Tuesday, 3 September 2013

What is Clickjacking Attack? How to Prevent?


Will answering a simple maths quiz delete your social network account?  If your answer is "No", then read this news item on the LinkedIn clickjacking vulnerability and come back.  Will visiting a website turn on your webcam? The answer is "Yes".  Check this Flash Player clickjacking vulnerability.

If you read the news above completely, it will be easy for you to understand what clickjacking is.  Ok, let's continue with our article.

Clickjacking, also known as UI redressing, is a malicious technique that tricks users into clicking a button or image that runs a hidden malicious script from another site.

An attacker uses multiple transparent or opaque layers to trick a user into clicking a button or link on another page when they intended to click on the innocuous page. Thus the attacker hijacks the click and sends it to another website.  That's why it is known as clickjacking (click + hijacking).  The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.


Example:
Let's take the real example of the "LinkedIn clickjacking vulnerability".

The image above may look like a simple maths problem.  Once you click the submit button, it will delete your LinkedIn account (if you are logged in) without asking any questions.


Clickjacking attacks can be used for:
  • Tricking users into turning on their webcam and microphone using this Adobe vulnerability (this security flaw was fixed by Adobe)
  • Getting more Twitter followers
  • Posting on your Facebook wall
  • Deleting your profile

Prevention Techniques:

Client side (security tips for users):
Flash Player:

Update your Flash Player (old versions are vulnerable to clickjacking).


Browser security add-ons:

NoScript:
NoScript is a Mozilla add-on that provides protection against clickjacking, XSS and other malicious scripts.  NoScript is available for mobile as well.

Comitari Web Protection Suite: Comitari provides client-side protection against clickjacking (aka UI redressing) attacks. It is installed as a browser add-on.

GuardedID: a commercial product that provides client-side clickjacking protection for users of IE or Firefox without interfering with the operation of legitimate iframes.

Server side (for developers)

Frame Killer:
A framekiller is a JavaScript snippet placed in a web page to prevent that page from being loaded inside a frame by a different site.  This provides protection against frame-based clickjacking.
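Here is an added example of such a frame killer (it is not from the original post). It follows the hide-first pattern: the page is assumed to ship a `<style id="antiClickjack">body{display:none !important;}</style>` block in its head before this script, and the body is only revealed once the script confirms the page is top-level; the decision logic is kept in plain functions so it can be checked outside a browser.

```javascript
// Pure decision function, kept separate from browser globals so it can be
// tested on its own. `win` is the page's own window, `topWin` is what the
// page sees as window.top. Identity comparison does not throw even when the
// framing page is cross-origin, unlike reading most properties of `top`.
function isFramed(win, topWin) {
  return win !== topWin;
}

// The action the frame killer takes:
//   'reveal' - page is top-level, remove the hiding style and show it
//   'bust'   - page is framed, keep it hidden and try to break out
function frameKillerAction(win, topWin) {
  return isFramed(win, topWin) ? "bust" : "reveal";
}

// Browser wiring: only runs when loaded in a real page. Place this as early
// as possible in <head>, after the antiClickjack <style> block it assumes.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (frameKillerAction(window, window.top) === "reveal") {
    var antiClickjack = document.getElementById("antiClickjack");
    if (antiClickjack) {
      antiClickjack.parentNode.removeChild(antiClickjack);
    }
  } else {
    // Navigate the outer window to this page. A hostile framing page may be
    // able to suppress this navigation, which is why the body stays hidden
    // instead of relying on the redirect alone: a blocked bust then leaves
    // the attacker with a blank frame rather than clickable UI.
    window.top.location = window.self.location;
  }
}
```

Script-based frame killers can be defeated by a determined framing page, so treat this as defence in depth rather than the only control.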
