
How to Secure your Website from Clickjacking

The recent ransomware attack has raised discussions around “clickjacking.” Clickjacking, also known as a UI redress attack, tricks users into actions such as fraudulent purchases. Hackers steal confidential information such as credit card details and use it without the user’s knowledge. Such cyber-attacks are difficult to track because the victim is led to interact with a fictitious webpage created by the hacker.

What is it?

A clickjack is embedded code or a script that executes when the user clicks a button that does something other than what it appears to do. For example, a user receives an email containing a link to a news video. If he clicks the link and goes to the page, he is not aware that a hidden page, which might be a product page on Amazon.com, is placed on top of or beneath the ‘Play’ icon of the video. When the user plays the news video, they are actually purchasing the linked product. With a single click, the hacker is able to acquire the user’s complete information from Amazon.com.

Other common examples include:

  • Tricking users into enabling their webcam or microphone through the Flash player
  • Following someone on Twitter or Facebook
  • Liking or sharing Facebook links
  • Generating PPC revenue by clicking ads served through Google AdSense
  • Downloading and running malware that gives remote hackers access

How to Secure your Application?

You can follow these steps to check whether your application is exposed to clickjacking:

#1: Download clickjacking-test.html

#2: The following screen will appear:

[Screenshot: ClickJacking Load]

#3: Enter the URL of your application in the ‘URL’ text field.

For example, https://www.hoganlovells.com/

Click ‘Load’. If the following output appears on your screen, your application is not protected against clickjacking.

[Screenshot: Hogan]

#4: However, if the following screen appears after you enter your application’s URL, your application is protected.

[Screenshot: Parent Frame]
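The manual test above loads your page inside an iframe and looks at the result. As an added example (not the page’s clickjacking-test.html and not code from the original post), the following Node.js script checks the same question from the response headers that browsers use to decide whether a page may be framed: X-Frame-Options and the Content-Security-Policy frame-ancestors directive. It assumes Node.js 18 or later for the built-in fetch; the sample header sets are constructed, not captured from any real site. One limitation to keep in mind: a header check cannot see script-based frame busting such as the script described later on this page, so a page protected only by JavaScript is reported as unprotected here even if the iframe test shows it as secure.

```javascript
// Added example: header-based clickjacking check in Node.js (18+ for global fetch).
// Not the original clickjacking-test.html. Sample headers below are constructed.

// Return the source list of a CSP frame-ancestors directive, or null if absent.
// Quotes around keyword sources ('self', 'none') are stripped for easy comparison.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Decide from response headers (lower-case names) whether cross-site framing is blocked.
// Browsers that understand frame-ancestors ignore X-Frame-Options when both are present,
// so CSP is evaluated first.
function evaluateFraming(headers) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.includes('*')) {
      return { protected: false, reason: 'frame-ancestors allows any origin (*)' };
    }
    return { protected: true, reason: `frame-ancestors ${ancestors.join(' ')}` };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete value that current browsers ignore, so it gives no protection.
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is ignored by modern browsers' };
  }
  return { protected: false, reason: 'no X-Frame-Options or frame-ancestors header' };
}

// Fetch a live URL and evaluate its headers.
// Usage: checkUrl('https://example.com').then(console.log)
async function checkUrl(url) {
  const res = await fetch(url, { redirect: 'follow' });
  const headers = {};
  res.headers.forEach((value, name) => { headers[name.toLowerCase()] = value; });
  return { url: res.url, status: res.status, ...evaluateFraming(headers) };
}

// Constructed sample header sets so the logic can be exercised offline.
const SAMPLE_RESPONSES = {
  unprotected: { 'content-type': 'text/html' },
  xfoDeny: { 'x-frame-options': 'DENY' },
  cspNone: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
};

// Map each sample to whether it is protected; returns an object for easy inspection.
function runSamples() {
  const results = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    results[name] = evaluateFraming(headers).protected;
  }
  return results;
}

console.log(runSamples());
```

The cspWildcard sample shows why the CSP directive is checked first: a `frame-ancestors *` directive makes a browser that supports CSP ignore the accompanying `X-Frame-Options: DENY`, so the page is frameable despite the older header being present.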


How to Handle Clickjacking Vulnerabilities in your Application?

Add the following markup to the head section of your webpage to protect your application from clickjacking. The style element must come before the script, because the script looks it up by id:

<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
  // The style above hides the page by default; reveal it only when this
  // document is the top-level window, i.e. it is not inside a frame.
  if (self === top) {
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    // Framed: break out by navigating the top window to this page.
    top.location = self.location;
  }
</script>

What Else can you do to Protect your Application?

When securing your application, consider these points:

  1. Check where links redirect when you click them. For example, if you want to purchase music from the iTunes site, the URL will read store.itunes.com. However, if the web page is clickjacked, the URL will look similar but with a minute difference that is visible only when you scrutinize it.

  2. An extreme measure is to use only a text-based web browser, since it accepts only textual input. This is rarely practical, as text-based browsers hamper the user experience.

  3. Adopt server-side protection measures as well.