Monday, 23 December 2013

Clickjacking, also known as a UI-redress attack, misleads the victim by overlaying multiple frames and making some of them invisible. The victim sees one web page, but his or her click actually lands on a different page chosen by the attacker. The attack takes advantage of the HTML iframe element. Since Robert Hansen and Jeremiah Grossman announced a talk on the topic at OWASP AppSec 2008, there has been a flood of news, discussions, and demonstrations of clickjacking.
Since it is the victim who actually, but unknowingly, clicks on the element of the legitimate page, the action looks “safe” from the browser’s point of view; that is, the same-origin policy is not violated. Clickjacking attacks have been reported to be usable in practice to trick users into initiating money transfers, clicking on banner ads as part of advertising click fraud, posting blog or forum messages, or, in general, performing any action that can be triggered by a mouse click. Beyond the several proof-of-concept clickjacking examples posted on security blogs, it is not clear to what extent clickjacking is used by attackers in practice.

To see clickjacking in action, visit the Clickjacking demonstration.

I am not going to explain how to clickjack a web site here; instead, here is how you can protect yourself as a user:

1. Do not click on suspicious links, pop-ups, or links embedded in images or videos.
2. Do not enter data on an unknown web page.
3. Always check the URL of the web site you are on.
4. Use a browser add-on such as NoScript, or disable JavaScript while entering data into a web page.

Now, how to protect our web site from clickjacking

Frame-busting: This technique checks whether the web page is the topmost window or is embedded in a frame. If the page is embedded, it busts out of the frame and makes itself the topmost window. This is achieved with the help of the DOM property called top (window.top), which refers to the topmost ancestor window; a page that has not been framed sees window.top equal to window.self.

<script type="text/javascript">
function breakout() { // run once on page load
  if (window.top !== window.self) { window.top.location = window.self.location; } // framed: replace the top window with this page
}
breakout();
</script>

The JavaScript above is a sample frame-busting function. Note that frame-busting scripts can be bypassed (for example, an attacker can load the page in an iframe with the sandbox attribute so that its script never runs, or interfere with the redirect), so they should be combined with the X-Frame-Options response header, which tells the browser itself not to render the page inside a frame.
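As an added example (not code from the original post), here is the hardened variant of this defence a practitioner would deploy: the page body is hidden by CSS until the script confirms it is the topmost window, the framing decision is isolated in a function that can be exercised with constructed window-like objects, and the server also sends the X-Frame-Options and Content-Security-Policy frame-ancestors headers so the browser refuses to frame the page at all. The function names, the style element id antiCJ, and the sample page are my own assumptions; the server side is sketched as a plain Node.js request handler.

```javascript
// Added example, not from the original post: hardened frame-busting plus the
// response headers that back it up. Function names and the sample page are
// assumptions made for this illustration.

// Pure decision: given a window-like object with `top` and `self`, report whether
// the page is top-level ("show") or has been framed ("bust"). Only the reference
// comparison is used, because a cross-origin parent makes `top.location` unreadable.
function decideFraming(win) {
  try {
    return win.top === win.self ? "show" : "bust";
  } catch (e) {
    // Accessing `top` can throw in unusual sandboxes; treat the page as framed.
    return "bust";
  }
}

// Headers that make the browser refuse to frame the page at all.
// `allowSelf` permits framing by the page's own origin (for example an internal portal).
function antiClickjackHeaders(allowSelf) {
  return {
    "X-Frame-Options": allowSelf ? "SAMEORIGIN" : "DENY",
    "Content-Security-Policy": allowSelf ? "frame-ancestors 'self'" : "frame-ancestors 'none'",
  };
}

// In-page defence for browsers that ignore the headers: the body is hidden by a
// stylesheet that is removed only once the page has confirmed it is the topmost
// window. If framed, the page replaces the top-level document with itself.
const FRAME_BUST_HTML = `<!doctype html>
<html><head>
<style id="antiCJ">body { display: none !important; }</style>
<script>
  if (window.top === window.self) {
    var s = document.getElementById("antiCJ");
    s.parentNode.removeChild(s);
  } else {
    window.top.location = window.self.location;
  }
</script>
</head>
<body><h1>Confirm transfer</h1><button>Confirm</button></body></html>`;

// Node.js request handler that serves the sample page with the protective headers.
// Wire it up with: require("http").createServer(handler).listen(8080)
function handler(req, res) {
  const headers = Object.assign({ "Content-Type": "text/html; charset=utf-8" }, antiClickjackHeaders(false));
  res.writeHead(200, headers);
  res.end(FRAME_BUST_HTML);
}
```

The headers are the primary control and the in-page script is the fallback: a browser that honours X-Frame-Options or frame-ancestors never renders the framed page, and one that does not is left with a blank body unless the page proves it is top-level. Use SAMEORIGIN / 'self' only when your own pages genuinely need to frame this one.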

Comment please

Ankush Mohanty is a Security Researcher and Analyst with experience in various aspects of Information Security. He is also a Certified Ethical Hacker. All his efforts are to make the Internet more secure.