The Difference Between CSRF and Clickjacking

This might be obvious to those most familiar with CSRF and Clickjacking, but for those just getting a handle on it, here’s a short explanation of a fundamental difference between the two issues.

CSRF is your browser doing things on your behalf, without you clicking on something directly. A good example of this is your browser loading every image on a hostile website, and having one of those images be an “action” rather than an image. The point is that with CSRF you didn’t really do anything except load the page, and the browser then takes over from there to manifest the vulnerability.

With Clickjacking the user actually does actively interact with something, but the action itself can be “hijacked” by placing a layer between the user and the legitimate action. So imagine that you in a room with an apple on a pedestal, and as you reach for the apple you break an infrared laser beam and open a trap door.

You really did go for the apple with your own hand (unlike CSRF), but in the process you transparently triggered another action that you may not like. The trick for the attacker (using that analogy) is rigging up different types of triggers (infrared lasers) and actions (trapdoor).


Related posts: