Clickjacking

Clickjacking (UI Redressing) is an attack where a malicious page tricks users into clicking on hidden or disguised elements from another site, typically by overlaying transparent iframes. Victims believe they're interacting with the visible page but are actually clicking on the hidden target.

How It Works

The attacker creates a page that loads the target site in a transparent iframe positioned over deceptive content. When users click on what appears to be the attacker's page, they're actually clicking buttons or links on the hidden target site.

Basic Clickjacking Example

<style>
  iframe {
    position: absolute;
    top: 0; left: 0;
    width: 500px;
    height: 200px;
    opacity: 0;  /* Invisible */
    z-index: 2;
  }
  .decoy {
    position: absolute;
    top: 50px; left: 100px;
    z-index: 1;
  }
</style>

<!-- Hidden target (e.g., "Delete Account" button) -->
<iframe src="https://target.com/settings"></iframe>

<!-- Visible decoy -->
<button class="decoy">Click to Win a Prize!</button>

Attack Scenarios

  • Tricking users into changing security settings
  • Unauthorized social media actions (likes, follows)
  • Initiating fund transfers
  • Enabling webcam/microphone permissions

Protection Headers

# Legacy header (still worth sending for older clients)
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

# Modern CSP approach (preferred; overrides X-Frame-Options where supported)
Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: frame-ancestors 'self'

Each pair above shows two alternative values, not two headers to send together: DENY / 'none' blocks all framing, SAMEORIGIN / 'self' allows framing only by pages of the same origin. When both headers are present, browsers that understand frame-ancestors ignore X-Frame-Options, so the two must agree.
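
A defender-side check of the headers above, added here as an example (not code from the original page): it classifies a response's anti-framing protection from its headers, giving an enforcing frame-ancestors directive precedence over X-Frame-Options and ignoring Report-Only policies. The check_framing function and the sample header sets are constructed for this illustration.

```python
# Added example (not from the original page): classify a response's
# anti-framing protection from its headers. `check_framing` and the
# sample headers below are assumptions constructed for this illustration.
from typing import Mapping

UNRESTRICTED = {"*", "http:", "https:"}  # source tokens that admit any ancestor


def frame_ancestors(csp: str):
    """Return the frame-ancestors source tokens (lowercased), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def check_framing(headers: Mapping[str, str]) -> dict:
    """Report whether arbitrary third-party pages may frame this response.
    Enforcing frame-ancestors overrides X-Frame-Options; a Report-Only policy
    never blocks framing, so it is deliberately not consulted."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if sources == ["'none'"]:
            return {"protected": True, "via": "csp", "detail": "no framing allowed"}
        if any(s in UNRESTRICTED for s in sources):
            return {"protected": False, "via": "csp", "detail": "any origin may frame"}
        return {"protected": True, "via": "csp", "detail": "limited to " + " ".join(sources)}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "via": "xfo", "detail": xfo}
    if xfo.startswith("ALLOW-FROM"):
        return {"protected": False, "via": "xfo", "detail": "ALLOW-FROM ignored by modern browsers"}
    return {"protected": False, "via": None, "detail": "no anti-framing header"}


# Constructed sample responses, not captured from any real site.
SAMPLES = {
    "legacy-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "partner": {"content-security-policy": "frame-ancestors 'self' https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:18} {check_framing(hdrs)}")
```

Running it prints one verdict per sample; the csp-overrides-xfo case shows why a DENY header alone is not enough once a permissive frame-ancestors directive is added.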

See Also