Explained: Gesturejacking and Clickjacking
Swapan
Posted on April 4, 2024
Gesturejacking vs Clickjacking:
In both attacks the attacker tricks the user into performing an action they did not intend. Here's a breakdown of the two:
- Gesturejacking: Abuses a key the user is already holding down (usually Enter or Space) to activate a button on a target site that the attacker opens in a new window.
- Clickjacking: Uses invisible overlays or transparent frames so that the user's clicks land on a legitimate website.
Clickjacking Explained:
Clickjacking, also referred to as a UI redress attack or user interface (UI) overlay attack, is a technique in which an attacker leads a user into interacting with a concealed element on a web page. Typically the attacker's page loads the target site in a transparent iframe positioned over a decoy button, or places the target's control where the user will not notice it. As a result, users perform actions they did not intend, such as granting permissions, confirming a transaction, or disclosing sensitive information. Because the attack depends on framing, the target site's main defence is to refuse to be framed, using the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive.
Gesturejacking (Cross-Window Forgery) Explained:
Gesturejacking does not rely on a hidden frame. The attacker's page asks the user to press and hold a key (typically Enter), then opens the target site in a new window with a URL fragment that names the id of a sensitive button. Browsers move focus to the element named by the fragment, and the key the user is still holding auto-repeats into that focused button, activating it. Because the target is opened as a top-level window rather than framed, anti-framing headers do not stop it.
Here's an example of a gesture jacking attacker page in HTML (the target URL and button id are placeholders):
<!DOCTYPE html>
<html>
<head>
<title>Safe Website (Appears Safe)</title>
</head>
<body>
<p>Press and hold Enter to continue!</p>
<script>
// While Enter is held, open the target site in a new window. The fragment names the
// id of a sensitive button; the browser focuses it and the held key activates it.
var opened = false;
document.addEventListener("keydown", function (e) {
  if (e.key === "Enter" && !opened) {
    opened = true; // open only once; keydown repeats while the key is held
    window.open("https://target.example/settings#delete-account"); // placeholder URL and id
  }
});
</script>
</body>
</html>
Prevention Tips:
- Update your browser regularly: Keeping your web browser up to date is a key safeguard against evolving threats like gesture jacking and clickjacking, since browser vendors ship fixes for the focus and activation behaviour these attacks abuse.
- Be cautious of unusual website behavior: Verify the website you intend to visit and stay alert for suspicious behaviour. A page that asks you to press and hold a key, or that opens a new window while you are doing so, is a warning sign; treat unexpected prompts, urgent requests, or unfamiliar actions as reasons to stop and check the site's legitimacy before proceeding.
- Consider anti-clickjacking extensions: Installing reputable browser extensions designed to detect and block clickjacking attempts adds an extra layer of protection on the client side.
- Refuse to be framed (for site owners): Input validation with HTML5 input types, pattern attributes and regular expressions guards against malformed data, but it does nothing against clickjacking or gesture jacking, which deliver well-formed requests through the victim's own authenticated session. The server-side control for clickjacking is to send an X-Frame-Options: DENY (or SAMEORIGIN) header, or the equivalent Content-Security-Policy: frame-ancestors directive, on every response that renders sensitive controls.
Mitigating Gesture Jacking in HTML/JavaScript:
Gesture jacking cannot be blocked outright from the target site's HTML/JavaScript, but you can remove the conditions it depends on. Start by getting the clickjacking defence right, then address the gesture-specific conditions:
- Send anti-framing headers (clickjacking): If you control the server-side code, send a Content Security Policy that forbids other sites from framing your pages. For example, in PHP:
header("Content-Security-Policy: frame-ancestors 'none'");
This header stops your page from being loaded inside an iframe on another origin, which defeats clickjacking. It has no effect on keystrokes, and it does not stop gesture jacking, because that attack opens your site as a top-level window rather than inside a frame.
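Whether a response actually carries that protection is easy to audit. The following is an added example, not code from the original post or from PortSwigger/OWASP: a Node script that reads a response's headers (the SAMPLES are constructed, not captured from any real site) and reports whether the page can be framed, following the precedence browsers apply (frame-ancestors overrides X-Frame-Options; a report-only policy and the obsolete ALLOW-FROM value give no protection).

```javascript
// Added example (not from the original post): decide from a response's headers
// whether a page can be framed, i.e. whether it is protected against
// clickjacking. The header sets in SAMPLES are constructed, not captured from
// any real site.

// Pull the frame-ancestors source list out of a CSP value, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// headers: object of header name -> string or array of strings (repeated headers).
// Returns { framable: 'none' | 'same-origin' | 'restricted' | 'any', by, detail }.
function assessFramingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = [].concat(value);
  }
  // Content-Security-Policy-Report-Only is deliberately ignored: it reports
  // violations but enforces nothing, so it offers no clickjacking protection.
  const csp = h['content-security-policy'] || [];
  const xfo = h['x-frame-options'] || [];

  // frame-ancestors wins: when it is present, browsers ignore X-Frame-Options.
  for (const policy of csp) {
    const sources = parseFrameAncestors(policy);
    if (sources === null) continue;
    if (sources.includes("'none'")) {
      return { framable: 'none', by: 'frame-ancestors', detail: "'none'" };
    }
    if (sources.includes('*')) {
      return { framable: 'any', by: 'frame-ancestors', detail: '*' };
    }
    if (sources.length === 1 && sources[0] === "'self'") {
      return { framable: 'same-origin', by: 'frame-ancestors', detail: "'self'" };
    }
    return { framable: 'restricted', by: 'frame-ancestors', detail: sources.join(' ') };
  }

  if (xfo.length > 0) {
    const value = xfo[0].trim().toUpperCase();
    if (value === 'DENY') return { framable: 'none', by: 'x-frame-options', detail: 'DENY' };
    if (value === 'SAMEORIGIN') return { framable: 'same-origin', by: 'x-frame-options', detail: 'SAMEORIGIN' };
    // ALLOW-FROM and misspellings are not understood by current browsers, so the page is unprotected.
    return { framable: 'any', by: 'x-frame-options', detail: `${value} (not honoured by current browsers)` };
  }
  return { framable: 'any', by: null, detail: 'no framing policy sent' };
}

// Constructed sample responses (not real sites).
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  legacy: { 'X-Frame-Options': 'SAMEORIGIN' },
  modern: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  partner: { 'X-Frame-Options': 'DENY', 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  obsolete: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = assessFramingProtection(headers);
  console.log(`${name.padEnd(11)} framable=${r.framable.padEnd(11)} via ${r.by || '-'}: ${r.detail}`);
}
```

Run it with `node` on its own; to check a live site, feed it the headers from `curl -sI https://your.site/`. Note the `partner` sample: the DENY header is ignored because frame-ancestors is present, which is exactly why the two should never disagree.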
In HTML, the sandbox attribute restricts what embedded content can do:
<iframe src="https://example.com" sandbox="allow-scripts"></iframe>
With sandbox="allow-scripts" the framed document may run scripts, but because allow-forms, allow-popups and allow-top-navigation are not granted it cannot submit forms, open new windows, or navigate your page. This protects a page that embeds untrusted content; it does not restrict key events, and it is not a defence for the site that gesture jacking targets.
- Use Content Security Policy (CSP): A Content Security Policy specifies which resources (scripts, stylesheets, fonts, frames) may be loaded or executed on your page. Blocking inline scripts and eval() reduces the impact of injected scripts in general, but it does not mitigate gesture jacking: the malicious script runs on the attacker's page, not yours. The policy below is delivered in a meta tag, which works for script-src but not for frame-ancestors, which browsers only honour when it arrives as an HTTP header.
<meta http-equiv="Content-Security-Policy" content="script-src 'self';">
For gesture jacking specifically, the target-site defences are to avoid giving sensitive buttons predictable ids that a URL fragment can focus, to require a deliberate key press rather than a held one (ignore keydown events whose repeat property is true), and to put a confirmation step in front of destructive actions.
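For the target site, the practical gesture-jacking defence is to remove the two conditions the attack needs: a fragment-focusable sensitive button, and a key that is already held when the window opens. The following is an added example, not code from the original post or from PortSwigger/OWASP. The element ids, the 500 ms settle time and the event shapes are assumptions; the checks are pure functions so they run under Node, and the browser wiring at the end only executes when a DOM is present.

```javascript
// Added example, not from the original post: defences applied on the TARGET
// site against gesture jacking. The attack needs (1) a URL fragment that makes
// the browser focus a sensitive button and (2) a key the user is already
// holding when the window opens, so auto-repeat keydown events activate it.
// The element ids and the 500 ms settle time are assumptions for the example.

const SENSITIVE_IDS = new Set(['delete-account', 'confirm-transfer', 'grant-access']);
const ACTIVATION_KEYS = new Set(['Enter', ' ']);
const SETTLE_MS = 500; // ignore activation keys this soon after the window gained focus

// Returns the sensitive id named by a URL fragment such as '#delete-account', else null.
function fragmentTargetsSensitiveControl(hash, sensitiveIds = SENSITIVE_IDS) {
  const id = decodeURIComponent((hash || '').replace(/^#/, ''));
  return sensitiveIds.has(id) ? id : null;
}

// Stateful guard: the action fires on keyup only if the activation key was
// pressed fresh (keydown with repeat === false) at least SETTLE_MS after the
// window last gained focus. A key held before the window opened only ever
// produces repeats (or arrives inside the settle window), so it never arms;
// a press held long enough to auto-repeat is also rejected.
function createActivationGuard(now = () => Date.now()) {
  let focusedAt = now();
  let armed = false;
  return {
    onFocus() { focusedAt = now(); armed = false; },
    onKeyDown(ev) {
      if (!ACTIVATION_KEYS.has(ev.key)) return;
      armed = !ev.repeat && now() - focusedAt >= SETTLE_MS;
    },
    onKeyUp(ev) {
      if (!ACTIVATION_KEYS.has(ev.key)) return false;
      const fire = armed;
      armed = false;
      return fire; // true: perform the sensitive action
    },
  };
}

// Browser wiring (skipped under Node, where there is no document).
if (typeof document !== 'undefined') {
  const defuseFragment = () => {
    const targeted = fragmentTargetsSensitiveControl(window.location.hash);
    if (!targeted) return;
    // Drop the fragment so the browser stops treating the button as the target,
    // and take focus off it if it already landed there.
    history.replaceState(null, '', window.location.pathname + window.location.search);
    const el = document.getElementById(targeted);
    if (el && document.activeElement === el) el.blur();
  };
  defuseFragment();
  window.addEventListener('load', defuseFragment); // fragment focus can happen late in load

  const guard = createActivationGuard();
  window.addEventListener('focus', () => guard.onFocus());
  for (const id of SENSITIVE_IDS) {
    const button = document.getElementById(id);
    if (!button) continue;
    // Suppress the browser's own Enter/Space activation and route it through the guard.
    button.addEventListener('keydown', (ev) => {
      if (ACTIVATION_KEYS.has(ev.key)) ev.preventDefault();
      guard.onKeyDown(ev);
    });
    button.addEventListener('keyup', (ev) => {
      if (ACTIVATION_KEYS.has(ev.key)) ev.preventDefault();
      if (guard.onKeyUp(ev)) button.click();
    });
  }
}
```

Mouse clicks are untouched, so ordinary use is unaffected; only keyboard activation of the listed buttons goes through the guard. A server-side confirmation step for destructive actions remains the backstop if a browser delivers events in an order this guard does not anticipate.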
Conclusion and References:
By staying updated, being cautious online, refusing to let your pages be framed, and making sensitive controls require a deliberate key press rather than a held one, one can significantly reduce the risk of falling victim to gesture jacking and clickjacking.
Please feel free to add to this or suggest improvements.
References:
- Gesture Jacking Explained (PortSwigger)
- Clickjacking Defense Cheat Sheet (OWASP)