Clickjacking, a simple and effective attack
This has long been used to trick users into completing actions or divulging information
What is Clickjacking?
Clickjacking takes many forms but the goal is to get the user to do something, or divulge some information, that they did not intend to. The attack itself is very simple and easy for an attacker to carry out, requiring little to no resources.
A common form of Clickjacking is Nested Clickjacking, where an attacker will frame a target site in a nested browsing context on their own site. They can then overlay their own forms, buttons or controls over the top of the framed site, deceiving the user.
To the user it appears that they are on the legitimate site. They may inadvertently disclose information such as passwords by typing into a form field they believe belongs to the legitimate site, when it is actually a transparent overlay on the attacker-controlled site.
Problems with Clickjacking
Whilst Clickjacking is a simple attack to carry out, mitigating it is also relatively simple. That said, without protections in place, a user could easily be exposed to an attack.
Historically we depended on the X-Frame-Options header as a Clickjacking defence, but now we have something much more flexible and reliable.
Content Security Policy
Within the CSP specification we have the frame-ancestors directive which allows us to control which sites, if any, are allowed to place our site inside an iframe.
By defining a simple list of sites that are allowed to frame us, or specifying 'none' if we don't want anyone to frame us, we have an effective protection against Clickjacking.
If you do specify 'none' and wish to block all framing, you should also send the older X-Frame-Options (XFO) header as an additional, backwards-compatible protection for browsers that do not support frame-ancestors.
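To make the two mechanisms concrete, here is an added example that is not part of the original article: a small Python checker that, given a set of response headers, decides whether a page may be framed by a particular origin. It applies the frame-ancestors directive first (browsers that support it ignore X-Frame-Options when frame-ancestors is present) and falls back to X-Frame-Options otherwise. The header sets and origins (bank.example, partner.example) are constructed for illustration; the matching logic follows the CSP rules for 'none', 'self', scheme sources and host sources with a leading wildcard.

```python
"""Check whether a response's headers allow it to be framed by a given origin.

Added example (not from the original article). Implements the subset of CSP
frame-ancestors and X-Frame-Options semantics needed to reason about
Clickjacking protection. Sample headers and origins below are constructed.
"""
from urllib.parse import urlsplit


def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def same_origin(a, b):
    """Two URLs share an origin when scheme and host[:port] are equal."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower(), pa.netloc.lower()) == (pb.scheme.lower(), pb.netloc.lower())


def _host_matches(pattern, origin):
    """Match a CSP host-source such as https://*.partner.example against an origin."""
    o = urlsplit(origin)
    if "://" in pattern:
        p = urlsplit(pattern)
        if p.scheme.lower() != o.scheme.lower():
            return False
        host_pattern = p.netloc.lower()
    else:
        host_pattern = pattern.lower()
    host = o.netloc.lower()
    if host_pattern.startswith("*."):
        # *.partner.example matches app.partner.example but not partner.example itself
        return host.endswith(host_pattern[1:])
    return host == host_pattern


def _frame_ancestors_allow(sources, page_origin, framer_origin):
    """Apply the frame-ancestors source list to a candidate framing origin."""
    # An empty list, or a list that is exactly 'none', matches nothing.
    if not sources or (len(sources) == 1 and sources[0].lower() == "'none'"):
        return False
    for src in sources:
        lowered = src.lower()
        if lowered == "'self'":
            if same_origin(page_origin, framer_origin):
                return True
        elif lowered == "*":
            return True
        elif lowered.endswith(":") and "/" not in lowered:
            # scheme-source, e.g. "https:" matches any https origin
            if urlsplit(framer_origin).scheme.lower() == lowered[:-1]:
                return True
        elif lowered != "'none'":
            if _host_matches(src, framer_origin):
                return True
    return False


def framing_allowed(headers, page_origin, framer_origin):
    """Return True if framer_origin may embed the page served with these headers."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        policy = parse_csp(csp)
        if "frame-ancestors" in policy:
            # When frame-ancestors is present, X-Frame-Options is ignored.
            return _frame_ancestors_allow(policy["frame-ancestors"], page_origin, framer_origin)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin(page_origin, framer_origin)
    # No recognised directive: browsers ignore the header and framing is allowed.
    return True


# Constructed header sets: one unprotected, one XFO-only, and two using CSP.
UNPROTECTED = {"Content-Type": "text/html"}
XFO_ONLY = {"X-Frame-Options": "DENY"}
CSP_NONE = {"Content-Security-Policy": "frame-ancestors 'none'",
            "X-Frame-Options": "DENY"}
CSP_ALLOWLIST = {"Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'self' https://*.partner.example"}

if __name__ == "__main__":
    page = "https://bank.example"
    for name, hdrs in [("unprotected", UNPROTECTED), ("xfo-only", XFO_ONLY),
                       ("csp-none", CSP_NONE), ("csp-allowlist", CSP_ALLOWLIST)]:
        for framer in ["https://evil.example", "https://app.partner.example", page]:
            print(f"{name:14} framed by {framer:30} -> {framing_allowed(hdrs, page, framer)}")
```

The CSP_ALLOWLIST set shows the flexibility the article refers to: the page can still be embedded by itself and by subdomains of a named partner over https, while any other origin, the bare apex partner.example, and the same partner host over plain http are all refused.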