Clickjacking or, more formally, user interface redressing, is a class of security vulnerabilities similar to phishing scams. The technique uses web standards to trick unsuspecting victims into performing actions they were not intending to.
Clickjacking does not rely on bugs in any software. Instead, the technique is simply an abuse of the growing graphical capabilities that advanced web standards like CSS provide to web browsers. A good introduction to clickjacking is provided by Steve Gibson and Leo Laporte on their Security Now! podcast.
As far as I’m aware, only Firefox when combined with the NoScript add-on and Internet Explorer when combined with the GuardedID product provide any measure of protection against clickjacking attacks. To date no other browser can detect, alert, or otherwise help you to avoid or mitigate the risks of clickjacking attacks.
That said, there’s gotta be something users of other browsers can do. Well, it may not be as much as what NoScript can do, but there is something: use a user style sheet to help expose common clickjacking attack attempts.
clickjane.css helps detect clickjacking attacks for all browsers
Until browser manufacturers provide built-in protections against clickjacking attacks in their software (which is arguably the best place for such logic in the first place), I’ve started putting together a user style sheet I’m calling clickjane.css that attempts to instantly reveal common clickjacking attempts. Since it’s a CSS user style sheet, this approach should be cross-browser compatible, so that users of any browser, including Safari, Opera, and other browsers that don’t have other means of protecting against clickjacking attacks, can use it.
I’ve only recently learned about this class of exploits and so I’m not supremely well-informed on the topic. As a result, the clickjane.css file is relatively sparse and currently only reveals what I’m sure is a small set of clickjacking attempts. However, as I research the topic further and learn more about the actual underlying HTML and CSS that clickjacking uses, I’ll be updating the clickjane.css code to reveal those attempts as well.
Naturally, contributions and assistance in any form are most welcome! Learn more about clickjane.css as well as how to use it at the Clickjane CSS Github wiki.
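To make the idea concrete, here is a small user style sheet of the same kind, written for this post as an added illustration; it is not the clickjane.css code itself, and it assumes a browser that applies user styles with !important precedence over the page’s own styles (for example Firefox’s userContent.css or Opera’s “My Style Sheet”). The ingredients it targets are the ones common to clickjacking pages: a frame of the victim site that the attacker has made transparent, and a positioned element stacked over a decoy link.

```css
/* Added example of a clickjacking-revealing user style sheet.
   Not the clickjane.css project's own code; assumes the browser lets
   user-style !important rules override page styles. */

/* 1. Force every frame to be opaque and draw a loud border around it.
      An iframe the attacker set to opacity:0 so that a third-party
      "Delete account" or "Follow" button sits invisibly under the
      mouse can no longer hide. */
iframe, frame, object, embed {
  opacity: 1 !important;
  filter: none !important;            /* legacy IE alpha filter */
  visibility: visible !important;
  outline: 4px dashed red !important;
  outline-offset: -4px !important;
}

/* 2. Tint any frame that carries inline positioning or stacking
      rules, since a tiny iframe pinned over a decoy element with
      position/z-index in its style attribute is the classic setup.
      (Attribute selectors only see inline styles, not stylesheet
      rules, so this is a heuristic rather than a guarantee.) */
iframe[style*="position"],
iframe[style*="z-index"] {
  background: rgba(255, 0, 0, 0.25) !important;
}

/* 3. Make a frame that is clipped down to a few pixels, or pushed
      off to the edge of the viewport, at least a readable size so
      the border from rule 1 is actually visible. */
iframe[width="1"], iframe[height="1"],
iframe[style*="width: 0"], iframe[style*="height: 0"] {
  min-width: 120px !important;
  min-height: 40px !important;
}
```

The limits of this approach are worth knowing. Rule 1 only fixes opacity on the frame itself; an attacker who wraps the iframe in a div and sets opacity:0 on the wrapper still hides it, and a user style cannot select an element by its parent. Widening rule 1 to every element would defeat that trick but also break legitimate fade effects on many sites. That trade-off is exactly why a style-sheet approach can only reveal a subset of attempts, and why a browser-level control remains the better long-term fix.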
Before and after
Here are two example screenshots of a benign clickjacking demo.
Good habits you should get into to mitigate clickjacking risks
Here is a list of behaviors that you should make habitual while you browse the web. Engaging in these behaviors can dramatically reduce the likelihood that you will be victimized by a clickjacking attack.
- Explicitly log out of any service you have logged in to when you are done. That log-out button is there for a reason: use it!
- Avoid providing your browser with “Auto-Complete” information for critical sites, such as your bank.
- Make sure you are running Flash Player 10 or greater, which mitigates this vulnerability for Adobe Flash content.
More resources to learn about clickjacking
- Hackademix.net – More clickjacking links to the OWASP presentation, the white paper, and a blog post showing several CSS-based exploits.