A clickjacking attack resembles a phishing attack: the attacker shows fake web pages and fake buttons, and when you enter your information on those pages and click the buttons, you are redirected to another page and your information is sent to the attacker. In other words, clickjacking is a malicious technique that tricks a user into clicking on something different from what the user perceives, potentially revealing confidential information or allowing others to take control of their computer while they click on seemingly innocuous objects, including web pages. It is a common type of attack, mostly used on malicious websites to collect visitors' information through fake forms, fake clicks or buttons, and similar lures.
Is clickjacking a serious vulnerability?
Clickjacking is not considered a serious vulnerability because the user can identify it, but only on the condition that the user knows how to recognize a fake web page and a fake redirected link or URL, and also avoids visiting malicious websites and other unwanted websites.
How to Prevent a Clickjacking Attack?
To avoid this type of attack, do not use tempting ads such as "Click here to win an iPhone" or "You have won a prize, click here to claim". A better approach to preventing clickjacking attacks is to ask the browser to block any attempt to load your website inside an iframe. You can do this by sending the X-Frame-Options HTTP header.
How to Identify a Clickjacking Attack / Vulnerability?
To identify clickjacking you can use different tools; with them you can identify the clicked or redirected web addresses on websites. Burp Suite is the best tool to identify the different types of web vulnerabilities.
What is Burp Suite? The Best Tool for Web Bug Hunting?
Burp Suite is an integrated platform and graphical tool for performing security testing of web applications. It supports the entire testing process, from initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. To learn more about this tool, visit https://portswigger.net/burp
Examples of Clickjacking Attacks
Likejacking / What is Likejacking?
Likejacking, the hijacking of Facebook likes, is an extremely prevalent form of UI redress attack. It works similarly to a clickjacking attack, but it tricks Facebook users into "liking" things they never intended to. The attacker's Facebook page is embedded in an invisible iframe, so the user doesn't realize they are actually clicking the attacker's invisible "Like" button.
Cursorjacking / What is Cursorjacking?
Cursorjacking consists of changing the location of the cursor from where the victim perceives it to be. A typical cursorjacking attack replaces the real cursor with a fake one drawn as an image and offset from the real cursor's location. With clever positioning of elements, the attacker can trick the victim into clicking elements they never intended to click: when the victim clicks an intended element with the fake cursor, the real cursor, offset from the fake one, actually clicks a malicious element.
Cookiejacking / What is Cookiejacking?
Cookiejacking is a UI redress attack that steals the victim's cookies. Once the attacker obtains the cookies, they can read the information they contain and use it to impersonate the victim. This is typically achieved by tricking the victim into dragging and dropping an element on the page; what they are actually doing is selecting the contents of their cookies on the embedded invisible page and handing them over to the attacker. Using this method, the attacker can easily steal the cookies.
Filejacking / What is Filejacking?
In a filejacking attack, the attacker exploits the web browser's ability to navigate the computer's file system. An everyday example is uploading a photo to social media: a file browser window appears and you can navigate your file system. In a filejacking attack, clicking the 'Browse Files' button (the button may offer to browse any kind of file, depending on what the attacker is after) establishes an active file server, potentially giving the attacker access to your entire file system.