Clickjacking

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

The following is a simple Clickjacking PoC:

<pre lang="JavaScript" line="1">
<html>
<head>
<title>ClickJacking PoC</title>
</head>
<body>
ClickJacking PoC
<h2>Oops! The website is vulnerable to Clickjacking!</h2>
<!-- If the target page renders inside this frame, it can be embedded by another origin -->
<iframe src="https://parzival.sh" height="450" width="1000"></iframe>
</body>
</html>
</pre>

Please note that for Clickjacking to be considered a vulnerability, you also have to demonstrate impact. Showing that you can trick a user into performing a mass administrative action or updating information such as their profile / billing information is a better PoC than simply embedding the home page in an iframe.
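
Whether a PoC like the one above renders at all depends on the framing headers the target returns. The following is an added example, not part of the original page: a JavaScript function that reads a response's `X-Frame-Options` and `Content-Security-Policy` headers and reports whether an arbitrary third-party origin could frame it. The names `frameAncestors` and `framingVerdict` and the sample headers are constructed for illustration.

```javascript
// Added example (not from the original page): decide from response headers
// whether a page can be framed by an arbitrary third-party origin.

// Return the frame-ancestors source list of one CSP policy, or null if absent.
function frameAncestors(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// headers: { name: value } where value is a string or an array of strings.
function framingVerdict(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = [].concat(v);

  // Content-Security-Policy-Report-Only is not enforced, so it is not read.
  // Repeated or comma-joined CSP headers are separate policies; all apply.
  const lists = (h['content-security-policy'] || [])
    .flatMap((v) => v.split(','))
    .map(frameAncestors)
    .filter((sources) => sources !== null);

  if (lists.length > 0) {
    // With frame-ancestors present, browsers ignore X-Frame-Options.
    // '*' and bare scheme sources admit any origin; 'none', 'self', an empty
    // list or specific hosts do not.
    const open = lists.every((sources) =>
      sources.some((s) => s === '*' || /^https?:$/i.test(s)));
    return { framable: open, via: 'frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || [])
    .flatMap((v) => v.split(','))
    .map((v) => v.trim().toUpperCase());
  // Only DENY and SAMEORIGIN restrict framing; ALLOW-FROM is obsolete and,
  // like any unrecognised value, gives no protection in current browsers.
  if (xfo.includes('DENY') || xfo.includes('SAMEORIGIN')) {
    return { framable: false, via: 'x-frame-options' };
  }
  return { framable: true, via: xfo.length ? 'ignored x-frame-options value' : 'no framing headers' };
}

// Constructed sample response headers, not captured from any real site.
const sample = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" };
console.log(framingVerdict(sample)); // framing is blocked by frame-ancestors
```

A `framable: true` verdict only means the page can be embedded; the impact requirement described above still applies.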
