The Clickjacked Website

The Network: A high technology provider on the U.S. East Coast with several hundred servers, including internal web servers and a popular external-facing website.

The Expectation: As in any typical modern enterprise, web services and applications are used extensively, both inside and outside the company, to enable digital transformation as well as eCommerce and government self-service.

The Catch: Netsurion’s EventTracker Security Operations Center (SOC) identified various websites, including the external-facing one, that were vulnerable to Clickjacking attacks. Also known as a UI Redress Attack, Clickjacking is a malicious technique of tricking a user into clicking on something that seems legitimate, which can reveal confidential information like bank account data or allow others to take control of the computer or server.

The Find: Given the extensive penetration of web services today, website developers in every organization need to test for vulnerabilities, especially the OWASP Top 10. Failing to do so can expose critical company-confidential data to attackers.
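One check a developer can run when testing for Clickjacking exposure is whether a page's response forbids framing by other origins. The Python below is an added example, not Netsurion's or the SOC's method; it assumes the standard `X-Frame-Options` header and CSP `frame-ancestors` directive (neither is named on this page) as the protection signal, and the hostnames and responses are constructed.

```python
# Added example: classify HTTP response headers for anti-framing protection.
# Sample responses are constructed; the check runs offline on header dicts.

def _frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_protection(headers):
    """Return (protected, reason) for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforcing CSP header counts; the Report-Only variant blocks nothing.
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # An enforced frame-ancestors directive overrides X-Frame-Options.
        if any(s in ("*", "http:", "https:") for s in sources):
            return False, "frame-ancestors allows any origin"
        return True, "frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo:
        # ALLOW-FROM is obsolete and malformed values are ignored by browsers.
        return False, "X-Frame-Options value not honoured: " + xfo
    return False, "no anti-framing header"

SAMPLE = {  # constructed responses; hostnames are placeholders
    "intranet.example": {"Content-Type": "text/html"},
    "www.example": {"X-Frame-Options": "SAMEORIGIN"},
    "shop.example": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "cdn.example": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

def audit(responses):
    """Return the hostnames whose pages another origin could embed in a frame."""
    return sorted(h for h, hdrs in responses.items() if not framing_protection(hdrs)[0])

if __name__ == "__main__":
    for host, hdrs in SAMPLE.items():
        print(host, framing_protection(hdrs))
```

A header check only shows whether the browser will refuse to render the page inside a foreign frame; pages that must be embeddable need a restricted `frame-ancestors` source list rather than no policy.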

The Lesson: Putting company information on a website allows for easy access internally or externally. Failing to protect that website can create a security gap that attackers can exploit for monetary gain.