UI Redress/Clickjacking

Clickjacking, or the "UI redress attack", is an interface-based attack in which an attacker uses multiple transparent or opaque frames to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is able to "hijack" clicks by the user and route them to another page.

Attack Vector

For a UI redress attack to be successful, an attacker has to be able to incorporate an invisible, actionable web page (or multiple pages) containing a button or hidden link within an iframe. This can be done using CSS to create layers and make the iframe of the target website invisible when overlaid on the anticipated decoy web page content. An example using the style tag and parameters is as follows:

<head>
  <style>
    #target_website {
      position:relative;
      width:128px;
      height:128px;
      opacity:0.00001;
      z-index:2;
      }
    #decoy_website {
      position:absolute;
      width:300px;
      height:400px;
      z-index:1;
}
  </style>

</head>
...
<body>
  <div id="decoy_website">
  ...decoy web content here...
  </div>
  <iframe id="target_website" src="https://vulnerable-website.com">
  </iframe>
</body>

The target website iframe is positioned within the browser so that there is a precise overlap of the target action with the decoy website using appropriate width and height position values. Absolute and relative position are used to ensure that the target website accurately overlaps the decoy regardless of screen size, browser type and platform The opacity value is defined as 0.0 so that the iframe content is completely transparent to the user.

For the exploit to work, the user is required to perform an action such as a button click. Thus, it is important for the decoy web page content to influence the user to click on the page. An example of this would be a decoy web page that displays a button for the user to click in order to win a prize.

Impact

The Clickjacking technique allows an attacker to hijack clicks meant for one page and route them to another page. This can cause the user to download malicious data or be forcefully routed to another malicious page or application. Since any website can be displayed in an invisible iframe above the decoy web page, this can also lead to user information being stolen or maliciously tampered with.

Attack Examples

Example 1

  1. The attacker creates an attractive decoy web page that claims the user has won an iPhone.

  2. In the background the attacker checks if the user is logged into his banking site and if so, loads the screen that enables transfer of funds, using query parameters to insert the attacker's bank details into the form.

  3. The bank transfer page is displayed in an invisible iframe above the decoy web page, with the "Confirm Transfer" button exactly aligned over the "Claim Prize" button visible to the user.

  4. The user visits the page and clicks on the "Claim Prize" button.

  5. In reality, this means the user has clicked the "Confirm Transfer" button. Funds are transferred to the attacker.

  6. The user is redirected to a page with information about the gift, or another website or application chosen by the attacker without realizing that they have just transferred their bank funds to the attacker.

Historical Attacks

  • This vulnerability in the Adobe Systems Flash Player software where a playing a short game on a website led to users unknowingly granting attackers full access to their webcam and microphone

  • This vulnerability that caused users to post content on Facebook without action on their part

Defenses

Clickjacking attacks are possible whenever websites can be framed. Thus, preventative techniques are based on restricting the framing capability for websites. There are two main ways to do this:

  1. Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers that instruct the browser to not allow framing from other domains. (This replaces the older X-Frame-Options HTTP headers.)

  2. Employing defensive code in the UI to ensure that the current frame is the most top level window.

Criteria for Demonstration

The most common way in which content can be loaded and positioned within a web page is through CSS, however there are many other techniques. To demonstrate the attack, provide the HTML file where what the user sees and clicks on does not reflect what action their click actually performs.

Other resources

Portswigger

OWASP

Imperva

Wikipedia

chwatley