Understanding Clickjacking Vulnerabilities

Omar Santos · ‎01-28-2020

Clickjacking is when a threat actor leverages multiple transparent or opaque layers to trick users into clicking on a link or any component of a web application to redirect them to another page (often a malicious website). Clickjacking is also known as a “UI redress vulnerability” or “UI redress attack”.

Clickjacking attacks involve a level of social engineering in order to trick users to click on the affected components or links and redirect them to a malicious website.

Certain clickjacking vulnerabilities could also allow user keystrokes to also be hijacked. For instance, an attacker can craft or modify a combination of CSS stylesheets, iFrames, and web forms, to trick users to believe they are typing in a password in a web application. However, they are instead typing it into an invisible frame controlled by the attacker.

Preventing Clickjacking Vulnerabilities

The following are a few methods to prevent clickjacking vulnerabilities and underlying attacks:

The web application or a website should be constructed to send proper Content Security Policy (CSP) frame-ancestors directive response headers to prevent the browser from allowing framing from domains not related to the legitimate application (i.e., external domains). To obtain more information about CSP frame-ancestors go to: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors and https://w3c.github.io/webappsec-csp/#directive-frame-ancestors
Design the web application (front-end/presentation layer) to ensure that session cookies are not included when the page is loaded in a frame using the SameSite cookie attribute.
Prevent the web (front-end) application from being loaded in an iFrame or prevent iFrames from being loaded (i.e., prevent “frame-busting” attacks).

The following additional resources provide detailed information on how to prevent clickjacking vulnerabilities at: