312-50V10 · Question #192
Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks to the
The correct answer is D. Clickjacking Attack. Clickjacking overlays a transparent iframe on top of visible decoy content so that a victim's click is captured by the hidden frame rather than the intended link.
Question
Options
- ASession Fixation
- BHTML Injection
- CHTTP Parameter Pollution
- DClickjacking Attack
How the community answered
(42 responses)- A5% (2)
- B2% (1)
- C2% (1)
- D90% (38)
Why each option
Clickjacking overlays a transparent iframe on top of visible decoy content so that a victim's click is captured by the hidden frame rather than the intended link.
Session Fixation forces a known session identifier onto a victim before they authenticate, which is unrelated to iframe overlaying or visual deception.
HTML Injection inserts unsanitized HTML markup into a page to alter its appearance or function, but does not use a transparent iframe to redirect mouse clicks.
HTTP Parameter Pollution injects duplicate or conflicting parameters into HTTP requests to manipulate server-side logic, not the visual rendering layer of a page.
Clickjacking, also called a UI redress attack, works by positioning a transparent or invisible iframe containing the attacker's target over attractive decoy content visible to the user. When the victim clicks what appears to be the '$1000 a day' link, the click event is actually intercepted by the transparent iframe, causing the victim to unknowingly interact with the attacker's chosen resource. This technique exploits the browser's compositing layer and can be mitigated with response headers such as X-Frame-Options or Content-Security-Policy frame-ancestors.
Concept tested: Clickjacking UI redress attack using transparent iframes
Source: https://owasp.org/www-community/attacks/Clickjacking
Topics
Community Discussion
No community discussion yet for this question.