Attack Library: Clickjacking

This week the Attack Library mini-series will focus on Clickjacking attacks – what they are, and how to defend against them.

A Clickjacking Attack, also known as a UI (User Interface) Redress Attack, is used by malicious threat actors to trick users into being redirected or submitting information without their consent or knowledge. To perform a Clickjacking attack the threat actor will create a transparent layer, over the top of the vulnerable website or application, which contains elements such as buttons and forms that are not visible to the user. The elements in this transparent layer will be arranged in such a way that they line up with existing elements on the application the user believes they are interacting with, for example the attacker could:

* Place an invisible form over the top of an existing account registration form in order to capture user information.

* Place their own invisible button on top of a legitimate download button so, when clicked, they download the attacker’s file instead of the legitimate one.

* Delivering nuisance pop-ups to the victim when they click anywhere on a webpage

As a user, what can you do to protect yourself from falling victim to a Clickjacking attack?

Aside from best practice such as keeping applications and plugins updated, browser plugins such as NoScript and AdBlockers can be installed which can help to protect you from Clickjacking attacks by recognising and removing threats as the site is loaded.

As a developer or webmaster, you can prevent Clickjacking and other web attacks such as Cross-Site Scripting by making use of the Content Security Policy (CSP) standard. CSP is supported by all modern browsers and allows you to communicate the content that should be allowed to render to the browser and approve the origin of such content.