| Blog
Transparent browser window which only contains a green play button with a mouse cursor on it. The page is superimposed over the actual page, which contains on the same position a virus button.

What is clickjacking and how to mitigate it?

In today’s era cyberattacks are evolving every day and cybercriminals are finding new and more sophisticated ways to exploit vulnerabilities. While we’re aware of ransomware attacks that have occurred over the past few years, numerous others aren’t as discussed.

One such attack is clickjacking. These attacks are notorious for their inconspicuous technique and can cause a lot of damage. Here's what you need to know if you've heard this term before but aren't sure what it means.

In this article, we'll be discussing what clickjacking is, how it affects web security, its different kinds, and how to mitigate it. So, let’s get started.

What is clickjacking?

Clickjacking (otherwise known as UI redressing) is an attack where a user unintentionally clicks on an invisible button placed over the visible web page user interface. This is possible when the invisible button is present in the iframe layer which is essentially superimposed over the actual page.

So, when a user clicks on some area thinking of performing a particular action, they are actually performing some other action.

If you look at this kind of attack, the website and its users are the victims. The legitimate website becomes notorious for its loophole, making the users a direct victim of whatever the attacker’s intention may be.

Types of clickjacking attacks

Based on the cyberattacker’s intention, the clickjacking attack can be classified and categorized into several types. A few of these include:

  • Likejacking: There’s a like button present, on clicking you unintentionally like a post or a page.
  • Cursorjacking: A duplicate cursor is attached to the actual one, with a certain offset. This way you only see the duplicated one, and when you think you’re clicking a particular area, you actually click somewhere else.
  • Login Credential Theft: Your login details of social media platforms, banks, etc. are stolen.
  • Location Identification: The clicking will enable your location and the hacker will be able to see it.
  • Fund Transfers: Attackers make you transfer funds to their account without you ever intending or knowing that you did so.
  • Malware Downloads: Malicious apps are downloaded without knowledge.
  • Product Purchases: This is similar to fund transfers, but instead of just transferring them, you are buying something.
  • Webcam or Microphone Activation: This one’s self-explanatory, you unintentionally turn on your camera or mic.

These are a few common types of clickjacking attacks, but they’re not the only ones. The intentions can vary based on the attackers and what they’re looking for.

How to prevent clickjacking attacks?

Now that you know about clickjacking attacks, let’s look at how to prevent them. There are primarily two ways in which this can be done, and there are a couple of methods in each that you can leverage. Here’s how it goes.

Server-side prevention

As previously mentioned, clickjacking attacks can be prevented in two methods. One of these methods and also the recommended one is the server-side mitigation, since it cannot be bypassed. Website operators are encouraged to send the X-Frame-Options or the Content-Security-Policy header in their responses. These headers tell the browser which pages are allowed to be included in an <frame>, <iframe>, <embed> or <object>.

So, the focus should be on ensuring that the website cannot be encapsulated into an iframe layer used for the attack. The two ways in which this can be done are as follows:

Content-Security-Policy (CSP)

The Content-Security-Policy, CSP for short, is an http response header. With this header, it is possible for website operators to control which resources for this page can be loaded by the user agent.

The frame-ancestors directive can be used to control the browser, which website is allowed to embed the requested page.
To reliably prevent clickjacking using CSP, the frame-ancestors directive should be set to 'none'. Thus, the site cannot be embedded by anyone else. You can also set the value to 'self', and this would mean that only your domain can embed the website or the webpage into a frame.

Content-Security-Policy: frame-ancestors 'none';

Besides this, the CSP also prevents attacks such as cross-site scripting, which is yet another common web attack.

X-Frame-Options

The X-Frame-Options, or XFO, is also an http response header that can be used to prevent clickjacking attacks. However, it is recommended to use the Content-Security-Policy, as it can also protect against other web attacks.

Nevertheless, many websites still use the X-Frame-Options header. If you want to prevent any page from integrating yours, as in the example above, the XFO header can be set with the value DENY. In order to allow the integration only for your website, SAMEORIGIN can be used instead.

X-Frame-Options: DENY;

Client-side prevention

While server-side prevention techniques are quite useful and highly secure, the client-side techniques are not as reliable. This is because these can still be circumvented or overcome in some form by the attackers and execute a successful clickjacking attack.

The two major ways used here are:

Frame Busting

Frame busting refers to a code snippet provided by a website to prevent clickjacking attacks. This code snippet usually consists of JavaScript and prevents the page from being encapsulated within an iframe.

If you want to learn more about frame busting, here's a great Stanford University study about "clickjacking vulnerabilities at popular sites".

NoScript Browser Extensions

A more advanced client-side protection is the browser extension NoScript. The extension has an anti-clickjacking feature called ClearClick, which is enabled by default. NoScript detects whenever the user interacts with an embedded element that is completely or partially obfuscated. If such an interaction is detected, it is blocked and the user is warned about the potential UI redressing threat.

Due to NoScript's advanced protection of numerous web attacks, it is also a built-in key security component of the Tor Browser.

Vulnerar's role in preventing clickjacking attacks on your website

Vulnerar offers a sophisticated http security header scanner that identifies vulnerabilities immediately. This tool helps website operators to analyze their response headers and eliminate invalid or insecure configurations before they can be exploited by attackers. It also detects more than 9 vulnerabilities that can be mitigated by using http headers, such as clickjacking, cross-site scripting, and many others.

You can find our free tool here.