Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closes issue #1577 #1605

Closed
wants to merge 2 commits into from
Closed

Closes issue #1577 #1605

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
95ed681
Updated cheat sheet: Removed EMET and added new recommendations.
caffeine-rohit Jan 30, 2025
16e84a3
Updated Clickjacking cheat sheet by adding valuable information about…
caffeine-rohit Feb 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions cheatsheets/C-Based_Toolchain_Hardening_Cheat_Sheet.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -648,6 +648,10 @@ Visual Studio offers a number of debugging aids for use during development. The

![Windows1](../assets/C-Based_Toolchain_Hardening_Windows1.png)

Finally, for runtime hardening, Microsoft has a helpful tool called EMET. EMET is the [Enhanced Mitigation Experience Toolkit](https://en.wikipedia.org/wiki/Enhanced_Mitigation_Experience_Toolkit), and allows you to apply runtime hardening to an executable which was built without it. It's very useful for utilities and other programs that were built without an SDLC.
Finally, for runtime hardening, Microsoft provides **Windows Defender Exploit Guard** and the **Process Mitigation Management Tool**.
[Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection) replaces EMET and offers advanced exploit protection features.

![Windows2](../assets/C-Based_Toolchain_Hardening_Windows2.png)
Additionally, the [Process Mitigation Management Tool](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection) (`ProcessMitigations` module) allows administrators to configure exploit mitigation policies via PowerShell and Group Policy.

![Windows2](exploit-protection-guard.png)

127 changes: 125 additions & 2 deletions cheatsheets/Clickjacking_Defense_Cheat_Sheet.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
# Clickjacking Defense Cheat Sheet
# Clickjacking and Double Clickjacking Defense Cheat Sheet

## Introduction

This cheat sheet is intended to provide guidance for developers on how to defend against [Clickjacking](https://owasp.org/www-community/attacks/Clickjacking), also known as UI redress attacks.
This cheat sheet is intended to provide guidance for developers on how to defend against [Clickjacking](https://owasp.org/www-community/attacks/Clickjacking), also known as UI redress attacks and Double Click Jacking.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be "Double Clickjacking", not "Double Click Jacking".

Also, let's give credit where credit is due, shall we and link the "Double Clickjackin" to Yibelo's blog post at https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html?m=1.

# Clickjacking
There are three main mechanisms that can be used to defend against these attacks:

- Preventing the browser from loading the page in frame using the [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) or [Content Security Policy (frame-ancestors)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) HTTP headers.
Expand Down Expand Up @@ -311,3 +312,125 @@ Activate [designMode](https://developer.mozilla.org/en-US/docs/Web/API/Document/
```javascript
document.designMode = "on";
```
# Double Clickjacking

## Introduction

Double Clickjacking is an advanced form of Clickjacking that exploits user interactions by requiring two consecutive clicks to execute a malicious action. Attackers use this technique to bypass security mechanisms that rely on single-click protections, making it more difficult to detect and prevent. Unlike traditional Clickjacking, which usually relies on a single user action, Double Clickjacking introduces an additional interaction to increase the success rate of the attack and evade common security measures.

## Attack Scenario

1. The attacker loads a malicious webpage that contains a transparent iframe overlaying a legitimate website.

2. The user is tricked into clicking an element, such as a button or link, thinking it belongs to the attacker's site.

3. The first click moves the transparent iframe into position over a critical UI element of the target website.

4. The second click executes the action, such as transferring funds, changing security settings, or posting content without user consent.

## Mitigation Strategies

To defend against Double Clickjacking, implement the following strategies:

### 1. Frame Busting

Prevent your site from being embedded within an iframe by using frame-busting techniques, such as:

<script>
if (self !== top) {
top.location = self.location;
}
</script>

Comment on lines +339 to +343
Copy link
Collaborator

@kwwall kwwall Feb 1, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not a JavaScript expert by any means, but it's my understanding that this simple script is not even enough to mitigate simple Clickjacking, so why do you think this would be effective against Double Clickjacking?

The currently suggested script is way more complex. That's why I suggested you refer to as part of my reply in OWASP Slack. This is what we currently recommend for simple Clickjacking frame breaking techniques:
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html#best-for-now-legacy-browser-frame-breaking-script

Can you explain why this wouldn't work? (If I had to guess--I've not tested it--I think that it would.) But I don't think the trivial script above is likely to be effective for the same reasons it's been found ineffective for simple Clickjacking attacks.

In fact Yibelo suggests this as framebusting script:

    (function(){
    if (window.matchMedia && window.matchMedia("(hover: hover)").matches) {
        var buttons = document.querySelectorAll('form button, form input[type="submit"]');
        buttons.forEach(button => button.disabled = true);
        
        function enableButtons() {
            buttons.forEach(button => button.disabled = false);
        }
        
        document.addEventListener("mousemove", enableButtons);
        document.addEventListener("keydown", e => {
            if(e.key === "Tab") enableButtons();
        });
    }
})();

I for one have no idea how this works, but I would tend to put more faith in this than the simple JavaScript you have proposed.

#### Considerations:

Frame-busting scripts help prevent iframes but can be bypassed in some cases using JavaScript modifications.

Attackers may use techniques like dynamically injecting iframes post-load to evade frame-busting mechanisms.

### 2. X-Frame-Options Header

Use the X-Frame-Options HTTP header to restrict iframe embedding:

X-Frame-Options: DENY

Alternatively, allow only trusted domains:

X-Frame-Options: SAMEORIGIN

#### Limitations:

Some browsers do not support X-Frame-Options.

Attackers can still use UI redressing techniques to manipulate users into clicking unintended elements.

### 3. Content Security Policy (CSP) Frame-Ancestors

Use CSP to control which domains can embed your site:

Content-Security-Policy: frame-ancestors 'self' https://trusted.example.com;

#### Limitations:

CSP-based protections only work when enforced properly and do not protect against all forms of Clickjacking.

Attackers can still use overlays or timing-based click manipulation to deceive users.

Comment on lines +351 to +377
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you not read Yibelo's post that I linked to in issue #1577? There Yibelo states (emphasis mine):

DoubleClickjacking is a new variation on this classic theme: instead of relying on a single click, it takes advantage of a double-click sequence. While it might sound like a small change, it opens the door to new UI manipulation attacks that bypass all known clickjacking protections, including the X-Frame-Options header, CSP's frame-ancestors and SameSite: Lax/Strict cookies. This technique seemingly affects almost every website, leading to account takeovers on many major platforms.

It is pointless to mention these as defenses if they are ineffective for Double Clickjacking. In addition, they are already thoroughly discussed in the original simple Clickjacking defense. So, IMO, this adds zero value and it in fact detrimental as it is misleading. Please delete it.

### 4. Double-Click Confirmation

Implement a double-click confirmation mechanism for critical actions to prevent unintended interactions.
#### Example:

<button onclick="confirmAction()">Submit</button>
<script>
function confirmAction() {
if (!this.clickedOnce) {
this.clickedOnce = true;
alert('Click again to confirm action.');
} else {
// Proceed with the action
}
}
</script>
Comment on lines +384 to +393
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jmanico @mackowski @szh - JavaScript is not my forte. In fact, I only learn enough of it to create some very simple PoC exploits, so I am not qualified to review this. If I were, I would have submitted a PR myself.


#### Effectiveness:

Adds an extra layer of user verification.

However, attackers could mimic this behavior to trick users into clicking twice unintentionally.

### 5. Visual Feedback Mechanisms

Ensure that users receive immediate visual feedback on interactions to prevent hidden UI manipulation. Techniques include:

Highlighting clicked elements.

Requiring explicit user confirmation through modal dialogs.

Disabling buttons for a short time after the first click to prevent rapid unintended actions.

Implementing progressive disclosure, where critical actions require an additional confirmation step.

Comment on lines +406 to +412
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make these bullet items.

## Additional Considerations

Security research has shown that some traditional defenses, such as X-Frame-Options, Content-Security-Policy (frame-ancestors directive), and the SameSite cookie attribute, may not be effective against all advanced Clickjacking attacks. Attackers can use sophisticated techniques such as dynamic iframe injections, CSS manipulations, and JavaScript-based click tracking to circumvent protections.

- **To improve security:**

Combine multiple defenses rather than relying on a single approach.

Implement real-time click behavior analysis to detect rapid or suspicious interactions.

Use server-side logging to track click patterns and identify potential clickjacking attempts.

Educate users about deceptive UI elements and how to recognize malicious behavior.

## Conclusion

Double Clickjacking is a sophisticated attack that leverages multiple user interactions to bypass traditional Clickjacking defenses. Implementing a combination of X-Frame-Options, Content-Security-Policy, JavaScript-based frame-busting techniques, UI feedback mechanisms, and real-time user behavior analysis can help mitigate this risk effectively. Organizations should adopt a layered security approach to protect against evolving threats and continuously assess the effectiveness of their Clickjacking defenses.

### For a more in-depth understanding of double-click jacking and its implications, you can refer to the following articles:

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find it curious that all 3 of these referenced in-depth links start out by giving direct credit to Paulos Yibelo who is the one who first discussed (and presumably discovered) Double Clickjacking, and yet you don't link to Yibelo's blog post, https://www.paulosyibelo.com/2024/12/doubleclickjacking-what.html?m=1. That should be the primary reference. I think it's inexcusable to do otherwise.

- [New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections](https://thehackernews.com/2025/01/new-doubleclickjacking-exploit-bypasses.html)
- [Don’t Click Twice—New Chrome, Edge, Safari Hack Attack Warning](https://www.forbes.com/sites/daveywinder/2025/01/05/dont-click-twice-new-chrome-edge-safari-hack-attack-warning/)
- [Emerging ‘DoubleClickjacking’ Threat Exploits Double-Clicks for Account Hijacking](https://www.bitdefender.com/en-us/blog/hotforsecurity/emerging-doubleclickjacking-threat-exploits-double-clicks-for-account-hijacking)
Binary file added exploit-protection-guard.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading