Clickjacking

Raghav
2 min read · Oct 1, 2021

Description:

Clickjacking is an attack that tricks a user into clicking a web page element that is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online. Clickjacking is similar to CSRF, with the extra requirement that the victim clicks somewhere on the clickjacked page (which is usually easy to arrange). Because the action is carried out by the legitimate page itself, loaded inside a hidden frame with the victim's cookies, anti-CSRF tokens offer no protection, and the impact can be critical depending on the component or function that can be reached.

Clickjacking (also called a user interface redress attack, UI redress attack, or UI redressing) is a malicious technique of tricking a web user into clicking on something different from what they perceive they are clicking on, potentially revealing confidential information or giving the attacker control of their account while they interact with seemingly innocuous web pages.

If the server does not return an X-Frame-Options header (or a Content-Security-Policy frame-ancestors directive), the website may be at risk of a clickjacking attack. The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render a page in a <frame> or <iframe>. Sites use it to avoid clickjacking by ensuring that their content is not embedded into other sites.

Steps to reproduce:

Step 1: Select the target and check whether it is served over http or https.

Step 2: Open clickjacker.io to check whether the target is vulnerable to clickjacking, i.e. whether the page can be loaded inside a frame.

Step 3: If it is, create an HTML page that loads the target in an invisible iframe positioned over a decoy element.

Step 4: Check whether the clickjacking works: the target page renders inside the frame and clicks on the decoy reach it.

Step 5: If it works, the target is vulnerable to clickjacking.

PoC:

Impact:

Such a vulnerability, when exploited in the wild by attackers, would:

Affect users' interactions with your platform. Such unintended behaviour is definitely not wanted by any user.

Such an effect on your users could significantly harm your overall reputation and cause customer loss.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of style sheets, iframes and text boxes, a user can be led to believe they are typing the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

Mitigation:

These attacks can be prevented by sending the X-Frame-Options header (DENY, or SAMEORIGIN if the site frames its own pages) and, for current browsers, the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options and can also allow specific trusted origins. JavaScript frame-busting alone is not a reliable defence, because an attacker's iframe can be sandboxed so that the target's scripts cannot navigate the top window.
