Security Click Jacking Introduction


// Security - Clickjacking:

Clickjacking is a way to trick users into thinking they are clicking or typing 
on one object while they are actually interacting with another.  This can be 
done by loading the target domain in an iframe on the malicious website.  If the 
victim domain's frame is loaded with an opacity of zero, the user is not aware 
that the iframe is present. 

The user then ends up performing an action on the victim domain without even 
realizing it.

The standard approach to defending against this type of attack is to use 
frame-busting to prevent your website from loading in a frame.  
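As an added example (not code from the original page), the following frame-busting routine implements the approach just described: the page starts hidden, is revealed only when it is the top-level document, and otherwise navigates the top window to its own URL. The window and document objects, the `bank.example` and `attacker.example` URLs, and the function names are constructed stand-ins so the logic can run under Node rather than in a browser.

```javascript
'use strict';

// Decide what a page should do given the browsing context it finds itself in.
// `win` is anything shaped like a browser `window` (self, top, location).
// In a browser, `window.self === window.top` holds only when the page is not
// framed; comparing the references never touches cross-origin properties,
// so this check does not throw when the framing page is another origin.
function classifyContext(win) {
  return win.self === win.top ? 'show' : 'bust';
}

// Apply the decision. The page starts hidden (as with a `<style>` rule
// `body { display: none; }` placed in <head>) and is revealed only when it is
// the top-level document. When framed, the top window is navigated to the
// page's own URL, which replaces the hostile page with the genuine one.
// Assigning to `top.location` is permitted even across origins.
function applyFrameBusting(win, doc) {
  const decision = classifyContext(win);
  if (decision === 'show') {
    doc.body.style.display = 'block';
  } else {
    win.top.location = win.self.location.href;
  }
  return decision;
}

// Constructed stand-ins for browser objects so the logic runs under Node.
function makeWindow(href, framedBy) {
  const win = { location: { href } };
  win.self = win;
  win.top = framedBy || win;
  return win;
}
function makeDocument() {
  return { body: { style: { display: 'none' } } };
}

// Scenario 1: the page is loaded directly, so it becomes visible.
const directDoc = makeDocument();
applyFrameBusting(makeWindow('https://bank.example/transfer'), directDoc);

// Scenario 2: the same page is loaded inside a frame on a hostile site (the
// transparent-iframe setup described above); it stays hidden and the top
// window is sent to the genuine page instead.
const hostileTop = makeWindow('https://attacker.example/free-prize');
const framedDoc = makeDocument();
applyFrameBusting(makeWindow('https://bank.example/transfer', hostileTop), framedDoc);
```

In a real deployment this script is a supplement to the `X-Frame-Options` or CSP `frame-ancestors` response header, which the browser enforces before any script runs and which therefore serves as the primary control.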

Clickjacking is a common web application vulnerability that hit its peak in the 
early 2000s.  This attack is used by attackers to trick users into thinking that 
they are interacting with one object while they are actually interacting with 
another.

On a clickjacked page, the attacker displays some benign content to the user 
while loading another page on top of it in a transparent layer.  Users think 
they are clicking buttons that belong to the bottom layer, while they are 
actually performing actions on the hidden page on top.

This resembles other attacks in that the user has no knowledge of what they are 
actually doing.

The attacker included an iframe on this page that references the contents of 
the disloyal subjects.  However, the user does not see this form because the 
attacker cleverly set the transparency of the iframe to 0, making it invisible.  
Next, the attacker modified the CSS properties of the iframe to position it 
directly on top of the button.  When the user clicks on the button, the user 
is actually interacting with the transparent iframe above it.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License