Saturday 24 September 2011

Clickjacking | attack and protection

I was surfing around the internet when I saw the news saying that a clickjacking attack is now targeting Facebook users. Yeah, it's bad news for Facebook users. Then it came to my mind that I hadn't told my readers about this attack. Now it is important to know about this attack because this is a very advanced attack and needs some programming skill. I will try to explain it simply, but it is a little bit complicated for a non-programmer to understand; still, it's not as hard as you are thinking now :)


Clickjacking is short for click hijacking. This vulnerability is used by an attacker to collect an infected user's clicks. The attacker can force the user to do all sorts of things, from adjusting the user's computer settings to unwittingly sending the user to web sites that might host malicious code. So how can an attacker adjust a user's computer settings? The attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for the visible page and routing them to another page, most likely owned by another application, domain, or both.
The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. The exploit is also known as UI redressing.

Attack Example:
The user receives an email with a link to a video about a news item, but another valid page, say a product page on Amazon, can be "hidden" on top of or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.

Protection:
NoScript: This is the best prevention against clickjacking. It is a Firefox add-on and prevents users from clicking invisible elements.
GuardedID: It is a commercial product which provides client-side clickjack protection for users of IE or Firefox without interfering with the operation of legitimate iframes.
Comitari Web Protection Suite: Comitari provides client-side protection against clickjacking (aka UI redressing) attacks. It is installed as a browser add-on.
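The add-ons above protect a single user's browser; a site owner can instead tell every browser that the page may not be rendered inside another site's frame, which defeats the transparent-overlay trick described above. The following is an added example (not code from the original post) that builds the two real response headers used for this, X-Frame-Options and Content-Security-Policy frame-ancestors, and checks whether a given set of response headers would stop framing; the function names and sample headers are my own assumptions.

```javascript
// Added example: server-side anti-framing defence for clickjacking.
// Builds the headers a page should send, and assesses a response's
// headers the way a security review would (hypothetical helper names).

// Headers to send; with no allowedOrigin, forbid framing entirely.
function antiFramingHeaders(allowedOrigin) {
  if (!allowedOrigin) {
    return {
      'x-frame-options': 'DENY',
      'content-security-policy': "frame-ancestors 'none'",
    };
  }
  // Allow only the page's own origin and one trusted partner origin.
  return {
    'x-frame-options': 'SAMEORIGIN',
    'content-security-policy': `frame-ancestors 'self' ${allowedOrigin}`,
  };
}

// headers: object with lowercased names, like Node's res.getHeaders().
// Returns { protected: boolean, reason: string }.
function assessFraming(headers) {
  // CSP frame-ancestors wins over X-Frame-Options when both are present.
  const csp = (headers['content-security-policy'] || '').toLowerCase();
  const m = csp.match(/frame-ancestors\s+([^;]+)/);
  if (m) {
    const sources = m[1].trim().split(/\s+/);
    if (sources.includes('*')) {
      return { protected: false, reason: "frame-ancestors * allows any site to frame the page" };
    }
    return { protected: true, reason: `CSP frame-ancestors limits framing to: ${sources.join(' ')}` };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    return { protected: false, reason: 'ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors' };
  }
  return { protected: false, reason: 'no framing restriction: page can be overlaid in a foreign iframe' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  bare: { 'content-type': 'text/html' },
  hardened: antiFramingHeaders(),
  partner: antiFramingHeaders('https://partner.example'),
  openCsp: { 'content-security-policy': "default-src 'self'; frame-ancestors *" },
};
for (const [name, h] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, assessFraming(h));
}
```

Run the file with Node; the `bare` and `openCsp` samples are reported as unprotected, the other two as protected.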


