COMMON ATTACK PATTERN ENUMERATION AND CLASSIFICATION

A Community Resource for Identifying and Understanding Attacks



Home > CAPEC List > CAPEC-103: Clickjacking (Version 3.9)  

CAPEC-103: CLICKJACKING

Attack Pattern ID: 103
Abstraction: Standard

Description
An adversary tricks a victim into unknowingly initiating some action in one
system while interacting with the UI of a seemingly completely different system,
usually one controlled or chosen by the adversary.
Extended Description

While being logged in to some target system, the victim visits the adversary's
malicious site which displays a UI that the victim wishes to interact with. In
reality, the clickjacked page has a transparent layer above the visible UI with
action controls that the adversary wishes the victim to execute. The victim
clicks on buttons or other UI elements they see on the page which actually
triggers the action controls in the transparent overlaying layer. Depending on
what that action control is, the adversary may have just tricked the victim into
executing some potentially privileged (and most certainly undesired)
functionality in the target system to which the victim is authenticated. The
basic problem here is that there is a dichotomy between what the victim thinks
they are clicking on versus what they are actually clicking on.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships
This table shows the other attack patterns and high level categories that are
related to this attack pattern. These relationships are defined as ChildOf and
ParentOf, and give insight to similar items that may exist at higher and lower
levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and
CanAlsoBe are defined to show similar attack patterns that the user may want to
explore.

Nature    Type                     ID   Name
ChildOf   Meta Attack Pattern      173  Action Spoofing
ParentOf  Detailed Attack Pattern  181  Flash File Overlay
ParentOf  Detailed Attack Pattern  222  iFrame Overlay
ParentOf  Detailed Attack Pattern  587  Cross Frame Scripting (XFS)

Meta Attack Pattern: A meta level attack pattern in CAPEC is a decidedly
abstract characterization of a specific methodology or technique used in an
attack. A meta attack pattern is often void of a specific technology or
implementation and is meant to provide an understanding of a high level
approach. A meta level attack pattern is a generalization of a related group of
standard level attack patterns. Meta level attack patterns are particularly
useful for architecture and design level threat modeling exercises.

Detailed Attack Pattern: A detailed level attack pattern in CAPEC provides a low
level of detail, typically leveraging a specific technique and targeting a
specific technology, and expresses a complete execution flow. Detailed attack
patterns are more specific than meta attack patterns and standard attack
patterns and often require a specific protection mechanism to mitigate actual
attacks. A detailed level attack pattern often will leverage a number of
different standard level attack patterns chained together to accomplish a goal.

This table shows the views that this attack pattern belongs to and top level
categories within that view.

View Name             Top Level Categories
Domains of Attack     Software, Social Engineering
Mechanisms of Attack  Engage in Deceptive Interactions

Execution Flow
Experiment

 1. Craft a clickjacking page: The adversary utilizes web page layering
    techniques to try to craft a malicious clickjacking page.

    Techniques:
     * The adversary leveraged iframe overlay capabilities to craft a malicious
       clickjacking page.
     * The adversary leveraged Flash file overlay capabilities to craft a
       malicious clickjacking page.
     * The adversary leveraged Silverlight overlay capabilities to craft a
       malicious clickjacking page.
     * The adversary leveraged cross-frame scripting to craft a malicious
       clickjacking page.

Exploit

 1. Adversary lures victim to clickjacking page: Adversary utilizes some form of
    temptation, misdirection or coercion to lure the victim to loading and
    interacting with the clickjacking page in a way that increases the chances
    that the victim will click in the right areas.
    
    Techniques:
     * Lure the victim to the malicious site by sending the victim an e-mail
       with a URL to the site.
     * Lure the victim to the malicious site by manipulating URLs on a site
       trusted by the victim.
     * Lure the victim to the malicious site through a cross-site scripting
       attack.

 2. Trick victim into interacting with the clickjacking page in the desired
    manner: The adversary tricks the victim into clicking on the areas of the UI
    which contain the hidden action controls and thereby interacts with the
    target system maliciously with the victim's level of privilege.
    
    Techniques:
     * Hide action controls over very commonly used functionality.
     * Hide action controls over very psychologically tempting content.

Prerequisites

 * The victim is communicating with the target application via a web based UI
   and not a thick client.
 * The victim's browser security policies allow at least one of the following:
   JavaScript, Flash, iFrames, ActiveX, or CSS.
 * The victim uses a modern browser that supports UI elements like clickable
   buttons (i.e. not using an old text only browser).
 * The victim has an active session with the target system.
 * The target system's interaction window is open in the victim's browser and
   supports the ability for initiating sensitive actions on behalf of the user
   in the target system.

Skills Required
[Level: High]
Crafting the proper malicious site and luring the victim to this site are not
trivial tasks.

Resources Required

None: No specialized resources are required to execute this type of attack.

Consequences
This table specifies different individual consequences associated with the
attack pattern. The Scope identifies the security property that is violated,
while the Impact describes the negative technical impact that arises if an
adversary succeeds in their attack. The Likelihood provides information about
how likely the specific consequence is expected to be seen relative to the other
consequences in the list. For example, there may be high likelihood that a
pattern will be used to achieve a certain impact, but a low likelihood that it
will be exploited to achieve a different impact.

Scope                                           Impact                Likelihood
Confidentiality, Access Control, Authorization  Gain Privileges
Integrity                                       Modify Data
Confidentiality                                 Read Data
Availability                                    Unreliable Execution

Mitigations

 * If using the Firefox browser, use the NoScript plug-in that will help forbid
   iFrames.
 * Turn off JavaScript, Flash and disable CSS.
 * When maintaining an authenticated session with a privileged target system,
   do not use the same browser to navigate to unfamiliar sites to perform other
   activities. Finish working with the target system and log out first before
   proceeding to other tasks.
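The mitigations listed here are all on the victim's side. The weakness this
pattern depends on, CWE-1021 (Improper Restriction of Rendered UI Layers or
Frames), is closed on the server side by telling browsers not to render the
page inside a frame, via the Content-Security-Policy frame-ancestors directive
or the older X-Frame-Options header. The following check is an added example
written for this page; it is not part of the CAPEC entry. It assesses a set of
response headers and reports whether framing is restricted, including the
cases that trip people up: a Report-Only policy enforces nothing, and in
browsers that implement frame-ancestors that directive takes precedence over
X-Frame-Options, so a permissive frame-ancestors defeats X-Frame-Options: DENY.
The sample header sets at the bottom are constructed, not captured from any
site.

```python
"""Assess whether a response's headers restrict framing (defence for CWE-1021).

Added defender-side check, not part of CAPEC-103. Header semantics follow CSP
Level 3 (frame-ancestors) and RFC 7034 (X-Frame-Options).
"""
from typing import Dict, List, Optional, Tuple

# Source expressions that let any origin frame the page.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header value into {directive-name: [source tokens]}.

    Directives are ';'-separated; the first token of each is the name, the
    rest are source expressions. A repeated directive is ignored after its
    first occurrence, as the CSP spec requires.
    """
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def classify_frame_ancestors(sources: List[str]) -> Tuple[str, List[str]]:
    """Return ('restrictive' | 'permissive' | 'malformed', findings)."""
    findings: List[str] = []
    if not sources:
        return "malformed", ["frame-ancestors has an empty source list; do not rely on it"]
    if "'none'" in sources and len(sources) > 1:
        # 'none' matches nothing by itself; the other sources govern.
        findings.append("'none' listed with other sources is ineffective; the other sources apply")
    permissive = [s for s in sources if s in PERMISSIVE_SOURCES]
    if permissive:
        findings.append("frame-ancestors allows any origin via " + " ".join(permissive))
        return "permissive", findings
    return "restrictive", findings


def assess_framing_protection(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Decide whether a response is protected against being framed.

    Returns ('protected' | 'unprotected', findings). frame-ancestors takes
    precedence over X-Frame-Options where both are present.
    """
    findings: List[str] = []

    report_only = _header(headers, "Content-Security-Policy-Report-Only")
    if report_only and "frame-ancestors" in parse_csp(report_only):
        findings.append("frame-ancestors appears only in a Report-Only policy; nothing is enforced")

    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        directives = parse_csp(csp)
        if "frame-ancestors" in directives:
            kind, fa_findings = classify_frame_ancestors(directives["frame-ancestors"])
            findings.extend(fa_findings)
            if kind == "restrictive":
                return "protected", findings
            findings.append("frame-ancestors overrides X-Frame-Options; fix the directive itself")
            return "unprotected", findings
        findings.append("CSP present but has no frame-ancestors directive")

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        findings.append("no X-Frame-Options header")
        return "unprotected", findings
    value = xfo.strip().upper()
    if "," in value:
        findings.append("multiple X-Frame-Options values; browsers handle this inconsistently")
        return "unprotected", findings
    if value in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: {value} (legacy mechanism; add CSP frame-ancestors too)")
        return "protected", findings
    if value.startswith("ALLOW-FROM"):
        findings.append("ALLOW-FROM is obsolete and ignored by current browsers")
    else:
        findings.append(f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore it")
    return "unprotected", findings


# Constructed sample responses for demonstration (not captured from any real site).
SAMPLES = {
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-beats-xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "no-headers": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, notes = assess_framing_protection(hdrs)
        print(f"{name}: {verdict}")
        for note in notes:
            print("   -", note)
```

Run it as a script to see the verdict and reasons for each constructed sample,
or call assess_framing_protection() on the headers returned by an HTTP client of
your choice. The check treats a malformed frame-ancestors as unprotected on
purpose: once the directive is present, browsers may stop consulting
X-Frame-Options, so the safe advice is to repair the directive rather than
lean on the legacy header.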

Example Instances

A victim has an authenticated session with a site that provides an electronic
payment service to transfer funds between subscribing members. At the same time,
the victim receives an e-mail that appears to come from an online publication to
which they subscribe with links to today's news articles. The victim clicks on
one of these links and is taken to a page with the news story. There is a screen
with an advertisement that appears on top of the news article with the 'skip
this ad' button. Eager to read the news article, the user clicks on this button.
Nothing happens. The user clicks on the button one more time and still nothing
happens.

In reality, the victim activated a hidden action control located in a
transparent layer above the 'skip this ad' button. The ad screen blocking the
news article made it likely that the victim would click on the 'skip this ad'
button. Clicking on the button actually initiated the transfer of $1000 from
the victim's account with an electronic payment service to an adversary's
account. Clicking on the 'skip this ad' button the second time (after nothing
seemingly happened the first time) confirmed the transfer of funds to the
electronic payment service.

Related Weaknesses
A Related Weakness relationship associates a weakness with this attack pattern.
Each association implies a weakness that must exist for a given attack to be
successful. If multiple weaknesses are associated with the attack pattern, then
any of the weaknesses (but not necessarily all) may be present for the attack to
be successful. Each related weakness is identified by a CWE identifier.

CWE-ID  Weakness Name
1021    Improper Restriction of Rendered UI Layers or Frames

Taxonomy Mappings
Relevant to the OWASP taxonomy mapping

Entry Name: Clickjacking

References
[REF-619] "OWASP Web Security Testing Guide". Testing for Clickjacking. The Open
Web Application Security Project (OWASP).
<https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking.html>.

Content History

Submissions:
 * 2014-06-23 (Version 2.6), CAPEC Content Team, The MITRE Corporation

Modifications:
 * 2017-08-04 (Version 2.11), CAPEC Content Team, The MITRE Corporation:
   Updated Attack_Phases, Description Summary, Examples-Instances,
   Related_Weaknesses, Resources_Required
 * 2020-07-30 (Version 3.3), CAPEC Content Team, The MITRE Corporation:
   Updated Example_Instances
 * 2020-12-17 (Version 3.4), CAPEC Content Team, The MITRE Corporation:
   Updated References, Taxonomy_Mappings
 * 2022-09-29 (Version 3.8), CAPEC Content Team, The MITRE Corporation:
   Updated Description, Extended_Description


Page Last Updated or Reviewed: July 31, 2018
Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the
associated references from this website are subject to the Terms of Use. CAPEC
is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and
Infrastructure Security Agency (CISA) and managed by the Homeland Security
Systems Engineering and Development Institute (HSSEDI) which is operated by The
MITRE Corporation (MITRE). Copyright © 2007–2023, The MITRE Corporation. CAPEC
and the CAPEC logo are trademarks of The MITRE Corporation.