
CLICKJACKING

VULNERABILITY
REPORT

MALAV UMESHKUMAR PATEL (S5672581)


UNIVERSITY OF GENOA, ITALY
MASTER’S IN ENGINEERING TECHNOLOGY FOR STRATEGY AND SECURITY
STRATEGIES IN TELECOMMUNICATION (CYBER SECURITY PART)

PROFESSOR:
Enrico Cambiaso
Consiglio Nazionale delle Ricerche (CNR)
A Corso Perrone, 24 - 16152 Genoa (Italy)
T +39 010 6475 226 F +39 010 6475 200
E enrico.cambiaso@cnr.it
INDEX

I. How does clickjacking work?

II. Illustrating a Clickjacking attack

III. Effective Strategies to Counter Clickjacking Attacks

IV. Enhancing Security: Safeguarding Against Clickjacking Using X-Frame-Options

V. Safeguarding Against Clickjacking with the SAMEORIGIN Option

VI. X-Frame-Options: Limitations and Considerations

VII. Assessing Clickjacking Vulnerabilities: Test the Security of Your Site

VIII. Assessing the HTML Page in a Browser: Evaluation Steps

IX. Conclusion

I. How does clickjacking work?
Clickjacking tricks a user into clicking an element of a web page that is hidden or disguised
as something else. As a result, users may unwittingly download malware, visit malicious
websites, disclose private data or login credentials, send money, or make purchases online.

The most common technique is to load the target page, or a single HTML element of it, into an
invisible iframe placed on top of the page the user sees. When the user believes they are
clicking the visible page, they are in fact clicking an unseen element of the page superimposed
on it.

The invisible page may be a legitimate page the user did not intend to interact with, or a
malicious one. A page on the user's banking website that performs a money transfer is the
classic example.

There are several types of clickjacking attacks, such as:

• Likejacking manipulates the Facebook "Like" button so that users "like" a page they
never intended to.

• Cursorjacking is a UI-redressing technique that displaces the cursor from where the user
perceives it to be. It relied on flaws in Firefox and Flash that have since been fixed.

II. Illustrating a Clickjacking attack
1) The attacker builds a visually appealing page that offers the user a free trip to Tahiti.

2) In the background, the attacker's page loads the bank's money-transfer page in an iframe,
using query parameters to pre-fill the attacker's account details into the transfer form.
This only works if the user is currently signed in to the bank in the same browser, so that
the framed page renders with the user's session.

3) The iframe is made invisible and positioned so that the bank page's "Confirm Transfer"
button sits exactly on top of the decoy page's "Book My Free Trip" button.

4) The user arrives at the page and clicks "Book My Free Trip".

5) Because the invisible iframe is the topmost element under the mouse, the click lands on
"Confirm Transfer". Money is moved from the user's account to the attacker's.

This example illustrates the mechanics of a clickjacking attack: a user who is logged in to
their own account is made to carry out a transaction on the bank's website without realizing
it. Note that the attack depends on the browser sending the bank's session cookie with the
framed request; a session cookie set with the SameSite=Lax or SameSite=Strict attribute is
not sent in a cross-site iframe, which already defeats this scenario.

III. Effective Strategies to Counter Clickjacking Attacks

Two common approaches to counter clickjacking attacks:

• Client-side techniques: frame busting (JavaScript in the page that detects that it has been
framed and tries to break out of the frame) is widely used but considered suboptimal, because
it can be circumvented, for example by loading the page into a sandboxed iframe that is not
allowed to navigate the top window.

• Server-side techniques, of which the X-Frame-Options response header is the most popular.
Security professionals recommend server-side techniques as the viable countermeasure to
clickjacking.

IV. Enhancing Security: Safeguarding Against Clickjacking
Using X-Frame Options
Whether a web page may be rendered inside a <frame> or <iframe> is indicated to the browser by
the X-Frame-Options response header, which is sent as part of the HTTP response for that page.

The X-Frame-Options header can take one of three values:

• DENY - the page may not be displayed in a frame on any site, including its own.

• SAMEORIGIN - the page may be framed only by pages from the same origin (scheme, host and
port) as the page itself; framing from any other site is refused.

• ALLOW-FROM uri - the page may be framed only by the single origin given, for example
ALLOW-FROM https://www.example.com. Chrome and Safari never supported this value and Firefox
has removed it, so current browsers do not honour it.

V. Safeguarding Against Clickjacking with the SAMEORIGIN
Option
By setting X-Frame-Options, content publishers prevent their pages from being loaded into
invisible frames on other sites, which is exactly what the attack relies on.

The most restrictive option is DENY, which forbids framing of the page anywhere and gives the
strongest protection. SAMEORIGIN is used more often because it still allows the site to frame
its own pages while refusing framing from any other origin.

VI. X-Frame-Options: Limitations and Considerations
• X-Frame-Options is a per-response header: it must be sent with every page (including error
pages and pages served by other components) for the protection to cover the whole site. It
cannot be declared once for a site, nor set on behalf of another site.

• X-Frame-Options offers no allow-list of permitted origins, so it cannot serve multi-domain
sites that need to display framed content across different domains. The frame-ancestors
directive of Content-Security-Policy, which supersedes X-Frame-Options, accepts a list of
origins and takes precedence when both headers are present.

• Only one value may be used per page, so the same page cannot be framed both on the current
site and on an external site. A response carrying several different X-Frame-Options values is
refused by browsers altogether.

• ALLOW-FROM is not honoured by current browsers. A browser that does not recognise the value
ignores the whole header, which leaves the page unprotected rather than restricted.

• X-Frame-Options itself is not deprecated: DENY and SAMEORIGIN remain supported by all major
browsers. It has, however, been superseded by the Content-Security-Policy frame-ancestors
directive, and the two are commonly sent together.

VII. Assessing Clickjacking Vulnerabilities: Test the Security of
Your Site
To determine whether your website is vulnerable to clickjacking, you can run a straightforward
test: create an HTML page that embeds a sensitive page of your website in an iframe. Serve the
test page from a separate web server, i.e. a different origin, since that mimics how a real
clickjacking attack is delivered and is exactly what a SAMEORIGIN policy must reject.

On the login page of the Italian website https://www.gamestop.it, I discovered and
successfully exploited a clickjacking vulnerability. The following code was used.

POC:

<!DOCTYPE html>
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <p>Website is vulnerable to clickjacking!</p>
    <!-- the sensitive page under test, framed from a different origin -->
    <iframe src="https://www.gamestop.it/Account/Login" width="500" height="500"></iframe>
  </body>
</html>

VIII. Assessing the HTML Page in a Browser: Evaluation Steps

• The page is clickjackable if the text "Website is vulnerable to clickjacking!" appears and
the content of your sensitive page is rendered beneath it, inside the frame.

• If only the text appears and the frame stays blank (or the browser reports that the page
refused to connect), the website is not susceptible to clickjacking in its most basic form.

Nevertheless, further analysis is necessary to identify which anti-clickjacking technique the
page relies on (an X-Frame-Options header, a Content-Security-Policy frame-ancestors
directive, or a frame-busting script) and to assess whether an attacker could circumvent it;
a frame-busting script, for example, should also be tested against a sandboxed iframe, which
it cannot break out of.
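As an added example that is not part of the original report, the following Node.js code ties sections IV to VI and VII to VIII together. framingHeaders() produces the headers a server should send for a given policy (X-Frame-Options together with the Content-Security-Policy frame-ancestors directive that supersedes it), and assessFraming() takes the response headers captured for a page, for instance from the browser's network panel or curl -I, and reports whether a page at a given origin could frame it, following the order in which browsers evaluate the two headers. The responses below are constructed, not captured from any site, all hostnames are assumptions, and CSP host matching is simplified (a source without an explicit port matches any port).

```javascript
// Added example, not the report's code. Constructed headers, assumed hosts.

// ---- Server side: what to send for a given framing policy -----------------
// Both headers are sent: X-Frame-Options for old browsers, frame-ancestors
// for current ones (which give CSP precedence when both are present).
function framingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case 'deny':        // login, transfer, any page with a sensitive click
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':  // the site may frame its own pages, nobody else may
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'allowlist':   // partners may frame: only CSP can express a list
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy':
                 `frame-ancestors 'self' ${allowedOrigins.join(' ')}` };
    default:
      throw new Error(`unknown framing policy: ${policy}`);
  }
}

// ---- Assessment side: could framerUrl embed pageUrl, given its headers? ---
const originOf = (url) => { const u = new URL(url); return `${u.protocol}//${u.host}`; };

// All values of a header: case-insensitive name, repeated or comma-joined.
function headerValues(headers, name) {
  return Object.keys(headers)
    .filter((k) => k.toLowerCase() === name.toLowerCase())
    .flatMap((k) => [].concat(headers[k]))
    .flatMap((v) => v.split(','))
    .map((v) => v.trim())
    .filter(Boolean);
}

// Does one CSP source expression match the framing origin?
function sourceMatches(src, pageOrigin, framerOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {                 // scheme-source, e.g. https:
    return framerOrigin.toLowerCase().startsWith(src.toLowerCase() + '//');
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;                                    // not a host-source
  const [, scheme, wildcard, host, port] = m;
  const f = new URL(framerOrigin);
  if (scheme && `${scheme.toLowerCase()}:` !== f.protocol) return false;
  const fh = f.hostname.toLowerCase(), h = host.toLowerCase();
  if (wildcard ? !fh.endsWith('.' + h) : fh !== h) return false;
  return !port || port === '*' || port === f.port;         // simplified port rule
}

// Verdict { frameable, reason }. Order follows the browser: a CSP
// frame-ancestors directive, when present, decides; otherwise X-Frame-Options.
function assessFraming(headers, pageUrl, framerUrl) {
  const pageOrigin = originOf(pageUrl), framerOrigin = originOf(framerUrl);

  const faDirectives = headerValues(headers, 'content-security-policy')
    .flatMap((policy) => policy.split(';').map((d) => d.trim()))
    .filter((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (faDirectives.length) {
    for (const d of faDirectives) {                        // every policy must allow
      const sources = d.split(/\s+/).slice(1);             // empty list means 'none'
      if (!sources.some((s) => sourceMatches(s, pageOrigin, framerOrigin))) {
        return { frameable: false, reason: `blocked by CSP "${d}"` };
      }
    }
    return { frameable: true, reason: 'allowed by CSP frame-ancestors' };
  }

  // X-Frame-Options, processed as the HTML standard specifies.
  const xfo = [...new Set(headerValues(headers, 'x-frame-options').map((v) => v.toLowerCase()))];
  if (xfo.length === 0) return { frameable: true, reason: 'no anti-framing header' };
  if (xfo.length > 1) return { frameable: false, reason: 'conflicting X-Frame-Options values' };
  if (xfo[0] === 'deny') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo[0] === 'sameorigin') {
    const same = framerOrigin === pageOrigin;
    return { frameable: same, reason: `X-Frame-Options: SAMEORIGIN, framer ${same ? 'is' : 'is not'} same-origin` };
  }
  // ALLOW-FROM and anything else unrecognised: the header is ignored entirely.
  return { frameable: true, reason: `X-Frame-Options "${xfo[0]}" is not honoured; page unprotected` };
}

// Constructed responses for the report's manual test (assumed bank login page).
const PAGE = 'https://bank.example/Account/Login';
const ATTACKER = 'https://attacker.example/poc.html';
const SAMPLE_RESPONSES = {
  unprotected:     {},
  denied:          framingHeaders('deny'),
  partnerOnly:     framingHeaders('allowlist', ['https://partner.example']),
  legacyAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
};

// name -> true when the framer could embed PAGE given that response's headers
function assessAll(responses = SAMPLE_RESPONSES, framer = ATTACKER) {
  return Object.fromEntries(Object.entries(responses)
    .map(([name, h]) => [name, assessFraming(h, PAGE, framer).frameable]));
}
```

The legacyAllowFrom case is the one worth remembering from section VI: a header that only says ALLOW-FROM is reported as frameable, because a browser that does not understand the value drops the whole header.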

IX. Conclusion

By tricking users into interacting with hidden or disguised elements on web pages, clickjacking
is a stealthy attack that can have unintended results such as malware downloads, visits to
malicious websites, disclosure of sensitive information, unauthorized money transfers, or
unintended online purchases. To carry out the attack, an invisible page or HTML element is
overlaid on top of the content the user sees, so that the user's click is delivered to it.
There are also other variants of clickjacking, such as likejacking and cursorjacking.

Client-side and server-side defences are the two main types of defence used to reduce
clickjacking. Client-side techniques such as frame busting are not regarded as best practice
because they are simple to get around. Security experts instead advise server-side techniques
such as X-Frame-Options to defend against clickjacking attacks.

The X-Frame-Options response header is the popular server-side technique for indicating
whether a browser may display a web page within a frame or iframe. Three values are defined:
DENY, SAMEORIGIN and ALLOW-FROM uri. DENY forbids framing entirely, SAMEORIGIN allows framing
only by pages of the same origin, and ALLOW-FROM names a single permitted origin. Although
X-Frame-Options is a useful defence, it has drawbacks: the header must be sent with every page
individually, it cannot allow-list several domains, a page can carry only one value, and the
ALLOW-FROM value is no longer honoured by current browsers. The Content-Security-Policy
frame-ancestors directive addresses these gaps and is now sent alongside it.

It is critical for website owners to test their sites' susceptibility to clickjacking. Creating
an HTML page on another origin and attempting to embed a sensitive page in an iframe is a
straightforward test: the website is susceptible to clickjacking if the sensitive content is
visible inside the iframe. Whether the protection in place can be bypassed requires further
analysis.

Overall, clickjacking is still a serious issue, but organizations can reduce the risk of
attacks and safeguard sensitive user data by being aware of the threat, implementing
server-side defences correctly, and conducting regular vulnerability tests.
