Clickjacking on Form Input

Overview of the Vulnerability

Clickjacking is a method of tricking a user into clicking on a control that performs an unintended action while it is disguised as a legitimate control for something else. Usually, this is carried out by loading the target page in a transparent <iframe> HTML element positioned on top of a decoy element on an attacker-controlled page, so that the victim's click lands on the hidden legitimate button. This instance of clickjacking can allow an attacker to manipulate a user into performing unwanted actions when they believe they are clicking on a form input within the application.

Business Impact

Clickjacking can lead to reputational damage for the business due to a loss in confidence from users who are attempting to perform legitimate actions within the application.

Steps to Reproduce

  1. Enable an HTTP intercept proxy, such as Burp Suite or OWASP ZAP

  2. With the HTTP intercept proxy turned on, use a browser to navigate to: {{URL}}

  3. Observe that {{action}} can be performed using only mouse clicks

  4. In the HTTP proxy, observe in the server response that there are no anti-clickjacking protections in place, such as the header Content-Security-Policy: frame-ancestors 'self' or the X-Frame-Options header set to DENY or SAMEORIGIN

Proof of Concept (PoC)

The screenshot below demonstrates the full exploit taking place:

{{screenshot}}

Recommendation(s)

There is no single technique that prevents every clickjacking attack. However, defensive strategies can be layered to protect against clickjacking. Best practice is to use the appropriate HTTP response headers so that the browser either disallows framing entirely or restricts which origins may frame the page. These should be customized to the application and its environment. For example:
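As an added example that is not part of this template, the helper below applies the check from step 4 to a captured server response: it reads the headers as (name, value) pairs (an assumed input format, e.g. copied from the proxy) and reports whether the browser will refuse to frame the page. It also covers the cases a tester should not miss: a CSP frame-ancestors directive overrides X-Frame-Options, a report-only CSP enforces nothing, and the obsolete ALLOW-FROM token is ignored by modern browsers.

```python
"""Audit captured response headers for anti-clickjacking protection (example code)."""
from __future__ import annotations
from dataclasses import dataclass

# Sources that let any site frame the page even though a directive is present.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


@dataclass
class FramingPolicy:
    protected: bool   # True if the browser will restrict framing
    source: str       # header that produced the verdict
    detail: str


def _csp_frame_ancestors(csp_values: list[str]) -> list[str] | None:
    """Return the frame-ancestors source list, or None if no such directive."""
    for value in csp_values:
        for directive in value.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def check_framing_protection(headers: list[tuple[str, str]]) -> FramingPolicy:
    """headers: (name, value) pairs as seen in the server response."""
    # Only the enforcing CSP header counts; -Report-Only never blocks framing.
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo = [v for n, v in headers if n.lower() == "x-frame-options"]

    sources = _csp_frame_ancestors(csp)
    if sources is not None:
        allowed = [s.lower() for s in sources]
        # An empty list or 'none' means no origin may frame the page.
        if not allowed or allowed == ["'none'"]:
            return FramingPolicy(True, "CSP", "frame-ancestors 'none': framing blocked")
        if PERMISSIVE_SOURCES & set(allowed):
            return FramingPolicy(False, "CSP", "frame-ancestors permits any origin")
        return FramingPolicy(True, "CSP", "frame-ancestors restricted to " + " ".join(sources))

    for value in xfo:
        token = value.strip().upper()
        if token in ("DENY", "SAMEORIGIN"):
            return FramingPolicy(True, "X-Frame-Options", token)
        # ALLOW-FROM and unknown tokens are ignored by modern browsers.
    return FramingPolicy(False, "none", "no framing restriction present")
```

A response that yields `protected=False` matches the condition described in step 4 and should be noted in the report together with the exact headers observed.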

For more information, please see: