Clickjacking

Objective:
Understand the concept of clickjacking, its potential impacts, and the measures necessary
to prevent such attacks in web applications.

Research and Report:

Click jacking is a malicious technique that tricks users into clicking on something
different from what they perceiveis, it is based on the functionality of web-designing in
which two or more web frames are overlapped over each other. Types of clickjacking
(Fortinet, n.d.) include complete transparent overlay, cropping, hidden overlay, click
event dropping, rapid content replacement, scrolling, repositioning and drag and drop.

1- Complete transparent overlay:

Perhaps the most common clickjacking strategy, this method overlays a legitimate
webpage over a malicious page. The legitimate page is loaded into an invisible
iframe, and the user has no idea that a malicious page is underneath.
2- Cropping:
Cropping, which is trickier to program, occurs when the cyberattacker overlays
only selected controls from the malicious page onto the legitimate page. The
attacker could replace hyperlinks on the legitimate page with redirects, replace the
text of buttons on the legitimate page with other language (thereby confusing the
victim), or change the content in a way that misleads the user.
3- Hidden overlay:
This could be many things, cursorjacking is an example. In this strategy, the
cyberattacker creates a tiny iframe, perhaps as small as a 1x1 pixel, that can be
positioned under the mouse cursor and undetectable to the victim. As such, any
click will go to the underlying malicious page.
4- Click event dropping:
 Click event dropping might be a more obvious attack to a user. In this strategy,
the attacker sets the CSS pointer-events property to none, which means clicking
will seem to do nothing on the page. But in reality, the clicks are working on the
malicious page underneath. Users should alert the webmaster when their
continued clicking on the website's buttons or links does not work.
5- Rapid content replacement:
For more sophisticated cyberattackers with significant know-how in user
experience and behavior, rapid content replacement can be an effective strategy.
In this scheme, overlays are covered up, removed for a fraction of a second to
register a click, and then immediately replaced. With this scenario, the user might
not notice that they are clicking on a possibly malicious button or link because the
object disappears so quickly. Apart from using insert overlays, there are other
ways attackers can trick users into clicking unexpectedly malicious content.

6- Scrolling:
In this scenario, the cyberattacker creates a legitimate dialog box or pop-up with a
button partially off the screen. The buttons go to the malicious webpage
underneath, but the box appears as a harmless prompt. The challenge for attackers
in using this strategy is that the victim may have an ad blocker or pop-up blocker
installed on their browser. The attacker will need to find a way to circumvent this.
(Bogus ad-blocker extensions are yet another type of cyberattack.)
7- Repositioning:
This is a type of rapid content replacement attack, in which the cyberattacker
quickly moves a trusted user interface (UI) element while the user is focused on
another portion of the webpage. The idea is to have the victim inadvertently click
the moved element instead of focusing on reading, scrolling, or clicking
something else on the page. Quick jumps or movements should be obvious to
most users, and when this occurs, the employee should notify the webmaster and
security team.
 8- Drag and drop:
This is a clickjacking strategy that requires the user to do more than just click.
The victim will need to fill out forms or perform another action. The web forms
might look like those of the legitimate page, but when users fill out the fields, the
data is captured by the cyberattacker via the malicious page underneath. The goal,
as with any cyberattack, is to obtain personal or sensitive information without the
victim's knowledge.
Due to the dynamic, innovative nature of the web, including new JavaScript frameworks,
cyberattacks similar to clickjacking will continue to proliferate. Victims will continue to
be tricked into performing unexpected actions on websites that seem identical to sites
they have used before. As such, clickjacking might be difficult to detect, but in large
organizations, as employees and customers interact with the company's web properties at
scale, odd click behavior should be reported and acted upon quickly to thwart a
cyberattack.

Defensive measures:

1- Preventing framing:
Content security policy (CSP) a policy that prevents framing or the republishing
of the site's content in an HTML container on another website. which can serve as
the first defense in the prevention of a clickjacking attack. The CSP essentially
permits only certain web resources, such as JavaScript and CSS, that the client
browser can apply.
Factors :
Simplicity: It’s easy to implement and has three directives:
DENY, SAMEORIGIN, and ALLOW-FROM.
Effectiveness: It prevents your site from being embedded in iframes by other
sites, effectively blocking clickjacking.
Legacy Support: It has wider support in older browsers.
 2- Moving the current frame to the top
Also known as an X-Frame-Options, this strategy relies on the response header or
code used to indicate whether a browser should be allowed to render a page in a
frame, as an embed, or as an object when webpages are pushed through the
browser. The header provides the webmaster with control over the use of iframes
or objects. With this extra code in the header of a webpage, the webmaster can
decide whether the inclusion of a webpage within a frame can be prohibited. X-
Frame was first developed for Internet Explorer 8, and it is not consistent across
all browsers.
Factors:
Flexibility: CSP offers more granular control. You can specify exactly which
origins are allowed to frame your content with the frame-ancestors directive.
Modern Browsers: It’s supported by most modern browsers and allows for a more
robust security policy beyond just clickjacking, including protection against other
types of attacks (e.g., XSS).
Complexity: It can be more complex to configure and manage compared to X-
Frame-Options.
In conclusion both measures help protect against clickjacking, but both have different
pros and cons. When used together, a CSP and X-Frame-Options can serve as a strong
defense against a clickjacking attack.

Practical Application :

Evaluating three websites using the CSP Evaluator

 1- Twitter
I checked the frame-src directive since it controls which sources can load frames,
its essential to ensure that its set to limit framing to only trusted sources.

This is the list of trusted sources that are allowed to load frames, as you can see they are
all trusted domains.

Recommendations:
The policies implemented are sufficient against clickjacking, what twitter can do to
improve is conducting a risk assessment to be aware that if any of these origins were to
be compromised, it could expose your site to clickjacking vulnerabilities. Regularly
review and update this list to ensure it only includes secure, necessary domains. they can
also add Add frame-ancestors Directive: Implement frame-ancestors to further restrict
who can frame your site: Content-Security-Policy: frame-ancestors 'self’; // or specify
other trusted origins

2- Instagram
 Here I also checked the frame-src directive which has less sources than twitter,
which hypothetically means it’s safer.

Recommendations:
What they can do is limit the use of data:, for the use of data: in your frame-src can
expose them to risks if not managed carefully. They should Consider whether they truly
need this and, if so, understand the security implications. They can also Regularly review
and update this list to ensure it only includes secure, necessary domains,furthermore
Instagram can implement a frame-ancestors Directive to further restrict who can frame
their site: Content-Security-Policy: frame-ancestors 'self'; // or specify other trusted
origins

3- Reddit
screenshot of the frame-src directive after evaluation is complete.
Recommendations:
adding on the recommendations I have given twitter and Instagram, reddit can review
necessity on these trusted sources and they should also continuously monitor the security
of their trusted domains.

Case Study: The Likejacking Attack on Facebook

1- Execution and Impact of the Attack:

One well-known instance of a clickjacking attack is the Facebook incident called
"Likejacking" that happened a few years back. During this assault, deceitful websites
deceived users into endorsing a Facebook page without their awareness. The hackers
managed to do this by placing an invisible iframe over a real Facebook "Like" button,
tricking users into thinking they were interacting with intended content, when in fact they
were unintentionally liking a potentially misleading or harmful page. The significance of
this attack had a notable effect. It not just undermined user interactions' authenticity on
Facebook, but also increased the spread of harmful content on the platform. Pages that
promote scams, phishing schemes, or inappropriate content were able to gain credibility
and visibility due to unintentional likes, which in turn resulted in a loss of user trust and
potential financial harm for those who unknowingly engaged with fraudulent websites.

2- Preventive measures:
1- Facebook missed an opportunity to apply the X-Frame-Options HTTP header with
values DENY or SAMEORIGIN to block content embedding on unauthorized sites.
Blocking the ability to overlay the Like button would have been effectively prevented.
2- Content Security Policy (CSP): An advanced step would be to establish a Content
Security Policy with a frame-ancestors directive, limiting the domains allowed to embed
Facebook content. This could offer a broader and more adaptable method for embedding
frames.
3- User Awareness and Education: Teaching users about the dangers of clicking on
questionable links and the methods of clickjacking attacks could have reduced the
consequences. Facebook should have offered clearer alerts or instructions to assist users
in recognizing and steering clear of possible pitfalls.
4- Improved Button Design: Altering the appearance of the Like button to prevent
attackers from superimposing it or implementing methods such as requesting
confirmation prior to liking a page could lower the likelihood of risk.

3- outcomes:
1- The significance of Frame Control: Websites must take an active role in managing
how their content is embedded. Utilizing X-Frame-Options or CSP can greatly decrease
the likelihood of clickjacking.
2- Continuous education on potential security threats is crucial for users. Users need to
understand how clickjacking operates and should be urged to report any questionable
behavior.
3- Proactive security measures entail companies consistently updating their security
policies and practices to protect against advancing threats.

Technical Application:

The purpose of the following script is to prevent clickjacking attacks by ensuring that the
page cannot be embedded within a malicious frame. If the page detects that it is being
framed, it will redirect the user to the top-level window, making it clear that they are not
interacting with the intended content. This helps protect users from being tricked into
clicking on hidden or deceptive elements.

<script>
// Function to prevent the webpage from being framed
function preventFraming() {
// Checking if the current window is not the topmost window
if (window.top !== window.self) {
// If the page is being framed, redirect to the same URL
window.top.location = window.self.location.href;
}
}
 // Call the function to check and prevent framing
window.onload = preventFraming;
</script>

<

Code explanation :

- Function Declaration (function preventFraming()):

o This declares a function named preventFraming that will contain the logic
to check if the webpage is being framed.
- Window Check (if (window.top !== window.self)):
o window.top refers to the topmost window in the hierarchy (the main
browser window).
o window.self refers to the current window.
o The condition checks if the current window is not the topmost window. If
this condition is true, it means the page is being displayed within an
iframe or frame.
- Redirecting (window.top.location = window.self.location.href):
o If the page is being framed, this line redirects the topmost window to the
URL of the current page. Essentially, it breaks out of the frame by loading
the page in the main window instead.
- Event Binding (window.onload = preventFraming):
o This line assigns the preventFraming function to the onload event of the
window. This means the function will run automatically when the
webpage has finished loading.

Refrences:
Fortinet. (n.d.). Clickjacking. Fortinet. https://www.fortinet.co
m/resources/cyberglossary/clickjacking