PREVENTING CLICK EVENT HIJACKING BY USER INTENTION INFERENCE

ICTACT Journal on Communication Technology (Volume: 7, Issue: 4)

Abstract

Web applications are getting more complex and dynamic. By exploiting layout and JavaScript features of a web page, attackers can create web page objects that hijack users’ clicks. Such objects look like normal web page objects, but users’ clicks on these objects lead to unexpected browser actions, such as visiting different URLs or sending out malicious requests. We call attacks of this type click event hijacking attacks. The Facebook Clickjacking attack is an example: it puts a transparent layer containing the victim web application on top of another web page that lures users to click. While users think they are clicking on the underlying web page, they are actually clicking in the victim web application, resulting in unauthorized actions in the web application. In this paper, we propose a solution that mitigates the problem of click event hijacking by inferring users’ intentions. Our solution, ClickGuard, ensures that the browser’s behavior after a click matches the user’s original intention. The proposed solution is implemented as a Mozilla Firefox extension, and its effectiveness is evaluated against click event hijacking attacks.

Authors

Kailas Patil
Vishwakarma Institute of Information Technology, India

Keywords

Event Hijacking, Clickjacking, Pop-Up, UI Overlay

Published By: ICTACT
Published In: ICTACT Journal on Communication Technology (Volume: 7, Issue: 4)
Date of Publication: December 2016
Pages: 1408-1416
