Input Validation / Potential Clickjacking (UI Redressing)

Description

Clickjacking (UI Redressing) is a type of attack that occurs when an attacker uses multiple transparent or opaque layers to deceive a user into clicking on a button or link on another page when they were expecting to click on the top level page. This attack can be used to perform any action the user can do on the attacked page. This attack is described as CWE-1021: Improper Restriction of Rendered UI Layers or Frames. The OWASP project describes this vulnerability and mitigations, and the Web Security Testing Guide (OWASP WSTG) instructs how to test for it.

Risk

Clickjacking can be used to perform unauthorized actions, such as deleting data, transferring funds, or changing settings. The risk of this vulnerability is high, and it can be used to compromise the confidentiality, integrity, and availability of data.

Solution

To protect against clickjacking the following mitigation options are available. A more comprehensive overview is given by the OWASP Clickjacking Defense Cheat Sheet.

• Using a proper Content Security Policy with the frame-ancestors directive to prevent the inclusion of the site in frames hosted on other sites. Additionally, the X-Frame-Options header should be specified for compatibility with older browsers
• Authentication Cookies should have the SameSite attribute set to lax or strict.
• JavaScript code may be employed to prevent the site from being loaded in a frame.