Click Jacking

This is a hacking method where the hacker is getting the user to click on a resource that is not the resource that the user is intending to click. This can be a swapped resource but is typically a hidden clickable layer. The button can either be clear and steals the click of the user or it can be opaque and innocuous like a video play button, but the click falls through it and clicks the iframed item hiding behind it. Use the opacity and z-axis html settings to position and hide one of the layers.

<html>
    <head>
        <title>clickjacking.site</title>
    </head>
    <style type="text/css">
        #myframe{
            width: 100%;
            height: 600px;
            border: none;
            position: absolute;
            top: 0px;
            bottom: 0px;
            left: 0px;
            right: 0px;
        }
    </style>
    <body>
        <frame id="myframe" src="TargetPage.site" scrolling="no"></frame>
    <body>
</html>

Page layering:

Use opacity and z-index to layer the html. Example sets may look like:

Layer1) zindex:1; opacity:0.2; and Layer2) z-index: -1; In a real attack the opacity would be at 0.

The inverse is also possible depending on the click jack relationship we want to abuse.

Mitigations:

There are many methods that have been used over the years. The list below is an approxomet order of which to use for threat mitigation. Combining several will always be the best solution.

• HTTP X-Frame-Options= <Deny or Same Origin>

• Browser Frame-Breaker

• Content security policy

• Embedded JavaScript iframe escape in page

Mitigation circumvention:

If the Embedded JavaScript iframe killer is the method used this can be defeated by the hacker site.

<script>
    if(top != window){
        top.location = window.location
    }
</script>

Common Clickjack Activities:

Likejacking: Facebook like button clickjacking

Cursorjacking: Modifying the mouse cursor position off axis from its visual position to get unintended clicks.