Clickjacking
Clickjacking is another form of attack that lures a user into an unintended action, such as being redirected to a new site or an advertisement. It requires the user to perform an ordinary action, like clicking a button or a link, but a hidden click target intercepts that click, so the user interface does not do what it appears to do.
Description
Clickjacking makes use of an invisible <iframe>, layered over a commonly clicked user interface object such as a button or link. When the user clicks on the visible UI, believing it performs the intended action, the click lands on the iframe instead, without the user's awareness. The action is therefore diverted into the attacker's iframe.
Potential Attack Models
I/O Manipulation
Clickjacking can trick a user into approving I/O access in a browser. This has happened with sites using the Flash plugin, where a hidden click grants camera and microphone access.
Unintended Data Harvesting
This commonly happens in social media hijacking or propagation, such as inflating the like count of a group, page or post on Facebook or Twitter (sometimes called likejacking).
Best Practices
- EMPLOY UI DEFENSIVE CODE. Frame-busting script checks that the current page is the top-level window and, if it is not, forces itself to the top, so the hijacker's framing page and its iframe are discarded.
- COMPLY WITH PREVENTION GUIDELINES. Available from OWASP: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
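The following is an added example, not code from the original page, showing the two defences the Best Practices refer to against the invisible-iframe mechanism from the Description: server-side anti-framing response headers (X-Frame-Options, plus the Content-Security-Policy frame-ancestors directive that the linked OWASP cheat sheet also recommends) and a client-side frame-busting check. All function names (antiFramingHeaders, isFramed, protectAgainstFraming, fakeWindow), the "deny"/"sameorigin" policy parameter and the example URLs are assumptions made for this illustration; fakeWindow builds a constructed stand-in for the browser window so the logic can be run with node outside a browser.

```javascript
// Added example (not from the original page): defence in depth against clickjacking.
// Layer 1 (server): headers telling the browser not to render this page inside a frame.
// Layer 2 (client): frame-busting that runs before the page becomes clickable.

// Return the anti-framing response headers for a page. `policy` is an assumed
// parameter: "deny" forbids all framing, "sameorigin" allows only same-origin frames.
// X-Frame-Options is the legacy header; CSP frame-ancestors is the modern equivalent
// and takes precedence in browsers that support it, so both are sent.
function antiFramingHeaders(policy) {
  switch (policy) {
    case "deny":
      return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
      };
    case "sameorigin":
      return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self'",
      };
    default:
      throw new Error("unknown framing policy: " + policy);
  }
}

// True when the page is rendered inside another document's frame.
// `win` is an object shaped like the browser `window` (injected so the logic can be
// exercised outside a browser); in a real page pass `window`.
function isFramed(win) {
  return win.top !== win.self;
}

// Frame-busting in the style the OWASP cheat sheet recommends: the page ships with its
// body hidden (style.display === "none"), and this script either reveals it (not framed)
// or forces the top-level window onto this page's own URL (framed). A transparent iframe
// over the page therefore never has a clickable control underneath it.
// Returns "shown" or "busted".
function protectAgainstFraming(win) {
  if (!isFramed(win)) {
    win.document.body.style.display = "block";
    return "shown";
  }
  // Leave the body hidden and break out of the frame by navigating the top window.
  win.top.location = win.self.location;
  return "busted";
}

// Constructed stand-in for a browser window (assumed helper for offline runs).
// `framedBy` is the framing page's window object, or null for a top-level page.
function fakeWindow(framedBy) {
  const win = {
    location: "https://victim.example/account/settings",
    document: { body: { style: { display: "none" } } },
  };
  win.self = win;
  win.top = framedBy ? framedBy : win;
  return win;
}

// Usage when run directly with node: a top-level page is shown, a framed one busts out.
if (typeof require !== "undefined" && require.main === module) {
  const framingPage = { location: "https://framing-site.example/decoy" };
  console.log(protectAgainstFraming(fakeWindow(null)));         // shown
  console.log(protectAgainstFraming(fakeWindow(framingPage)));  // busted
  console.log(framingPage.location);                            // the victim page's URL
  console.log(antiFramingHeaders("deny"));
}
```

The headers are the primary control: a browser that honours them never renders the page in a hostile frame, so the click has nothing to land on. The script is the fallback for browsers or proxies that strip headers, and hiding the body by default matters because a script that only redirects leaves a window of time in which the page is both framed and clickable.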