Click Jacking OR UI redress Attack


This post is part of a multi-post series on application security threats and their solutions. Please visit my introduction article here to know about more security threats and their solutions.

In click-jacking attacker hijack user’s click. Click-jacking (also known as a “UI redress attack”) is when an attacker uses multiple transparent/opaque layers to trick a user into apparently clicking, dragging or typing into a visible webpage, when in actual fact the user actions interact with a different page. Thus, the attacker effectively “hijacks” clicks meant for the visible page by routing them to another page, most often belonging to another application, domain, or both.



To avoid this kind of attack we need to implement something called a frame killer. A frame killer / frame buster / frame breaker is a piece of JavaScript code that prevents a web Page from being displayed within a frame. A frame is a subdivision of a Web browser window and can act like a smaller window. This kind of script is often used to prevent a frame from an external Web site being loaded from within a frameset without permission, often as part of click-jacking attack.


FrameKiller Code Implementation

We need to implement following code in each and every web page. But if your web site is based on Master page concept and each page is displayed inside it then this code can be implemented in Master page itself. No need to implement in all the pages, as each page inherits from a Master page and so the frame killer code will be.

The logic of this script is to disable presentation of the page by default and enable it only in top location.
body { display : none;}

if (self == top)
var theBody = document.getElementsByTagName(‘body’)[0]; = “block”
top.location = self.location;
This code should be implemented in conjunction with the secure response header. So in Global.asax file we need to implement following code.
void Application_BeginRequest(object sender, EventArgs e)
this.Response.Headers[“X-FRAME-OPTIONS”] = “DENY”;


Use the Security Attribute

Internet Explorer 6 and later support a new security attribute for the <frame> and <iframe> elements. You can use the security attribute to apply the user’s Restricted Sites Internet Explorer security zone settings to an individual frame or iframe. By default, the Restricted Sites zone does not support script execution. If you use the security attribute, it must be set to “restricted” as below:

Hope this will help. Stay tuned for more posts on the security implementation in web applications.



Leave a Comment