nerdexam
EC-Council

312-50V11 · Question #192

Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks to the

The correct answer is D. Clickjacking Attack. Clickjacking tricks users into clicking hidden elements by overlaying a transparent iframe on top of visible, attractive content.

Hacking Web Applications

Question

Scenario: 1. Victim opens the attacker's web site. 2. Attacker sets up a web site which contains interesting and attractive content like 'Do you want to make $1000 in a day?'. 3. Victim clicks to the interesting and attractive content url. 4. Attacker creates a transparent 'iframe' in front of the url which victim attempt to click, so victim thinks that he/she clicks to the 'Do you want to make $1000 in a day?' url but actually he/she clicks to the content or url that exists in the transparent 'iframe' which is setup by the attacker. What is the name of the attack which is mentioned in the scenario?

Options

  • ASession Fixation
  • BHTML Injection
  • CHTTP Parameter Pollution
  • DClickjacking Attack

How the community answered

(49 responses)
  • A
    4% (2)
  • B
    2% (1)
  • D
    94% (46)

Why each option

Clickjacking tricks users into clicking hidden elements by overlaying a transparent iframe on top of visible, attractive content.

ASession Fixation

Session Fixation forces a victim to authenticate using a pre-set session token controlled by the attacker - it does not involve iframe overlays or click interception.

BHTML Injection

HTML Injection inserts unsanitized HTML markup into a web page to alter its content or structure, not to overlay invisible iframes and intercept user clicks.

CHTTP Parameter Pollution

HTTP Parameter Pollution manipulates duplicate HTTP parameters to bypass input filters or cause inconsistent server behavior, and is unrelated to visual overlay techniques.

DClickjacking AttackCorrect

Clickjacking, also called a UI redress attack, works by rendering a transparent iframe over a page element the victim intends to click, so the actual click is registered by the hidden iframe content instead. The attacker lures the victim with engaging bait content and harvests the click to perform unintended actions such as authorizing transactions or changing account settings. The transparent iframe is the defining technical mechanism of this attack.

Concept tested: Clickjacking UI redress attack using transparent iframes

Source: https://owasp.org/www-community/attacks/Clickjacking

Topics

#clickjacking#iframe#UI redressing#web attack

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice