clickjacking is also called a "User Interface redress attack", "UI redress attack", or simply "UI redressing".

This kind of attack is common in bank fraud. In this article we analyze a proof of concept (POC) of clickjacking and the ways to remediate the vulnerability. To carry out the attack, the attacker creates a seemingly harmless web page that loads the target application in an iframe (suitably concealed with CSS). The attacker then induces the victim to interact with this decoy page by other means, for example social engineering. As with other attacks of this kind, a common prerequisite is that the victim is already authenticated to the target website.

Proof of Concept:

To perform the proof of concept for clickjacking we need a basic understanding of HTML. In this POC we will create two HTML pages. The first page contains the message "click here to win the prize". It looks like a harmless page that gives the user a chance to win a prize by clicking a button. Hidden behind this page, however, is the target page loaded in an iframe, so when the user clicks the button (believing it is for winning the prize) the attacker can make the user perform actions such as transferring funds to the attacker's account or downloading malware. So now let's start with the POC.

Step 1: We need three computers on the same network for this POC (it can just as easily be done on a single machine or with VMs). Set up the Apache web server on computers A and B to host the web pages. Computer C is the machine of the unsuspecting user who will be the victim of this POC. To install Apache, use the following commands:

sudo apt-get install apache2
sudo service apache2 start

Step 2: Now let's craft a bank transaction page with a button that transfers 10 million dollars from the victim's account to the attacker's account. Host this page on machine A.
The basic HTML code for this page (bank.html) is:

    <html>
    <form action="/jack.html">
    Transfer 10 Million Dollars to XYZ Bank
    <input type="submit" value="Yes">
    </form>
    </html>

Step 3: On clicking the "Yes" button on the bank page, we display the message "You have been clickjacked!!!!!". This page can be coded simply as (jack.html):

<br><br>You have been clickjacked!!!!!

This page is part of the Bank website and is also hosted on machine A.

Step 4: Now we craft the page that traps the victim. First, let's load the Bank website in an iframe.

    <p> Congrats you are one of the lucky winners!!!</p>
    <div id='clickjack'>
        <iframe src="http://<ip address of machine A>/bank.html" width="326" height="70" frameBorder="0"></iframe>
    </div>

This page will look like the one below:

Here we have loaded bank.html into a second page, Attack.html, inside an iframe, and we have removed the iframe border with the frameBorder="0" attribute so that the frame looks like part of the same page. Next we use CSS to build the trap.

Step 5: After adding the CSS, the Attack.html page looks like the one below:

Here we have covered the Bank page's real message with a fake prize message, but left the button in place for the victim to click. This web page is hosted on computer B. The final code of Attack.html is:

    <style>
    #over { font-size:30px; position:absolute; top:45px; left:16px; z-index:2 }
    </style>
    <p> Congrats you are one of the lucky winners!!!</p>
    <div id='clickjack'>
        <iframe src="http://<ip address of the machine A>/bank.html" width="326" height="70" frameBorder="0"></iframe>
        <div id="over"><mark>click here to win prize</mark></div>
    </div>


Step 6: The victim, from his or her own system (machine C), opens Attack.html and clicks the "Yes" button to "win the prize". The result, however, is:

This simple POC is enough to show how easily a user can be trapped on the internet. Next we discuss the measures needed to prevent this type of attack.

Now the question is: how can we remediate clickjacking on our web pages?
There are several ways to prevent clickjacking, but the best-known approach is a form of "frame-breaking" that stops other websites from framing the page you wish to protect.
We will discuss two methods of implementing frame-breaking.

X-Frame-Options HTTP response header

The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites use it to avoid clickjacking attacks by ensuring that their content is not embedded in other sites.
The added protection applies only when the user's browser supports X-Frame-Options.

Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration (the always keyword makes Apache add the header to error responses as well):

Header always set X-Frame-Options SAMEORIGIN

To configure Apache to set X-Frame-Options to DENY, add this to your site's configuration:
Header set X-Frame-Options DENY

To configure Apache to set X-Frame-Options to ALLOW-FROM a specific host, add this to your site's configuration:
Header set X-Frame-Options "ALLOW-FROM https://example.com/"
Note that current browsers do not implement ALLOW-FROM and ignore the header when they encounter it, so this value cannot be relied on for protection.

Configuring nginx

To configure nginx to send the X-Frame-Options header, add this to your http, server or location block:

add_header X-Frame-Options SAMEORIGIN;

Javascript frame-breaking script (Framebuster)

Frame busting can be achieved with a simple JavaScript technique, for example:

 <script type="text/javascript">
 // If this document is not the top-level window, replace the framing page with this one.
 if (top !== self) top.location.replace(self.location.href);
 </script>
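As an added check that is not part of the article or of Lucideus' own code: a Node.js function that classifies whether the headers of a saved HTTP response would let a browser frame the page, the way a scanner or CI job would verify the Apache and nginx settings above. The sample header sets are constructed and reuse the three Apache values from this article, plus a Content-Security-Policy frame-ancestors case, which browsers honour in preference to X-Frame-Options.

```javascript
// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Classify a response's framing protection; framable is 'yes', 'no' or 'unclear'.
function assessFramingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  // Browsers that support frame-ancestors ignore X-Frame-Options when the directive is present.
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.includes('*')) return { framable: 'yes', reason: 'frame-ancestors allows any origin' };
    if (ancestors.length === 0 || ancestors.includes('none')) return { framable: 'no', reason: "frame-ancestors 'none'" };
    return { framable: 'no', reason: 'frame-ancestors limited to ' + ancestors.join(' ') };
  }

  const xfo = h['x-frame-options'];
  if (xfo === undefined) return { framable: 'yes', reason: 'no X-Frame-Options or frame-ancestors header' };
  // A header emitted twice (e.g. by two config layers) arrives as a comma-joined list.
  const values = [...new Set(xfo.split(',').map((v) => v.trim().toUpperCase()))];
  if (values.length > 1) return { framable: 'unclear', reason: 'conflicting X-Frame-Options values; send exactly one' };
  if (values[0] === 'DENY' || values[0] === 'SAMEORIGIN') return { framable: 'no', reason: 'X-Frame-Options ' + values[0] };
  if (values[0].startsWith('ALLOW-FROM')) return { framable: 'yes', reason: 'ALLOW-FROM is not implemented by current browsers; header ignored' };
  return { framable: 'yes', reason: 'unrecognised X-Frame-Options value ignored: ' + xfo };
}

// Constructed sample responses: the three Apache settings from the article, a CSP page, no header, a doubled header.
const SAMPLES = {
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  deny: { 'x-frame-options': 'DENY' },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://example.com/' },
  csp: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'", 'X-Frame-Options': 'ALLOW-FROM https://example.com/' },
  bare: {},
  conflicting: { 'X-Frame-Options': 'DENY, SAMEORIGIN' },
};

// Map each sample name to its verdict, e.g. { sameorigin: 'no', allowFrom: 'yes', ... }.
function scanSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = assessFramingProtection(headers).framable;
  return out;
}
```

Feed assessFramingProtection the real headers of bank.html (for example from curl -I) after deploying the configuration to confirm the setting actually took effect.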

