Clickjacking is the malicious technique of tricking a user into clicking on something different than what the user intends to click on. This can result in confidential information being revealed or taking control of the user’s browser. Embedded code or scripts can execute without a user’s knowledge by clicking on a button that appears to perform another function. Examples of these exploits include the following:
- Tricking users into making a social media profile public.
- Following someone on Twitter/Sharing links on Facebook.
- Purchasing products from websites.
Cross-Site Request Forgery
A cross-site request forgery is a malicious exploit where unauthorized commands are transmitted from a user that the website trusts. The attack works by including a link or script in a page that accesses a site to which the user is known to have been authenticated. The following characteristics are common to cross-site request forgeries:
- It involves sites that rely on a user’s identity.
- It exploits the site’s trust in that identity.
- It tricks the user’s browser into sending HTTP requests to a target site.
- It involves HTTP request that have side effects.
The Confused Deputy Problem
A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. These types of attacks can be classified at privilege escalation attacks. Both clickjacking and cross-site request forgeries are examples of the a confused deputy problem. In cross-site request forgeries, the user’s web browser acts as the confused deputy, where as in clickjacking, the user is the confused deputy. Another example of this type of attack is an FTP bounced attack, which can allow an attacker to indirectly connect to TCP ports that the attack’s machine has no access to. In this example, the remote FTP server is the confused deputy.
The Main Difference
The major difference between these two very similar attacks is who the deputy is. In cross-site request forgeries, the web browser is doing things on the user’s behalf. An example would be the browser loading every image on a malicious website and one of those images being an “action” rather than an image. The user didn’t do anything except for load the page, and the browser loads the images. With clickjacking, the user is actively interacting with something on the webpage. There is an extra layer between the user and the desired action, and the user is tricked into executing whatever the extra layer entails.