This type of attack requires an attacker to use javascript. Attacker insists a user perform an undesired action by clicking on a concealed link. The attacker loads another page on it in a transparent layer.
OR
The attacker hijacks the click event of their page and routing them to another page.
<HTML>
<head>
<title>click</title>
</head>
<body>
<p>website vulnerable clickjacking</p>
<iframe src=”url” width=”500” height=”500”></iframe>
</body>
</HTML>
Defend:-
Use clear click functionality in No script. You can use the relaxed setting but make sure you can enable the clear click. This prevents the clickjacking attacks.
Server-side: Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers
The two most popular are X-Frame-Options: Deny and X-Frame-Options: SameOrigin.
Client-side: Most commonly use frame busting code typically consists of a "conditional statement" and a "counter-action" statement. The aim of this technique is to prevent a site from functioning when it is loaded inside a frame.
תגובות