
Clickjacking

An attack that tricks users into clicking on hidden elements by overlaying an invisible page on top of a visible one.

Clickjacking, also known as a UI redress attack, tricks users into clicking on something different from what they perceive. The attacker creates a malicious page that loads the target website in an invisible iframe positioned over a decoy page. When users think they are clicking buttons on the visible page, they are actually interacting with hidden elements on the target site, potentially performing unintended actions like changing account settings, making purchases, or granting permissions.

How It Works

The attacker creates a web page with two layers. The bottom layer contains enticing content with a visible button or link. The top layer contains an iframe loading the target application, styled with CSS to be completely transparent (opacity: 0) and positioned so that its clickable element aligns precisely with the visible button below. When the victim clicks what appears to be an innocent button, they actually click on the hidden target application's element.

More sophisticated clickjacking variants include drag-and-drop attacks (tricking users into dragging data between frames), likejacking (hijacking social media likes), and cursor-jacking (offsetting the cursor position from its visual location). Multi-step clickjacking guides users through a sequence of clicks to complete complex actions on the target site.

The primary defense against clickjacking is preventing the target page from being loaded inside an iframe. The X-Frame-Options HTTP header instructs browsers to block iframe embedding entirely (DENY) or allow it only from the same origin (SAMEORIGIN). The more flexible Content Security Policy frame-ancestors directive specifies which domains are allowed to embed the page. Modern applications should implement both headers for compatibility with older browsers.

Why It Matters

Clickjacking can turn any authenticated action into an attack, from changing an email address to deleting an account. Security assessments check for missing framing protections because even a single page without proper headers can be exploited. While the individual impact of each click may seem minor, chaining multiple clickjacking steps together can accomplish significant account modifications without the victim's knowledge.
