Clickjacking is the name of a web security vulnerability that MANY websites suffer from. It can also lead to quite serious consequences.
Because of this, it’s often rewarded highly in bug bounty programs. Just have a look at this Twitter vulnerability reported on HackerOne, for example.
So what is clickjacking?
Clickjacking is a type of attack where a hacker tricks a user into clicking on something (a button or link) on another page when they were intending to click on the current page.
If you want to know more about this in detail, you can read what OWASP writes about it.
Let’s go through an example of how this could work. A hacker could lead a user to evilsite.com, where goodsite.com is added as a hidden iframe. If the user is logged in to GoodSite, the hacker could make the user perform (unwanted) actions on GoodSite without the user knowing about it. It could be any type of action, such as deleting an account.
You can easily test if a site is vulnerable to clickjacking. What you need to do is this:
- Log into a site (for example Facebook)
- Create a simple HTML page with an iframe where the source is the URL of the site
- Open the HTML page in your browser
- If the page shows an error, the site blocks clickjacking attacks. If you see a logged-in view, the site is vulnerable to clickjacking.
Example HTML to test a site for clickjacking vulnerability
```html
<html>
  <head>
    <title>Clickjacking test</title>
  </head>
  <body>
    <p>This site is vulnerable to clickjacking if no error is shown below</p>
    <!-- If the site sends X-Frame-Options or a CSP frame-ancestors
         directive, the browser refuses to render it in this frame. -->
    <iframe height="500" src="https://www.facebook.com/"></iframe>
  </body>
</html>
```
If you try the above in a browser, you will see an error – meaning Facebook has protected itself from this type of attack. However, many other companies don’t.
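The browser test above shows the result visually; the reason a site passes it is that it sends an X-Frame-Options header or a Content-Security-Policy with a frame-ancestors directive. The script below is an added example (not from the original post) that classifies a response's headers the way a browser would, and also returns the headers a site should send to protect itself. It works on a plain dict of headers so it runs offline; the sample responses are constructed, not captured from any real site.

```python
"""Audit a response's anti-framing headers (X-Frame-Options / CSP frame-ancestors).

Added example, not from the original post. In practice you would feed
framing_status() the headers of a real HTTP response, e.g. from
`requests.head(url, allow_redirects=True).headers`.
"""
from typing import Mapping, Optional

# X-Frame-Options values that actually block third-party framing.
# ALLOW-FROM is obsolete and ignored by modern browsers, so it gives no protection.
_XFO_PROTECTIVE = {"deny", "sameorigin"}


def csp_frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def framing_status(headers: Mapping[str, str]) -> str:
    """Classify a response as 'protected', 'restricted' or 'frameable'.

    protected  - no other origin may frame the page
    restricted - only an allow-list of other origins may frame it (CSP)
    frameable  - nothing stops an arbitrary page from framing it
    """
    # Header names are case-insensitive; normalise once.
    lower = {k.lower(): v for k, v in headers.items()}

    # Browsers that understand CSP frame-ancestors let it override X-Frame-Options.
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            sources = {s.strip("'").lower() for s in ancestors.split()}
            if sources <= {"none", "self"}:  # only 'none' and/or 'self'
                return "protected"
            if "*" in sources:
                return "frameable"
            return "restricted"

    xfo = lower.get("x-frame-options")
    if xfo is not None and xfo.strip().lower() in _XFO_PROTECTIVE:
        return "protected"
    return "frameable"


def protective_headers() -> dict:
    """Headers a site should send so that no other origin can frame it."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",  # legacy fallback for browsers without CSP support
    }


# Constructed sample responses (hypothetical; not taken from any real site).
SAMPLES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "csp-wildcard": {"content-security-policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:15} -> {framing_status(hdrs)}")
    print("recommended    ->", framing_status(protective_headers()))
```

Note that a Content-Security-Policy-Report-Only header is deliberately not consulted: it only reports violations and does not stop framing, so a site relying on it alone is still frameable.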
If you want to earn some money, this is a very simple vulnerability to find which could earn you a bug bounty.
That’s all folks!
// Yours truly @ CoderCatch