Clickjacking

Overview of the Vulnerability

Clickjacking is a method of tricking a user into clicking on a link or button that performs an action, disguised as a legitimate link to something else. Usually this is carried out by loading the target page in a transparent <iframe> HTML element that sits on top of a decoy page, so that a click on the decoy lands on a legitimate button of the framed application. This allows an attacker to manipulate a user into performing unwanted actions.

Business Impact

Clickjacking can lead to reputational damage for the business due to a loss in confidence from users who are attempting to perform legitimate actions within the application.

Steps to Reproduce

  1. Enable an HTTP intercept proxy, such as Burp Suite or OWASP ZAP

  2. With the HTTP intercept proxy turned on, use a browser to navigate to: {{URL}}

  3. Observe that {{action}} can be performed using only mouse clicks

  4. In the HTTP proxy, observe that the server response contains no anti-clickjacking protections, such as the header Content-Security-Policy: frame-ancestors 'self' or an X-Frame-Options header set to DENY or SAMEORIGIN

Proof of Concept (PoC)

The screenshot below demonstrates the full exploit taking place:

{{screenshot}}

Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. Your submission must include evidence of the vulnerability and not be theoretical in nature.

For a clickjacking vulnerability, please include a simple screenshot or an HTML payload that can be executed to easily demonstrate and reproduce the issue.

Attempt to escalate the clickjacking to perform additional actions (such as an account takeover or CSRF bypass to perform a sensitive action). If this is possible, provide a full Proof of Concept (PoC).

Recommendation(s)

There is no single technique that prevents all clickjacking attacks. However, there are multiple layers of defensive strategies that can be implemented to protect against them. Best practice is to use the appropriate HTTP response headers so that the browser either disallows framing entirely or only permits it from specified origins. These should be customized to the application and its environment. For example:
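As an added example (not part of the report template), the following Python code shows both sides of step 4 and of the recommendation above: a checker that classifies a response's headers the way a tester would in the proxy, and a hypothetical settings page that emits the recommended headers. The handler, its page body and the listening port are assumptions for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer


def framing_protection(headers):
    """Classify a response's framing policy from its headers.

    Returns 'csp' when a Content-Security-Policy frame-ancestors directive
    restricts framing, 'xfo' when only X-Frame-Options DENY/SAMEORIGIN does,
    and 'none' when arbitrary sites may frame the page.  Header names are
    matched case-insensitively, as browsers do.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            # 'self', 'none' or an explicit allow-list all restrict framing;
            # a bare wildcard source does not.
            if sources and "*" not in sources:
                return "csp"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    # The obsolete ALLOW-FROM form is ignored by current browsers, so a
    # response carrying only that value is treated as unprotected.
    return "none"


class ProtectedHandler(BaseHTTPRequestHandler):
    """Hypothetical settings page that emits both anti-framing headers."""

    def do_GET(self):
        body = b"<h1>Settings</h1><button>Delete account</button>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        # Modern browsers honour frame-ancestors and ignore X-Frame-Options
        # when both are present; the latter is kept for older browsers.
        self.send_header("Content-Security-Policy", "frame-ancestors 'self'")
        self.send_header("X-Frame-Options", "SAMEORIGIN")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ProtectedHandler).serve_forever()
```

Running the script serves the hardened page on 127.0.0.1:8080; a response whose headers classify as 'none' is the condition step 4 asks the tester to confirm.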

For more information, please see:
