How to Prevent a Clickjacking Attack


Clickjacking attacks are carried out by transparently overlaying a benign web element with some other function, input field, button or similar element. The objective is to misdirect the user’s actions so that they do something they had not intended to do, usually while interacting with a legitimate website. According to security researcher Robert Hansen, “there are multiple variants of clickjacking. Some of it requires cross-domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to pre-load data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them. That’s why we had to come up with a new term for it - like the term or not.”

Examples

Clickjacking attacks can be executed in a number of ways, so any single example only touches the tip of what is possible with this type of attack. By way of an example, a clickjacker can take a login button from one site and hide it beneath a different element on an invisible page, so that the click the user believes is harmless actually triggers an action on the hidden page. It is also possible for an attacker to trick a Flash game player into clicking a seemingly innocent button that in fact grants the site access to the computer’s webcam and microphone.

Preventing Attacks

There are in fact a number of security vulnerabilities that are exploited using clickjacking. They range from Adobe Flash vulnerabilities to ActiveX control options. This kind of attack can be difficult to police because the browser sees the clickjacked click as an authorized request from the user, thus opening the way for all sorts of malicious actions to be executed through the victim’s browser and other software such as Adobe Flash. While there are some steps that users can take to protect themselves, the most effective security measures have to be implemented on the back-end, bearing in mind that the most effective solutions also limit and impede a website’s functionality. Here are some ways to protect yourself against these attacks:

Update your Software – The clickjacking security threat has been addressed to some extent by software updates to popular Internet-related software. You should upgrade your browsers, extensions and add-ons. If you haven’t done so yet, you should upgrade to the latest version of Adobe Flash. Adobe recommends that customers upgrade to Flash Version 10.0.12.36.

Block Scripts – If you use the Firefox browser you can install the NoScript add-on. NoScript is an add-on that can prevent scripts from loading. It also includes a technology called ClearClick that provides protection against frame-based attacks. In essence, ClearClick reveals disguised and embedded elements and prevents their execution. The drawback of the NoScript solution is that it also disables certain kinds of content, including some ads and video, and website owners will not want users disabling their ads.

Move Elements Around – Since the attacker needs to know exactly where the legitimate element (i.e. button or link) sits in order to position the invisible overlay on top of it, it is possible to thwart an attacker by moving around the website elements that may be hijacked. The disadvantage of this method is that it may make the page harder for users to use or may simply make the page less attractive.

Edit Your Flash Settings - There are certain permissions settings that give control over whether Flash applications will have access to the computer. Turning them off is a precautionary measure against clickjacking attacks. You can do so by changing the “Global Settings” in Flash. Go to the Adobe Flash Player Settings Manager for access to your global preferences - you can access it by right-clicking on any Flash movie and selecting “Global Settings.” Set the “Global Privacy Settings” and “Global Security Settings” to “Always Deny”.

Frame Busting – Microsoft’s response to the clickjacking threat has been to let Web developers specify that their website content must not be framed by another site. The technique is known as frame-busting; it can also be implemented by developers using JavaScript to restrict frame usage. The header-based approach requires the Web developer to send an HTTP response header, named X-FRAME-OPTIONS, with HTML pages to restrict how the page can be framed.

Require an Additional Action – You can require your users to complete an additional action, such as entering a password or solving a CAPTCHA, in addition to clicking a critical button. Admittedly, such strategies will put off users who do not like being asked to perform actions that are not necessary to the core functioning of the site. As a compromise, you can ask the user to complete the additional task only when a frame is detected.
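The following JavaScript is an added example, not code from the original article or from any vendor it mentions. It puts the “Frame Busting” and “Require an Additional Action” items above into working form: a server-side helper that sets the X-Frame-Options header (plus the newer Content-Security-Policy frame-ancestors directive, which the article does not discuss but modern browsers honour), a small model of the framing decision a browser makes when it sees that header, and client-side helpers that detect when a page is loaded inside a frame and gate a critical action behind an extra confirmation only in that case. The origins, the response stub and the window-like objects are constructed for the demonstration; in a browser you would pass the real `window` object.

```javascript
'use strict';

// ---- Server side: tell the browser how this page may be framed ------------

// Values of X-Frame-Options that browsers reliably enforce.
const FRAME_POLICIES = new Set(['DENY', 'SAMEORIGIN']);

// Sets the anti-framing headers on an HTTP response object. `res` only needs
// a setHeader(name, value) method, so it works with Node's http.ServerResponse
// or with the stub below.
function setAntiFramingHeaders(res, policy = 'DENY') {
  if (!FRAME_POLICIES.has(policy)) {
    throw new Error(`unsupported X-Frame-Options value: ${policy}`);
  }
  res.setHeader('X-Frame-Options', policy);
  // frame-ancestors is the CSP successor to X-Frame-Options; sending both
  // covers older and newer browsers. (Not mentioned in the article.)
  res.setHeader('Content-Security-Policy',
    policy === 'DENY' ? "frame-ancestors 'none'" : "frame-ancestors 'self'");
  return res;
}

// Minimal constructed stand-in for an HTTP response, used for offline testing.
function makeResponseStub() {
  const headers = new Map();
  return {
    setHeader: (name, value) => headers.set(name.toLowerCase(), value),
    getHeader: (name) => headers.get(name.toLowerCase()),
  };
}

// Model of the browser's decision: may a page served from `pageOrigin` be
// rendered inside a frame whose top-level document is `framerOrigin`?
// `policy` is the X-Frame-Options value the page sent (null when absent).
function browserAllowsFraming(policy, pageOrigin, framerOrigin) {
  if (policy === 'DENY') return false;
  if (policy === 'SAMEORIGIN') return pageOrigin === framerOrigin;
  return true; // no header: the browser frames the page freely
}

// ---- Client side: detect framing and react --------------------------------

// True when the document is not the top-level browsing context.
// In a browser this is the classic `window.top !== window.self` test.
function isFramed(win) {
  return win.top !== win.self;
}

// Frame-busting decision. A framed page navigates the top-level window to
// its own URL, which is what `window.top.location = window.self.location`
// does in a browser. A hostile parent page can interfere with script-based
// busting, which is why the response header above is the primary defence
// and this is a fallback for browsers that ignore the header.
function frameBustingAction(win) {
  if (!isFramed(win)) return null;
  return { navigateTopTo: win.self.location.href };
}

// "Require an additional action" gate: demand a second step (re-entering the
// password, a CAPTCHA) for a critical action only when the page is framed.
const CRITICAL_ACTIONS = new Set(['transfer', 'delete-account', 'change-email']);

function requiresExtraConfirmation(win, action) {
  return CRITICAL_ACTIONS.has(action) && isFramed(win);
}

// Constructed window-like objects: one top-level document and one document
// that has been loaded inside a frame owned by a different top-level page.
function makeSampleWindows() {
  const topLevel = { location: { href: 'https://bank.example/transfer' } };
  topLevel.top = topLevel;
  topLevel.self = topLevel;

  const framerTop = { location: { href: 'https://other.example/game' } };
  framerTop.top = framerTop;
  framerTop.self = framerTop;

  const framed = { location: { href: 'https://bank.example/transfer' }, top: framerTop };
  framed.self = framed;

  return { topLevel, framed };
}

// Stand-alone demonstration: returns the decisions so they can be inspected.
function demo() {
  const res = setAntiFramingHeaders(makeResponseStub(), 'SAMEORIGIN');
  const { topLevel, framed } = makeSampleWindows();
  return {
    headerSent: res.getHeader('X-Frame-Options'),
    sameOriginFrameAllowed: browserAllowsFraming('SAMEORIGIN', 'https://bank.example', 'https://bank.example'),
    crossOriginFrameAllowed: browserAllowsFraming('SAMEORIGIN', 'https://bank.example', 'https://other.example'),
    topLevelNeedsCaptcha: requiresExtraConfirmation(topLevel, 'transfer'),
    framedNeedsCaptcha: requiresExtraConfirmation(framed, 'transfer'),
    framedBustAction: frameBustingAction(framed),
  };
}
```

In a real deployment `setAntiFramingHeaders` runs on every HTML response, `isFramed(window)` runs at page load, and the extra-confirmation gate wraps the handler for the critical button; the `demo()` function only exists so the decisions can be checked offline.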

References:

  1. “Clickjacking details,” https://ha.ckers.org/blog/20081007/clickjacking-details/
  2. “Update Flash to protect against Clickjacking,” https://www.internetnews.com/skerner/2008/10/update-flash-to-protect-agains.html
  3. “Does your browser prevent clickjacking?” https://www.internetnews.com/dev-news/article.php/3799231/Does+Your+Browser+Prevent+Clickjacking.htm

Image Credit:

“Clickjacking Preventing,” Florian