|Name ||Clickjacking |
|Summary ||In a clickjacking attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI of a seemingly completely different system. While logged in to some target system, the victim visits the attacker's malicious site, which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI, containing action controls that the attacker wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page, and those clicks actually trigger the action controls in the transparent overlaying layer. Depending on what that action control is, the attacker may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is the mismatch between what the victim thinks they are clicking on and what they are actually clicking on. |
|Prerequisites ||The victim is communicating with the target application via a web-based UI and not a thick client.
The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not an old text-only browser).
The victim has an active session with the target system.
The target system's interaction window is open in the victim's browser and supports initiating sensitive actions on behalf of the user in the target system. |
|Solutions ||If using the Firefox browser, use the NoScript plug-in, which helps forbid iframes.
When maintaining an authenticated session with a privileged target system, do not use the same browser to navigate to unfamiliar sites or to perform other activities. Finish working with the target system and log out first before proceeding to other tasks. |
|CWE ID ||Description |
|CWE-693 ||Protection Mechanism Failure |
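
The attack summarized above depends on the target system's page rendering inside a frame on the attacker's site. As an added example (not part of the original entry), the Python code below checks whether a response from the target system tells the browser to refuse framing. The `X-Frame-Options` and CSP `frame-ancestors` response headers are a server-side complement that the Solutions row does not list, and the function names, paths and sample responses are constructed for illustration.

```python
def frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP header value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers):
    """Classify a response: 'deny', 'same-origin', 'allow-list' or 'unprotected'."""
    h = {name.lower(): value for name, value in headers.items()}
    # Only the enforcing header counts; Content-Security-Policy-Report-Only blocks nothing.
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # Browsers that support frame-ancestors apply it and ignore X-Frame-Options.
        if sources in ([], ["'none'"]):
            return "deny"
        if sources == ["'self'"]:
            return "same-origin"
        if any(s in ("*", "http:", "https:") for s in sources):
            return "unprotected"  # any site may frame the page
        return "allow-list"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return "deny" if xfo == "deny" else "same-origin"
    return "unprotected"  # header missing, obsolete ALLOW-FROM, or invalid value


# Constructed sample responses for sensitive pages of a hypothetical target system.
SAMPLES = {
    "/account/delete": {"Content-Type": "text/html"},
    "/transfer": {"X-Frame-Options": "SAMEORIGIN"},
    "/admin": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "/settings": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "/widget": {"Content-Security-Policy": "frame-ancestors https://partner.example",
                "X-Frame-Options": "DENY"},
    "/profile": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def frameable(samples):
    """Return the paths whose responses leave framing by any site possible."""
    return sorted(p for p, hdrs in samples.items() if framing_policy(hdrs) == "unprotected")


if __name__ == "__main__":
    for path, hdrs in SAMPLES.items():
        print(f"{path:18} {framing_policy(hdrs)}")
```

Pages that initiate sensitive actions and come back as `unprotected` are the ones that satisfy the last prerequisite above while remaining embeddable by another site.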