nerdexam
EC-Council

312-50V10 · Question #192

Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks to the

The correct answer is D. Clickjacking Attack. Clickjacking overlays a transparent iframe on top of visible decoy content so that a victim's click is captured by the hidden frame rather than the intended link.

Hacking Web Applications

Question

Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks to the interesting and attractive content url. 4. Attacker creates a transparent 'iframe' in front of the url which victim attempt to click, so victim thinks that he/she clicks to the 'Do you want to make $1000 in a day?' url but actually he/she clicks to the content or url that exists in the transparent 'iframe' which is setup by the attacker. What is the name of the attack which is mentioned in the scenario?

Options

  • ASession Fixation
  • BHTML Injection
  • CHTTP Parameter Pollution
  • DClickjacking Attack

How the community answered

(42 responses)
  • A
    5% (2)
  • B
    2% (1)
  • C
    2% (1)
  • D
    90% (38)

Why each option

Clickjacking overlays a transparent iframe on top of visible decoy content so that a victim's click is captured by the hidden frame rather than the intended link.

ASession Fixation

Session Fixation forces a known session identifier onto a victim before they authenticate, which is unrelated to iframe overlaying or visual deception.

BHTML Injection

HTML Injection inserts unsanitized HTML markup into a page to alter its appearance or function, but does not use a transparent iframe to redirect mouse clicks.

CHTTP Parameter Pollution

HTTP Parameter Pollution injects duplicate or conflicting parameters into HTTP requests to manipulate server-side logic, not the visual rendering layer of a page.

DClickjacking AttackCorrect

Clickjacking, also called a UI redress attack, works by positioning a transparent or invisible iframe containing the attacker's target over attractive decoy content visible to the user. When the victim clicks what appears to be the '$1000 a day' link, the click event is actually intercepted by the transparent iframe, causing the victim to unknowingly interact with the attacker's chosen resource. This technique exploits the browser's compositing layer and can be mitigated with response headers such as X-Frame-Options or Content-Security-Policy frame-ancestors.

Concept tested: Clickjacking UI redress attack using transparent iframes

Source: https://owasp.org/www-community/attacks/Clickjacking

Topics

#clickjacking#transparent iframe#UI redressing#web attack

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice