Clickjacking

What is clickjacking and what can you do to prevent it?

Recently, I’ve been spending more time at home trying to kick back and relax. I confess that I’m usually hardwired to get back home after work, clean up, get some food, and sit back down in front of my laptop and pick up where I left off at work. These days though, I come back and try to spend more downtime and catch up on a few TV shows I’ve neglected.

While I’m not going to divulge which shows I’ve been watching, finding shows that aren’t on Netflix is quite tedious! A few days ago, I opened up a site I watch shows on and was absolutely frustrated because of the millions of popups and advertisements I have to avoid clicking. 

On that particular day, I clicked the play button on the video but was taken to a payment authentication page, where my name was already filled out on the form. Given my line of work, I knew exactly what was happening but was stunned, nonetheless. 

Working in cybersecurity, I see things like this often; you just never expect them to happen to you. The ruse of having a user click a seemingly harmless site element, like a social share button or a video's play button, while the click actually lands on an invisible element from another page, one the attacker has layered under the decoy in a transparent frame, is known as clickjacking (or UI redressing).

While there are many different types of clickjacking attacks, this is the gist of it.

Clickjacking is common today. Because the framed page is invisible to the user and the decoy looks legitimate, these attacks are hard to detect, and they are especially dangerous when the hidden page is one the victim is already signed in to, such as a corporate application open on an office device, because the browser sends that session's cookies along with the hijacked click.

Given that clickjacking can chase customers, clients and leads away from your site and turn their trust in your pages against them, preventing your pages from being clickjacked is crucial. Here are some of the most common strategies to prevent clickjacking.

ROLLING OUT EFFECTIVE FRAME-BUSTING AND FRAME-BREAKING

Clickjacking attacks rely on framing the target page: the attacker embeds your page in an iframe on a site they control and layers a decoy over it. Suitable safeguards therefore come down to working with your developers to ensure that your pages cannot be framed by sites you have not approved.

Nowadays, HTTP response headers (X-Frame-Options and the Content Security Policy frame-ancestors directive, both covered below) are the primary way to specify your framing policy, because the browser enforces them before the page is rendered. As defence in depth for older browsers, it is also recommended that you hide the entire body of your HTML document with a style rule and reveal it only after a script has verified that the page is not framed; if it is framed, the script tries to navigate the top window to your page. Do not rely on that script alone: an attacker's iframe sandbox attribute can block top-level navigation or stop the script running at all, in which case the body simply stays hidden, which is safe but not a substitute for the headers.
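The hide-then-verify pattern just described, written out as an added example (this is my illustration of the OWASP-style frame-busting snippet, not code from the original article or from Triskele Labs). The element id antiClickjack and the window and document objects passed in are assumptions made so the decision logic can be exercised outside a browser:

```javascript
// Added example, not from the original article: the legacy JavaScript
// frame-busting pattern recommended by OWASP, with the decision logic pulled
// into functions so it can be exercised outside a browser. The page starts out
// hidden and is revealed only once the script confirms it is the top window.
//
// Markup assumed in <head> (the element id "antiClickjack" is our choice):
//   <style id="antiClickjack">body { display: none !important; }</style>

// True when `win` is rendered inside another frame. Comparing `self` with
// `top` by identity never crosses an origin boundary, unlike reading
// `top.location`, which throws for cross-origin ancestors.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    return true; // fail closed: if the check itself breaks, assume framed
  }
}

// Apply the policy and report what happened ("revealed" or "busted").
function applyFrameBustingPolicy(win, doc) {
  if (!isFramed(win)) {
    // Top-level: drop the hiding style so the body renders.
    const hide = doc.getElementById("antiClickjack");
    if (hide && hide.parentNode) hide.parentNode.removeChild(hide);
    return "revealed";
  }
  // Framed: try to replace the attacker's top window with this page.
  // A hostile <iframe sandbox="allow-scripts allow-forms"> denies this
  // navigation, and a sandbox without allow-scripts stops the script running
  // at all; in both cases the body stays hidden, so there is nothing to
  // click, but the page is not usable either. That is why the HTTP headers
  // the article goes on to describe are the primary control and this is a
  // fallback for browsers that do not honour them.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // Navigation refused; leave the body hidden.
  }
  return "busted";
}

// Browser entry point; a no-op when loaded outside a browser (e.g. in tests).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameBustingPolicy(window, document);
}
```

Place the style element before the script and both inside head, so the body is hidden from the first paint; if the script is placed later, there is a window in which the page is visible and clickable before the check runs.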

LEVERAGING X-FRAME-OPTIONS

X-Frame-Options is an HTTP response header that is quite useful when it comes to preventing clickjacking. It tells the browser whether your page may be rendered inside a <frame>, <iframe>, <embed> or <object>, and so stops cybercriminals from loading your page into a frame on their site. Two values are supported: DENY, which forbids all framing, and SAMEORIGIN, which allows framing only by pages from the same origin. The older ALLOW-FROM value is obsolete; modern browsers ignore the whole header when they see it, which leaves the page unprotected, so check for it when auditing legacy configurations.

The decoy the attacker lays over your framed page might look like a social media share button, a video or audio player, an advertisement, or another element you are likely to click.

LOOKING INTO CSP HTTP HEADERS

Content Security Policy (CSP) is a browser-enforced HTTP response header that helps detect and mitigate certain types of threats, such as data injection attacks and cross-site scripting, whose consequences include malware installation, site defacement and data theft.

A CSP header lists the sources from which the page is allowed to load scripts, styles and other resources, which limits what injected content can do. Its frame-ancestors directive specifies which sources are allowed to embed the page in a frame: 'none' blocks all framing, 'self' allows only the same origin, and named origins such as https://partner.example can be added for legitimate integrations, something X-Frame-Options cannot express. Where a browser sees both headers, frame-ancestors takes precedence over X-Frame-Options, so sending both covers old and new browsers. Note that frame-ancestors is only honoured in the HTTP header, not in a <meta> tag. While this involves a slightly more complex process, CSP headers are the most flexible way of preventing clickjacking.
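To make the X-Frame-Options and frame-ancestors rules above concrete, here is an added example (my code, not the article's or Triskele Labs') that decides, the way a browser does, whether a given origin may frame a page based on its response headers, and builds the header pair a server should send. It applies the precedence rule from the text (frame-ancestors wins over X-Frame-Options) and treats the obsolete ALLOW-FROM value as no protection. The origins and header values are constructed for illustration:

```javascript
// Added example, not from the original article: evaluate a response's
// anti-framing headers the way a browser does and build the headers a server
// should send. All origins and header values here are constructed for the demo.

// Case-insensitive header lookup on a plain {name: value} object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Return the source list of a CSP frame-ancestors directive, or null if the
// policy has no such directive.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression match the framing origin?
// Supports 'none', 'self', *, scheme sources (https:) and host sources with an
// optional wildcard label and port (https://*.example.com:8443).
function sourceMatches(source, framerOrigin, pageOrigin) {
  const framer = new URL(framerOrigin);
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (framer.protocol !== scheme + ":") return false;
  } else {
    // Scheme omitted: the page's own scheme matches, and https may frame http.
    const pageScheme = new URL(pageOrigin).protocol;
    const ok = framer.protocol === pageScheme ||
      (pageScheme === "http:" && framer.protocol === "https:");
    if (!ok) return false;
  }
  const hostOk = wildcard ? framer.hostname.endsWith("." + host) : framer.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const framerPort = framer.port || (framer.protocol === "https:" ? "443" : "80");
    if (framerPort !== port) return false;
  }
  return true;
}

// Decide whether a document at framerOrigin may frame the page at pageOrigin
// given the page's response headers. Returns "allowed" or "blocked".
function framingDecision(headers, pageOrigin, framerOrigin) {
  pageOrigin = new URL(pageOrigin).origin;
  framerOrigin = new URL(framerOrigin).origin;
  const ancestors = frameAncestors(header(headers, "content-security-policy"));
  if (ancestors !== null) {
    // CSP Level 2 browsers ignore X-Frame-Options when frame-ancestors is set.
    const ok = ancestors.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
    return ok ? "allowed" : "blocked";
  }
  const xfo = (header(headers, "x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return "blocked";
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin ? "allowed" : "blocked";
  // No header, or an obsolete value such as ALLOW-FROM: modern browsers ignore
  // it, so framing is unrestricted. This is the weak setting to look for.
  return "allowed";
}

// Build the header pair a server should emit for an allow-list of
// frame-ancestors sources. X-Frame-Options cannot express a partner list, so
// it degrades to SAMEORIGIN, the closest it can get, when partners are listed.
function antiFramingHeaders(allowed) {
  const list = allowed.length ? allowed : ["'none'"];
  const xfo = list.length === 1 && list[0] === "'none'" ? "DENY" : "SAMEORIGIN";
  return {
    "Content-Security-Policy": "frame-ancestors " + list.join(" "),
    "X-Frame-Options": xfo,
  };
}

// Constructed sample: a page that lets itself and one partner frame it.
function auditExample() {
  const headers = antiFramingHeaders(["'self'", "https://partner.example"]);
  const page = "https://victim.example";
  return {
    self: framingDecision(headers, page, "https://victim.example"),
    partner: framingDecision(headers, page, "https://partner.example"),
    attacker: framingDecision(headers, page, "https://attacker.example"),
  };
}
```

Run framingDecision against headers captured from your own pages (curl -I is enough) with the attacker origin set to anything you do not control; an "allowed" result there is the misconfiguration to fix.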

PREVENT CLICKJACKING AND IMPROVE THE SECURITY OF YOUR WEBSITES

Clickjacking has become a major concern for businesses in recent years as they grapple with the prospect of cybercriminals turning their own pages against their users. While the headers and scripts above are well established, deploying them on every page, and verifying that the headers actually reach the browser, is crucial to keeping your sites clean.

If you need support executing the right strategy to prevent clickjacking, speak to Triskele Lab’s team of specialists about our cybersecurity consulting services.