How does Clickjacking spread, in layman terms?

Submitted by 和自甴很熟 on 2019-12-08 05:00:30

Clickjacking does not spread.

It is literally as it is stated - jacking clicks - nothing more. However, the consequences of those clicks could be severe.

Imagine you visit a site, evil.example.org. In another tab you are also logged into your bank, bank.example.com.

evil.example.org also loads bank.example.com in an IFrame. However, it uses CSS to make this IFrame invisible. And it does not load the home page, it loads the money transfer page, passing some parameters:

<iframe src="https://bank.example.com/loggedIn/transferMoney?toAccount=Bob&amount=100000"></iframe>

Now, this page does not transfer the money immediately. It asks the user to click to confirm the transfer to Bob.

However, evil.example.org draws a button right underneath the Confirm Transfer button saying Free iPad click here.

Because the IFrame is invisible, the user just sees Free iPad click here. But when they click, the browser registers the click against Confirm Transfer.

Because you are logged into the bank site in another tab, Bob has just nicked your money.

Note that the X-Frame-Options header fixes this vulnerability on your site, assuming it is set to SAMEORIGIN or DENY. You are vulnerable until you add the header. There's a new directive in CSP called frame-ancestors - however, only the latest browsers support it, so you're best off adding both headers at the moment. This will give you protection on Internet Explorer 8 and later, plus Chrome, Firefox, Opera and Safari.

Preventing framing can also help thwart other attacks such as Cross Site History Manipulation.
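As an added example (not part of the answer above), a small offline Python audit that takes a response's headers and reports who can frame the page, the way a site owner would check their own pages before and after adding the two headers the answer recommends. The header names are the ones from the answer; the verdict logic assumes the CSP Level 2 rule that a frame-ancestors directive, when present, takes precedence over X-Frame-Options, and the sample headers are constructed.

```python
"""Offline audit of a page's framing protection, from its response headers alone."""


def parse_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None if absent.

    Quotes around keywords such as 'self' and 'none' are stripped; an empty
    directive ("frame-ancestors;") means 'none' per the CSP spec.
    """
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]] or ["none"]
    return None


def framing_verdict(headers):
    """Classify who may frame the page: 'blocked', 'same-origin',
    'allow-list' or 'frameable' (any origin, i.e. clickjackable).

    headers: dict of header name -> value; names are compared case-insensitively.
    CSP frame-ancestors wins over X-Frame-Options when both are present, so it
    is evaluated first; X-Frame-Options is the fallback for older browsers.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        if sources == ["none"]:
            return "blocked"
        if "*" in sources:
            return "frameable"
        if all(s == "self" for s in sources):
            return "same-origin"
        return "allow-list"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # Any other value (including the legacy ALLOW-FROM) is ignored by current
    # Chrome, Firefox and Safari, which leaves the page with no protection there.
    return "frameable"


if __name__ == "__main__":
    # Constructed headers for the bank's transfer page before and after hardening.
    before = {"Content-Type": "text/html"}
    after = {"X-Frame-Options": "DENY",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
    print("before:", framing_verdict(before))  # frameable
    print("after:", framing_verdict(after))    # blocked
```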
