CAPEC-103: Clickjacking

Description
An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.
Extended Description

While being logged in to some target system, the victim visits the adversary's malicious site which displays a UI that the victim wishes to interact with. In reality, the clickjacked page has a transparent layer above the visible UI with action controls that the adversary wishes the victim to execute. The victim clicks on buttons or other UI elements they see on the page which actually triggers the action controls in the transparent overlaying layer. Depending on what that action control is, the adversary may have just tricked the victim into executing some potentially privileged (and most certainly undesired) functionality in the target system to which the victim is authenticated. The basic problem here is that there is a dichotomy between what the victim thinks they are clicking on versus what they are actually clicking on.

Severity :

High

Possibility :

Medium

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-173: Action Spoofing Action Spoofing CAPEC-181: Flash File Overlay Flash File Overlay CAPEC-222: iFrame Overlay iFrame Overlay CAPEC-587: Cross Frame Scripting (XFS) Cross Frame Scripting (XFS)
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The victim is communicating with the target application via a web based UI and not a thick client
  • The victim's browser security policies allow at least one of the following JavaScript, Flash, iFrames, ActiveX, or CSS.
  • The victim uses a modern browser that supports UI elements like clickable buttons (i.e. not using an old text only browser)
  • The victim has an active session with the target system.
  • The target system's interaction window is open in the victim's browser and supports the ability for initiating sensitive actions on behalf of the user in the target system
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • High Crafting the proper malicious site and luring the victim to this site are not trivial tasks.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

OWASP Attacks | Clickjacking
Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

Visit http://capec.mitre.org/ for more details.