
Clickjacking

Clickjacking is a UI redressing attack in which an attacker tricks a user into clicking on something while the user is unaware of the action that is actually being executed.

Typically a clickjacking attack takes place on a web page controlled by the attacker, which the user (the victim) is visiting. This page normally contains content that is interesting enough to make the victim's motivation to visit the site as high as possible.

On top of the attacker's visible page, the attacker places an iFrame containing the page that is the target of the attack. The attacker makes the iFrame invisible and positions it so that the items the attacker wants clicked lie directly on top of the items the user intends to click on the attacker's visible page. The victim therefore clicks on the invisible page inside the iFrame and executes an action within that page.

Attacks can be constructed where a victim is tricked into clicking several times.

What Do I Get from SAP NetWeaver?

To protect against such attacks, we have created a clickjacking framing protection function. There are other publicly known ways to protect against such attacks, but these methods generally do not fit complex business scenarios. You can find such methods on the Internet under the terms clickjacking or UI redressing.

Clickjacking framing protection works as follows:

First, the page that needs to be protected is made invisible so that its content cannot be rendered. This is done using a style sheet. With unified rendering it is also possible to block the events of a page, so that any events, including clicks, are blocked.

If the page's check confirms that it is being rendered in a trusted environment, the style sheet is removed again and the page content becomes visible. In an untrusted environment the page remains invisible.

Prerequisites
  • There must be a whitelist service available where the application can check whether a given parent is trustworthy or not. The service must be accessible to the application and must have storage for the list of trusted URLs.

  • The application which needs to be protected must insert a style sheet into its content to make it invisible initially.

  • The application must include the script function responsible for checking whether the application is running in a trusted environment and enabling the content if it is running in a trusted environment.
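The following is an added illustration of the check described above, not SAP's own implementation: the page starts hidden by a style sheet, the script compares every framing ancestor against a whitelist (here a constructed in-memory set standing in for the whitelist service), and only then removes the style sheet. The style element id, the whitelist contents and the use of location.ancestorOrigins / document.referrer as the source of the parent URL are assumptions.

```javascript
// Added example (not SAP code): minimal clickjacking framing protection.
// Constructed sample whitelist, standing in for the whitelist service's storage.
const TRUSTED_ORIGINS = new Set([
  "https://portal.example.com",
  "https://portal.example.com:8443",
]);

// Normalise a URL to its origin (scheme://host[:port]); returns null for
// anything unparsable, so a malformed ancestor URL is never trusted.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Exact origin comparison, never a substring match: a host such as
// "portal.example.com.evil.test" must not pass because it contains a trusted name.
function isTrustedOrigin(url, trusted = TRUSTED_ORIGINS) {
  const origin = originOf(url);
  return origin !== null && trusted.has(origin);
}

// Decide whether the protected page may be shown.
// ancestors: URLs of all framing pages; [] means the page is top-level.
// A null entry (parent URL could not be determined) fails closed: stay hidden.
function shouldUnhide(ancestors, trusted = TRUSTED_ORIGINS) {
  if (ancestors.length === 0) return true; // not framed at all
  return ancestors.every((a) => a !== null && isTrustedOrigin(a, trusted));
}

// Browser hook-up: remove the initial hiding style sheet only when trusted.
// Assumes the hiding <style> element has the id "clickjacking-protection".
function applyFramingProtection() {
  if (typeof window === "undefined" || typeof document === "undefined") return;
  let ancestors = [];
  if (window.top !== window.self) {
    ancestors = window.location.ancestorOrigins
      ? Array.from(window.location.ancestorOrigins) // all ancestors (where supported)
      : [document.referrer || null]; // fallback: direct parent only
  }
  if (shouldUnhide(ancestors)) {
    const style = document.getElementById("clickjacking-protection");
    if (style) style.remove();
  }
}
applyFramingProtection();
```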

What Do I Need to Do?

If you use one of the supported frameworks, you do not have to develop anything, otherwise you must do your own implementation.