CAPEC-103: Clickjacking
An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.
Last updated
Overview
While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Experiment
[Craft a clickjacking page] The adversary utilizes web page layering techniques to try to craft a malicious clickjacking page
- The adversary leveraged iframe overlay capabilities to craft a malicious clickjacking page
- The adversary leveraged Flash file overlay capabilities to craft a malicious clickjacking page
- The adversary leveraged Silverlight overlay capabilities to craft a malicious clickjacking page
- The adversary leveraged cross-frame scripting to craft a malicious clickjacking page
- Step 2Exploit
[Adversary lures victim to clickjacking page] Adversary utilizes some form of temptation, misdirection or coercion to lure the victim to loading and interacting with the clickjacking page in a way that increases the chances that the victim will click in the right areas.