Clickjacking, a simple and effective attack


This has long been used to trick users into completing actions or divulging information

What is Clickjacking?

Clickjacking takes many forms but the goal is to get the user to do something, or divulge some information, that they did not intend to. The attack itself is very simple and easy for an attacker to carry out, requiring little to no resources.

A common form of Clickjacking is Nested Clickjacking, where an attacker will frame a target site in a nested browsing context on their own site. They can then overlay their own forms, buttons or controls over the top of the framed site, deceiving the user.

To the user it appears that they are on the legitimate site, and they may inadvertently disclose information such as passwords when typing into a form field they think belongs to the legitimate site but is actually in a transparent overlay on the attacker-controlled site.



Clickjacking in the browser

Problems with Clickjacking

Whilst Clickjacking is a simple attack to carry out, mitigating it is also relatively simple. That said, without protections in place a user could easily be exposed to an attack.

Historically we used to depend on the X-Frame-Options header as a Clickjacking defence, but now we have something much more flexible and reliable.



XFO deny header

Content Security Policy

Within the CSP specification we have the frame-ancestors directive which allows us to control which sites, if any, are allowed to place our site inside an iframe.

By defining a simple list of sites that are allowed to frame us, or specifying 'none' if we don't want anyone to frame us, we have an effective protection against Clickjacking.

If you do specify 'none' and wish to block all framing, you should also specify the older XFO header as an additional, and backwards compatible, protection.



CSP with frame-ancestors none
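As an added example (not code from the article), the check below reads a response's headers and reports whether frame-ancestors and X-Frame-Options protect the page, including the recommendation above to pair 'none' with the older XFO header; all header values in it are constructed.

```python
# Added example (not from the article): classify a response's framing
# protection from its headers, the way a scanner or CI check would.
# Modern browsers honour frame-ancestors and ignore X-Frame-Options when both
# are present; older browsers only understand X-Frame-Options (XFO).
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> dict:
    """Evaluate clickjacking protection; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {"csp_protects": False, "xfo_protects": False, "notes": []}

    # Content-Security-Policy-Report-Only only reports, it never blocks framing.
    fa = parse_frame_ancestors(h.get("content-security-policy", ""))
    if fa is None:
        result["notes"].append("no frame-ancestors directive")
    elif "*" in fa or "http:" in fa or "https:" in fa:
        result["notes"].append("frame-ancestors allows arbitrary sites to frame the page")
    else:
        result["csp_protects"] = True  # 'none', 'self' or an explicit allow-list

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        result["xfo_protects"] = True
    elif xfo.startswith("ALLOW-FROM"):
        result["notes"].append("XFO ALLOW-FROM is not supported by current browsers")
    elif not xfo and fa is not None:
        result["notes"].append("add X-Frame-Options for browsers without frame-ancestors support")

    # The article recommends both; flag a legacy header that contradicts the CSP.
    if fa == ["'none'"] and xfo == "SAMEORIGIN":
        result["notes"].append("frame-ancestors 'none' but XFO SAMEORIGIN: legacy browsers allow self-framing")
    return result


if __name__ == "__main__":
    # Constructed sample: the configuration the article recommends.
    good = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY"}
    print(framing_policy(good))  # both flags True, no notes
```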
