Button is a very common and familiar factor in our lives. It could be a fan switch, a button on a remote control, or a button to activate a nuclear missile in a suitcase of the US president. It can be said that a lot of our work is shortened, easier thanks to those buttons. There are also buttons on websites. Be it the like button on facebook, the download button on a download page, or a lot of other buttons. However, in cyberspace, hackers are everywhere to look, so watch out for the buttons, maybe it’s a big trick for you.
I. Clickjacking and iframes
First of all, talk a little bit about the
<iframe> tag in html. This is a fairly common tag that allows one web page to be embedded into another. It can be said that this is the main contributor, enabling hackers to create a trick with the buttons that they are talking about. That trick is called ClickJacking (UI Redressing) .
So what is Clickjacking actually? Clickjacking is a user-based attack technique to trick the victim into clicking a button, thereby performing an act the victim does not want to perform. This technique often uses the
<iframe> tag to embed a web page (let’s call it web A for short) with a function implemented by a button (like, delete, follow, download …) on the page of hacker. He will then adjust the opacity of the embedded page to near zero so that the user cannot see and create another button just where the web A button is on his page. So users on the hacker web will see a normal button without knowing that when clicking will perform the behavior they do not want in web A.
To give an example to make it easy to understand: I have a bank website like this:
No one would normally press that button, right? But what if a hacker uses clickjacking?
This site will override web banking (opacity ~ 0.01) and users will only see Normal web only. I think the number of people will click on that
goto cat gallery button. But what if behind that cute
nút send 1000$ was
nút send 1000$ was embedded and dimmed with 0.01 opacity? The victim will think that he clicked on the
goto cat gallery but actually clicked on
nút send 1000$ .
That’s it, naturally, $ 1,000 will be deposited into the hacker account without the user knowing.
II. Clickjacking in practice
In fact, clickjacking is a fairly common technique, even for large websites. I will give a few examples:
1. Google YOLO (You only login once)
Google YOLO is a Google service that allows users to log in with google account on the website with just 1 click. However, this feature is quite easy to exploit clickjacking. Thereby hackers can get information such as name, avatar and email of the user. Immediately after being reported, google controlled the frame via a google-controlled whitelist to prevent this type of attack.
2. Tweeter follow button
Twitter is a popular social network. And there are many followers that will be very useful for many purposes such as being famous, buying and selling, creating relationships and so on. Previously, there was a trick to make follow from twitter very simple, just tap clickjacking on the follow button of the page. So just how to trick more people to click, the more I follow. (This error has been corrected by twitter after the report so now you know it is late )
III. Prevent clickjacking
Iframe tag causes clickjacking to be used, then ban iframe tag is done. Unfortunately, many services, especially ads that use iframes, make it difficult to ban the use of this tag. So one has to find other solutions to handle clickjacking.
1. Frame busting
Common conditions used in this technique:
According to a statistic from a research I found, frame busting is quite common. However, it has the limitations of not being able to detect all cases, can bypass, check at the client site … The techniques that can be used to bypass frame busting checks include:
- Double framing
- onBeforeUnload event
- onBeforeUnload – 204 Flushing
<object> tag. This is a fairly effective solution to prevent clickjacking.
There are 2 options for this header:
with deny is preventing the browser from rendering the page while the sameorigin will allow pages in the same origin render. However, the sameorigin option only checks the top windows so if the site has a frame page enabled feature it could be exploited when a hacker frames his page into the site.
3. Samesite cookie
In order to perform clickjacking, the victim needs to be authenticated first at the embedded page. However, the request sent from the iframe is a cross-origin request, so it will be rejected if there is a samesite cookie and a clickjacking attack will not be performed. However, attacks can still occur with pages that use Single Page Applications (SPAs) where session ID / access tokens are stored at
People say: “A hundred hearing is not equal to a seeing” but not everything that is seen before the eyes is also its true nature. What we see may be what others want us to see, so be careful before you believe your eyes. Do not be easy with any buttons if you do not want to be a victim of click jacking one day.