Clickjacking is one of the most used attacks on Facebook. Scammers use this attack to increase the likes of a Facebook page and to spread malicious links on Facebook users' profiles. Most of the strange-looking, self-spreading scams on Facebook are Clickjacking attacks.
The name Clickjacking comes from "click hijacking". In this attack, the hacker hijacks the user's click to perform some action on a web page. The attack is also known as a User Interface redress attack, UI redress attack or UI redressing. The hacker tricks an innocent user into clicking on something that is not what the user thinks they are clicking: the user tries to click a link or button for one specific task, while the button or link actually performs something else.
How does this attack work?
As the name suggests, the hacker hijacks the click of the user. That sounds complicated, but the mechanism is simple: the hacker uses modified frames positioned so that only a specific part of the framed web page is visible on the page.
For example, imagine a hacker creates a website that has a button on it which says "click here to get free gifts". But on top of that web page, the hacker has embedded an iframe with a subscription button placed directly over the "free gifts" button. The visiting victim tries to click the free gifts button but actually clicks the invisible subscription button instead.
This attack is performed with the help of two iframes. First, the target button is brought to the top left of the page by loading the page that originally contains it in an iframe and offsetting that iframe. This first iframe is used to hide all the other elements of the web page that contains the button. The hacker hides the border and the scrollbars, which makes the frame hard to identify on the page.
<!-- The framed page, offset so that only the target button remains in view -->
<iframe id="inner"
src="http://hackingtricks.in" frameborder="0" scrolling="no"
width="1000" height="3000"></iframe>
<style>
/* Shift the framed page up and left until the target button sits at the top-left corner */
#inner { position: absolute; left: -600px; top: -600px; }
</style>
Change the position and iframe size according to the button you are adding.
Now this web page is added to the target web page inside a second iframe, at the position where the button should appear. The second iframe places the button on the target page where it is to be clickjacked. No border or scrollbars are used on this frame either. Then some text and images are added around the framed button so that it appears to be part of the page, together with a false message to get users to click the button.
LikeJacking: Likejacking is not a different attack. It is the Clickjacking attack used to increase the likes of a Facebook page or a Facebook post. Facebook got the solution to prevent this attack at Facebook's hacking event, Hackathon. Although Facebook has implemented many security levels to prevent this attack, hackers always find some way to perform it on Facebook.
Protection against this attack: This is a harmful attack, and it can be prevented on both the server side and the client side.
Server Side Protection: The most successful server-side protection against this attack is "Defending with Frame Breaking Scripts." Here the web developer adds a script to the web page which prevents the page from being framed. This is the code used to prevent the page from being framed (the body is hidden by default and only shown when the page is the top-level window):
<style>body { display: none; }</style>
<script type="text/javascript">
// Frame-breaking script: the body stays hidden unless this page is the top window
if (self == top) {
  // Not framed: reveal the page content
  var theBody = document.getElementsByTagName('body')[0];
  theBody.style.display = "block";
} else {
  // Framed: break out of the frame by navigating the top window to this page
  top.location = self.location;
}
</script>
But there are a few methods which can break this protection.
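Because a frame-breaking script only runs once the page is already loaded inside the frame, the browser itself can be told whether framing is allowed at all, using the X-Frame-Options and Content-Security-Policy frame-ancestors response headers. The following is an added example, not code from the original article: a small Node.js helper that builds those headers for a given allow-list of framing origins, plus an evaluator that mirrors the browser's decision so a policy can be checked offline (the origins used are constructed sample values).

```javascript
// Added example: anti-framing response headers and an offline policy evaluator.

// Build the headers for an allow-list of origins permitted to frame this page.
// An empty list means "nobody may frame this page" (the clickjacking defence).
function antiFramingHeaders(allowedOrigins) {
  const ancestors = allowedOrigins.length
    ? ["'self'", ...allowedOrigins].join(' ')
    : "'none'";
  return {
    // Legacy header for old browsers; it only knows DENY and SAMEORIGIN.
    'X-Frame-Options': allowedOrigins.length ? 'SAMEORIGIN' : 'DENY',
    // Modern header; browsers give it precedence over X-Frame-Options.
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
  };
}

// Mirror of the browser-side decision: may a page at `pageOrigin`, served with
// `headers`, be embedded by a document whose origin is `embedderOrigin`?
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const directive = csp.split(';').map(s => s.trim())
    .find(d => d.startsWith('frame-ancestors'));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    return sources.some(src => {
      if (src === "'none'") return false;
      if (src === "'self'") return embedderOrigin === pageOrigin;
      if (src.includes('*')) {
        // Host wildcard such as https://*.partner.example matches any subdomain
        const re = new RegExp('^' + src.replace(/\./g, '\\.').replace(/\*/g, '[^/]+') + '$');
        return re.test(embedderOrigin);
      }
      return src === embedderOrigin;
    });
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // No policy at all: any site may frame the page.
}

// Request handler that refuses all framing; wire it up with
// require('http').createServer(handleRequest).listen(8080);
function handleRequest(req, res) {
  res.writeHead(200, { 'Content-Type': 'text/html', ...antiFramingHeaders([]) });
  res.end('<h1>Protected page</h1>');
}

module.exports = { antiFramingHeaders, framingAllowed, handleRequest };
```

Run the evaluator against the headers a real deployment returns (for example the output of curl -I) to confirm the page cannot be framed by an arbitrary origin.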
Client Side Protections: There are some add-ons and tools available which are used to protect browsers against this attack.
NoScript: Without doubt, NoScript is the most useful Firefox add-on for protecting users from many types of web attacks. This add-on also prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets. It is the best security tool against this attack.
Ghostery: This is also a nice browser extension that is used to protect users against this attack. This privacy extension enables users to detect and control the tags, web bugs, pixels and beacons on a web page that can collect data from their web browsers.
Since, as we know, no permanent server-side solution exists to prevent this attack, we should also add protection to our own web browsing. So I suggest that all users use client-side solutions. If you use Mozilla Firefox, you must have the NoScript add-on in your web browser. It will protect you against many types of web attacks.
Author Bio:
Deepanker Verma is a security researcher and a computer programmer. You can follow his articles on
http://hackingtricks.in and
http://www.tricksndtricks.in