Clickjacking, also known as a "UI redress attack", is a malicious technique that tricks a user into clicking on a button or link on a web page while giving the impression that they are clicking on something else. This is done by using transparent overlays or placing the button or link on another web page that is loaded in a hidden frame. The attacker can then use the user's click to perform actions on their behalf, such as making a purchase or posting a comment. Clickjacking can also be used to steal sensitive information such as login credentials. The attacker can also use the clickjacking technique to spread malware or redirect the user to a phishing website. To prevent clickjacking, website developers can use frame-busting techniques that prevent their website from loading in a frame, or they can use the HTTP header X-Frame-Options, which allows them to restrict which websites are allowed to load their content in a frame. In addition, users can install browser extensions that block frames and overlays, or they can disable JavaScript in their browser.
Identify clickjacking
There are several ways to detect clickjacking on a website:
- Look for transparency: Look for transparent overlays on the website that can hide buttons or links. These overlays are used to trick the user into clicking on something they are not aware of.
- Check the source code: Check the source code of the website to see if it contains hidden frames. These frames can be used to load another web page on top of the visible one to trick the user into clicking on something.
- Check for unexpected actions: Watch out for unexpected actions that occur after clicking a button or link, such as being redirected to another website or having something automatically posted on your behalf.
- Use browser extensions: Use browser extensions that are specifically designed to detect and block clickjacking attempts. These are available for most browsers such as Chrome and Firefox.
- Watch for suspicious behaviour: Watch out for suspicious or unexpected behaviour when browsing a website. It is always best to be cautious and not click on something you are unsure about.
It is important to know that some clickjacking attempts are difficult to detect. Therefore, it is always a good idea to keep up to date with the latest security threats and to be cautious when clicking on links or buttons on unknown websites.
Prevent clickjacking
There are several ways to avoid clickjacking:
- Use the HTTP header X-Frame-Options: With this header you can restrict which websites are allowed to load your content in a frame. Setting X-Frame-Options to "SAMEORIGIN" ensures that your website can only be framed by pages from the same origin.
- Use frame busting techniques: These are scripts that prevent your website from being displayed inside a frame. When the script detects that the page has been loaded in a frame, it redirects the browser to the real website instead of the framed copy.
- Disable JavaScript: Disabling JavaScript in your browser can prevent some clickjacking attacks, as many of these attacks rely on JavaScript to create transparent overlays or hidden frames.
- Use browser extensions: Use browser extensions that are specifically designed to detect and block clickjacking attempts. These are available for most browsers such as Chrome and Firefox.
- Be alert: Be alert if you notice suspicious or unexpected behaviour while browsing a website. It is always best to be cautious and not click on anything you are unsure about.
- Keep your software up to date: Keep all your software, including your browser and operating system, up to date to protect against known security vulnerabilities.
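The frame-busting technique from the list above, as an added example that is not code from the original article: the check is written as a function over a window-like object so the decision logic can be exercised outside a browser (in a real page you would pass the browser's `window`). It assumes the page's head contains `<style id="antiClickjack">body { display: none !important; }</style>` ahead of this script, so nothing is clickable until the check has run; the window stand-ins and URLs are constructed for the demo.

```javascript
// Added example, not from the original article: legacy frame-busting logic.
// Assumes <style id="antiClickjack">body{display:none !important;}</style>
// is in <head> before this script runs.
function bustFrame(win) {
  if (win.top === win.self) {
    // Top-level document: reveal the page by removing the blocking style.
    const blocker = win.document.getElementById("antiClickjack");
    if (blocker) blocker.parentNode.removeChild(blocker);
    return "revealed";
  }
  // Framed: send the outermost window to this page's own URL so the user
  // ends up on the real site, not the framed copy. The body stays hidden
  // meanwhile, so a framer that blocks the navigation gets nothing clickable.
  win.top.location = win.self.location;
  return "busted";
}

// Constructed stand-ins for the browser objects, for the demo and tests.
function fakeWindow(framed) {
  let removed = false;
  const blocker = { parentNode: { removeChild() { removed = true; } } };
  const win = {
    location: "https://shop.example/checkout",
    document: {
      getElementById: id => (id === "antiClickjack" && !removed ? blocker : null),
    },
    bodyHidden: () => !removed,
  };
  win.self = win;
  win.top = framed ? { location: "https://attacker.example/offer" } : win;
  return win;
}

const topLevel = fakeWindow(false);
console.log(bustFrame(topLevel), "body hidden:", topLevel.bodyHidden());
const framedPage = fakeWindow(true);
console.log(bustFrame(framedPage), "top now at:", framedPage.top.location);
```

The X-Frame-Options header remains the primary control; this script only helps in browsers that ignore the header.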
Clickjacking Plugins for WordPress
- “X-Frame-Options" is a simple plugin that allows you to add the X-Frame Option header to your website. This plugin is easy to use and can be configured to set the header to "SAMEORIGIN" or "DENY".
- “HTTP header"is another plugin that allows you to add the X-Frame Option header and other headers to your website. You can also set the header to "SAMEORIGIN" or "DENY".
- “All In One WP Security and Firewall" is a comprehensive security plugin that allows you to add the X-Frame Option Header and many other security features.
- “iThemes Security" is another comprehensive security plugin that allows you to add the X-Frame option header and many other security features
Attention: some caching plugins and CDN services can overwrite the header. You should therefore check the settings of these services to ensure that the header is not overwritten.
Using a plugin is not the only way to add the X-Frame-Options header. It can also be added via .htaccess or the server configuration.
Example of an .htaccess for WordPress
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Add X-Frame-Options header (kept outside the BEGIN/END WordPress markers,
# because WordPress rewrites everything between them when permalinks change)
<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
This .htaccess file contains the standard WordPress rewrite rules necessary to make permalinks work correctly. It also contains the directive that sets the X-Frame-Options header to "SAMEORIGIN" using the Apache module mod_headers, which prevents the website from being loaded in a frame on other domains.
If you already have an .htaccess file, you should append the X-Frame-Options directive to the existing file rather than replacing the entire file. It is also important to make a backup copy of your original .htaccess file in case any problems occur.
You should also remember that some caching plugins and CDN services can overwrite the header. Therefore, you should check the settings of these services to make sure that the header is not overwritten.
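A way to verify that the header described earlier actually reaches the browser, which is the check the caching/CDN caveat calls for: feed this function the headers observed from the live site. It is an added example, not the article's or any plugin's code; the header sets and origins are constructed, and it also evaluates a CSP frame-ancestors directive because browsers that support it honour that directive in preference to X-Frame-Options.

```javascript
// Added example, not from the original article: decide from a response's
// headers whether a page at pageOrigin may be embedded in a frame owned by
// framerOrigin. Run it on headers captured after the CDN or caching layer
// to confirm the protection was not stripped or overwritten.

// Lower-case header names so lookups are case-insensitive.
function headerMap(rawHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns { blocked: boolean, reason: string }.
function framingBlocked(rawHeaders, pageOrigin, framerOrigin) {
  const h = headerMap(rawHeaders);
  const sameOrigin = pageOrigin === framerOrigin;

  // Browsers that understand CSP frame-ancestors use it and ignore
  // X-Frame-Options, so it is evaluated first.
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === "frame-ancestors");
  if (fa) {
    const sources = fa.slice(1).map(s => s.replace(/^'|'$/g, "").toLowerCase());
    const allowed = sources.includes("*")
      || sources.includes(framerOrigin.toLowerCase())
      || (sameOrigin && sources.includes("self"));
    return { blocked: !allowed, reason: `CSP ${fa.join(" ")}` };
  }

  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY") return { blocked: true, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { blocked: !sameOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  // A missing or unrecognised value (including the obsolete ALLOW-FROM)
  // gives no protection in current browsers.
  return {
    blocked: false,
    reason: xfo ? `unrecognised X-Frame-Options "${xfo}"` : "no framing restriction header",
  };
}

// Constructed sample: what the .htaccess above should produce, as a client sees it.
const sampleHeaders = { "Content-Type": "text/html; charset=UTF-8", "X-Frame-Options": "SAMEORIGIN" };

console.log(framingBlocked(sampleHeaders, "https://shop.example", "https://attacker.example"));
```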
Clickjacker.io
https://clickjacker.io is a site built to demonstrate the clickjacking attack technique to website developers and security professionals. It lets visitors experience a clickjacking attack in a controlled environment so they can learn how to detect and prevent this type of attack on their own websites. The site shows different clickjacking scenarios, such as transparent overlays and hidden frames, and explains how clickjacking can be prevented, e.g. through frame-busting techniques, the HTTP header X-Frame-Options and browser extensions.
https://clickjacker.io is a safe website and is used for educational and learning purposes. Not all websites that demonstrate clickjacking are safe.