What is clickjacking ?
The attack works like this: the attacker first creates an HTML page that included an iframe sourced to a legitimate site, but he doesn’t just display the top left 200x200 pixels. Instead, he positions and sizes the iframe and other page elements so that only the pixels of a specific control, such as a button, of the victim page are visible. The attacker then presents this partial iframe control in a completely different context from its original context in order to trick users into pressing it.
Clickhijacking.html
1. Make a HTML file using below code and save with an html extension Or execute attached html file named "Gowall_Clickjacking.html".
html
body
h1>Hello World
iframe src="http://www.google.com/" height="200px" width="200px" /
/body
/html
2. Execute saved html file by clicking on it.
3. Observe that Google.com website is loaded in iframe in web page.
google website is loaded in iframe in web page.
For More information of attack visit:
1)http://blogs.msdn.com/sdl/archive/2009/02/05/clickjacking-defense-in-ie8.aspx
2)http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
3)http://www.sectheory.com/clickjacking.htm
If page is displayed in the iFrame then site is vulnerable to clickjacking and if the target page load with as normal page in browser then it is not vulnerable.
--> We should also check all the pages of application whether they set the top.location javascript as shown below code or not. If not then those pages are vulnerable.
Prevention :
There are some techniques exit to prevent clickjacking for the website. For more information visit
1)http://usablelayout.com/articles/automatically-break-out-iframe
2)https://blogs.sans.org/appsecstreetfighter/2009/10/15/adoption-of-x-frame-options-header/
Some known site like gmail dosn't allow their page to be loaded in iFrame which prenvents from clickjacking attack: I have attached the gmail script named 'Gmail_Clickhijacking.html' execute it and oberve the behaviour.
