Notes and summaries of key browser security topics and vulnerabilities.
Clickjacking attacks lure a web user into interacting with malicious code while thinking they are using something different. The exploit can work in two directions:
- present a fake button/UI, but when the user clicks on it, they are in fact interacting with an underlying victim site
- present a real web page, overlaid with something fake that appears to be part of the real site (like a fake login popup)
Browsers (currently) do not prevent embedding by default. Victim sites must take active measures to prevent their site being used in this way. Two primary mechanisms:
- set the X-Frame-Options header, which instructs the browser to refuse to embed the site
Sites that have historically been valuable targets of this type of attack (like Facebook, Twitter, Google etc.) have all the defences in place.
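To check whether a response actually carries an anti-framing defence, the following added example (not part of the original notes) classifies its headers. Besides X-Frame-Options it also reads the Content-Security-Policy `frame-ancestors` directive, which these notes do not name; the function names and sample hosts are hypothetical.

```javascript
// Added example, not from the original notes.
// `headers` uses lower-cased names, the shape Node's http module exposes.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'] || '';
  // A CSP value is a ';'-separated list of "directive source source ...".
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    // Browsers that support frame-ancestors enforce it and ignore
    // X-Frame-Options, so this branch decides the result on its own.
    const list = sources.map((s) => s.toLowerCase());
    if (list.length === 0 || (list.length === 1 && list[0] === "'none'")) return 'deny';
    if (list.includes('*')) return 'unprotected';
    if (list.length === 1 && list[0] === "'self'") return 'same-origin';
    return 'allowlist';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Header missing, or a value treated here as no protection
  // (such as the obsolete ALLOW-FROM, which modern browsers do not act on).
  return 'unprotected';
}

// Constructed sample responses; hosts are placeholders.
const samples = {
  noHeaders: {},
  xfoDeny: { 'x-frame-options': 'deny' },
  xfoAllowFrom: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  cspOverridesXfo: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'self'",
    'x-frame-options': 'DENY',
  },
  cspAllowlist: { 'content-security-policy': 'frame-ancestors https://partner.example' },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *' },
};

// Map each labelled response to its framing classification.
function audit(responses) {
  return Object.fromEntries(
    Object.entries(responses).map(([label, h]) => [label, framingPolicy(h)])
  );
}

console.log(audit(samples));
```

A result of `unprotected` means any page can embed the response in a frame, which is the precondition for both attack directions described above.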