Clickjacking
Photo credit 3294310361cherry scented

What is clickjacking

In simple words Clickjacking means users are tricked into clicking or keystroking on a different site/page making them think they are on their usual site.

How can that be a problem from security point of view. Here is an example

An example of Clickjacking

Lets assume you own a website my_domain.com and you login to it everyday. If this site is not protected from clickjacking a hacker may be able to call this site in an iframe on some page hosted on his domain some_domain_owned_by_hacker.com

Now the hacker also adds some javascript to this page which records users keystrokes.

Through some means the hacker may trick you in clicking and opening this page. If you do not notice the domain name in the URL then you may feel that it is your own website and may even log in.

Due to the keystroke recording script the hacker is then able to get your password.

However you may feel that you always check the domain name before performing any transaction on a website and more so if it is your own website. So would this still be a problem?

Remember that the hacker can even trick other administrators on your site and they may not be as careful as you are and it follows the same about your website users.

Further to this

Let’s assume you are already logged in to your website and the hacker tricks you in clicking some button on his page. Through the above mentioned iframe and button overlapping the hacker may perform a malicious administrative task on your website on your behalf by just tricking you to click on a link.

Solution to prevent clickjacking using X-Frame-Options

Solution to this is very simple. Simple add below code in your .htaccess file

The above code checks if the page called within iframe is from the same origin. If not it does not display the page

 

For more information read Clickjacking – OWASP

 

Leave a Reply

Your email address will not be published. Required fields are marked *