Clickjacking Attack
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.It is a browser security issue that is a vulnerability across a variety of browsers and platforms.
A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.Clickjacking can be understood as an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority
What is clickjacking?
Clickjacking attack allows to perform an action on victim website, Mostly Facebook and Twitter accounts are targetable.
when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top
level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both. It may be similar to CSRF Cross Site Request Forgeries Attack.
Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in
2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they
are typing in the password to their email or bank account, but are instead typing into
an invisible frame controlled by the attacker.
At present this attack mostly use on social network websites like Facebook and twitter, Because this attack is used by convinced victim for click on the link and SocialNetwork website might be very useful for attack on victim.
when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top
level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both. It may be similar to CSRF Cross Site Request Forgeries Attack.
Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in
2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they
are typing in the password to their email or bank account, but are instead typing into
an invisible frame controlled by the attacker.
At present this attack mostly use on social network websites like Facebook and twitter, Because this attack is used by convinced victim for click on the link and SocialNetwork website might be very useful for attack on victim.
An example of clickjacking
Suppose an online store has a page where a logged in user can click “Buy Now” to purchase an item. A user has chosen to stay logged into the store all the time for convenience. An attacker site might create an “I Like Ponies” button on one of their own pages, and load the store’s page in a transparent iframe such that the “Buy Now” button is invisibly overlaid on the “I Like Ponies” button. If the user visits the attacker’s site, clicking “I Like Ponies” will cause an inadvertent click on the “Buy Now” button and an unknowing purchase of the item.
Preventing clickjacking
Modern browsers honor the X-Frame-Options HTTP header that indicates whether or not a resource is allowed to load within a frame or iframe. If the response contains the header with a value of SAMEORIGIN then the browser will only load the resource in a frame if the request originated from the same site. If the header is set to DENY then the browser will block the resource from loading in a frame no matter which site made the request.
Django provides a few simple ways to include this header in responses from your site:
1. A simple middleware that sets the header in all responses.
2. A set of view decorators that can be used to override the middleware or to only set the header for certain views.
The X-Frame-Options HTTP header will only be set by the middleware or view decorators if it is not already present in the response.
Modern browsers honor the X-Frame-Options HTTP header that indicates whether or not a resource is allowed to load within a frame or iframe. If the response contains the header with a value of SAMEORIGIN then the browser will only load the resource in a frame if the request originated from the same site. If the header is set to DENY then the browser will block the resource from loading in a frame no matter which site made the request.
1. A simple middleware that sets the header in all responses.
How to use it
- A visitor is lured to evil page. No matter how. “Click to get 1000000$” or whatever.
- The evil page puts a “get rich now” link with
z-index=-1
. - The evil page includes a transparent
iframe
from the victim domain, sayfacebook.com
and positions it so that “I like it” button is right over the link.
Here’s how it looks (half-transparent iframe for demo purposes):
01 | < style > |
02 | iframe { /* iframe from facebook.com */ |
03 | width:300px; |
04 | height:100px; |
05 | position:absolute; |
06 | top:0; left:0; |
07 | filter:alpha(opacity=50); /* in real life opacity=0 */ |
08 | opacity:0.5; |
09 | } |
10 | </ style > |
11 |
12 | < div >Click on the link to get rich now:</ div > |
13 | |
14 | < iframe src = "/files/tutorial/window/clicktarget.html" ></ iframe > |
15 |
16 | < a href = "http://www.google.com" target = "_blank" style = "position:relative;left:20px;z-index:-1" >CLICK ME!</ a > |
17 |
18 | < div >You'll be rich for the whole life!</ div > |
click on the link actually happens on the iframe.
On Twitter, it was the “Follow” button.
Same code, but transparent iframe (click to see the victim button pressed):
Actually, any single-click action is doable. All we need is to position the victim site iframe right. Most of time, the markup allows it.
Key events are much harder to hijack, because if the iframe is invisible, then the text in it’s input fields are invisible too. The visitor will start to type, but won’t see any text and won’t continue the action.
click on the link actually happens on the iframe.
On Twitter, it was the “Follow” button.
Same code, but transparent iframe (click to see the victim button pressed):
Actually, any single-click action is doable. All we need is to position the victim site iframe right. Most of time, the markup allows it.
Key events are much harder to hijack, because if the iframe is invisible, then the text in it’s input fields are invisible too. The visitor will start to type, but won’t see any text and won’t continue the action.
- A visitor is lured to evil page. No matter how. “Click to get 1000000$” or whatever.
- The evil page puts a “get rich now” link with
z-index=-1
. - The evil page includes a transparent
iframe
from the victim domain, sayfacebook.com
and positions it so that “I like it” button is right over the link.
Here’s how it looks (half-transparent iframe for demo purposes):
01 | < style > |
02 | iframe { /* iframe from facebook.com */ |
03 | width:300px; |
04 | height:100px; |
05 | position:absolute; |
06 | top:0; left:0; |
07 | filter:alpha(opacity=50); /* in real life opacity=0 */ |
08 | opacity:0.5; |
09 | } |
10 | </ style > |
11 |
12 | < div >Click on the link to get rich now:</ div > |
13 | |
14 | < iframe src = "/files/tutorial/window/clicktarget.html" ></ iframe > |
15 |
16 | < a href = "http://www.google.com" target = "_blank" style = "position:relative;left:20px;z-index:-1" >CLICK ME!</ a > |
17 |
18 | < div >You'll be rich for the whole life!</ div > |
A click on the link actually happens on the iframe. Bingo! If the visitor is logged into facebook (and most of time he is), then
facebook.com
receives the click on behalf of the visitor.
On Twitter, it was the “Follow” button.
Same code, but transparent iframe (click to see the victim button pressed):
Actually, any single-click action is doable. All we need is to position the victim site iframe right. Most of time, the markup allows it.
Key events are much harder to hijack, because if the iframe is invisible, then the text in it’s input fields are invisible too. The visitor will start to type, but won’t see any text and won’t continue the action.
Setting X-Frame-Options for all responses
To set the same X-Frame-Options value for all responses in your site, put'django.middleware.clickjacking.XFrameOptionsMiddleware' to MIDDLEWARE_CLASSES:
MIDDLEWARE_CLASSES = (
...
'django.middleware.clickjacking.XFrameOptionsMiddleware',
...
)
This middleware is enabled in the settings file generated by startproject.
By default, the middleware will set the X-Frame-Options header to SAMEORIGIN for every outgoing HttpResponse. If you want DENY instead, set the X_FRAME_OPTIONS setting:
X_FRAME_OPTIONS = 'DENY'
When using the middleware there may be some views where you do not want the X-Frame-Options header set. For those cases, you can use a view decorator that tells the middleware not to set the header:
from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt
@xframe_options_exempt
def ok_to_load_in_a_frame(request):
return HttpResponse("This page is safe to load in a frame on any site.")
Setting X-Frame-Options per view
To set the X-Frame-Options header on a per view basis, Django provides these decorators:
from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_deny
from django.views.decorators.clickjacking import xframe_options_sameorigin
@xframe_options_deny
def view_one(request):
return HttpResponse("I won't display in any frame!")
@xframe_options_sameorigin
def view_two(request):
return HttpResponse("Display in a frame if it's from the same origin as me.")
Limitations
The X-Frame-Options header will only protect against clickjacking in a modern browser. Older browsers will quietly ignore the header and need other clickjacking prevention techniques.
Browsers that support X-Frame-Options
- Internet Explorer 8+
- Firefox 3.6.9+
- Opera 10.5+
- Safari 4+
- Chrome 4.1+
Summary
Clickjacking is easy to implement. As far as there is an action on your site that can be done with a single click - it may be clickjacked.
An attacker can ensure that the visitor is logged into your site by social engineering. Or on some sites it is possible to send a message to a user with the “Happy Link”. The user will browse his site mail and click on it, then be clickjacked.. Many variants are possible.
It is recommended that you use the
X-Frame-Options
at pages which are not meant to run into a frame.
The older frame busting method is less effective, but useful for older browsers, like IE7.
- http://www.owasp.org/index.php/Clickjacking
- http://www.liquidrhymes.com/2010/08/25/smoking-hot-bartender-is-some-smoking-hot-facebook-spam/
- http://w2spconf.com/2010/papers/p27.pdf
- http://blog.chromium.org/2010/05/security-in-depth-html5s-sandbox.html
- http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
Comments
Post a Comment