Spread the love

A malicious website assault known as “clickjacking” tricks users into clicking on links they didn’t want to. Another name for a clickjacking assault is UI redressing. The reason for this is that the attacker “redresses” the user’s interface with an unseen frame, which deceives them into acting in ways they wouldn’t normally.

This article will assist you in comprehending clickjacking, identifying it, and taking preventative measures to shield your website’s visitors from these attacks.

What Is Clickjacking?

The most common type of clickjacking attacks are called overlay attacks. These are made possible by invisible frames (iframes) in which attackers cover a legitimate-looking web page with an interface that the user cannot see, for malicious purposes. 

Used properly, iframes have many legitimate uses. For example, an iframe may be used to embed a video from Vimeo or YouTube into a blog post or other page of your website. The video can be played right from the page because it lives in an iframe. 

In clickjacking, an iframe is used to make a user believe they are clicking one thing (downloading a PDF, for example) when they are actually doing something else (such as making an unintended purchase or downloading malware).

Overlays are not the only way to execute a clickjacking attack, but the end result of any type of clickjacking attack is that the user is tricked into unintended actions by malicious elements disguised as legitimate ones.

The attack is possible thanks to HTML frames (iframes), the ability to display web pages within other web pages through frames. If a web page allows itself to be displayed within a frame, an attacker can cover the original web page with a hidden, transparent layer with its own JavaScript and UI elements. The attacker then tricks users into visiting the malicious page, which looks just like a site users know and trust.

There is no indication there is a hidden UI layered over the original site. Users click a link or a button, expecting a particular action from the original site, and the attacker’s script runs instead. But the attacker’s script can also execute the expected action to make it appear nothing has gone wrong.

Read Also: Cryptojacking: What You Need To Know About This Growing Cyber Threat

Clickjacking itself is not the end goal of the attack; it is simply a means of launching some other attack by making users think they are doing something safe. The actual attack can be virtually anything possible via web pages. This ranges from malicious actions, such as installing malware or stealing credentials, to more innocuous things, such as boosting click stats on unrelated sites, boosting ad revenues on sites, gaining likes on Facebook, or increasing views of YouTube videos.

The invisible page could be a malicious page, or a legitimate page the user did not intend to visit – for example, a page on the user’s banking site that authorizes the transfer of money.

There are several variations of the clickjacking attack, such as:

  • Likejacking – a technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they actually did not intend to like.
  • Cursorjacking – a UI redressing technique that changes the cursor for the position the user perceives to another position. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have now been fixed.

Clickjacking attack example

  1. The attacker creates an attractive page which promises to give the user a free trip to Tahiti.
  2. In the background the attacker checks if the user is logged into his banking site and if so, loads the screen that enables transfer of funds, using query parameters to insert the attacker’s bank details into the form.
  3. The bank transfer page is displayed in an invisible iframe above the free gift page, with the “Confirm Transfer” button exactly aligned over the “Receive Gift” button visible to the user.
  4. The user visits the page and clicks the “Book My Free Trip” button.
  5. In reality the user is clicking on the invisible iframe, and has clicked the “Confirm Transfer” button. Funds are transferred to the attacker.
  6. The user is redirected to a page with information about the free gift (not knowing what happened in the background).

How Does a Clickjacking Attack Work?

Attackers may use several variations when designing a clickjacking attack, but here is one classic example of how an attack may play out.

  • An Attacker Creates a Malicious Dummy Website 

A clickjacker creates a malicious page (e.g., dummy.com) and includes an iframe containing the target website (a legitimate site, e.g., legit.com). Using styling, the iframe will be set to be invisible and positioned in a way that the invisible button in legit.com is located directly on top of a dummy button on dummy.com. This way, when the user clicks on the dummy button they see, they’re actually clicking on the invisible button.

  • Victims Visit the Webpage

With their dummy web page in place, attackers typically use social engineering tactics, such as fraudulent emails, to entice victims to visit. The emails may tell victims they have won a prize or make them some irresistible offer to draw them in.

  • Unintended Action is Executed

Once the attacker has tricked a victim into visiting the website, the victim clicks to claim a bogus offer or perform some other action. When they do, the action the attacker intended, rather than what the victim intended to do, is executed by the victim’s browser.

How to Detect Clickjacking

Technically speaking, any website that is open to being embedded in an iframe may be vulnerable to clickjacking attacks. This is why it’s so important for both website administrators and end users to be proactive in preventing them.

So how can you test your site’s vulnerability to clickjacking? One method is to code a specific page of HTML and use it to try to embed a sensitive page of your site in an iframe. The OWASP provides a sample of HTML code to perform this test. 

Most methods for protecting against clickjacking rely on the origin of the page — i.e., the fact that the domain of the malicious page is different from the domain of the legitimate page (e.g., dummy.com vs. legit.com). So when running this test page, it’s best not to run it under the same domain as the targeted page (e.g. legit.com). 

Once you run the HTML, it should tell you whether the page you are testing is vulnerable to clickjacking. With further testing, you can determine whether any protections already in place on the page could be evaded by a clickjacking attack.

How to Prevent Clickjacking

You can defend your website against clickjacking attacks via client-side or server-side prevention.

Client-side Prevention

From the client side, there are three main methods of clickjacking prevention, all related to browsers.

  • Intersection Observer API

While you may not be able to control what browsers your users are using, most modern browsers already support Intersection Observer API. This Javascript API allows detecting the visibility of target elements. It lets a webpage “know” if a specific component in the page, or the entire page, is visible to the user. This knowledge can be used to identify whether the content of a web page is invisible to the user (even if contained within an iframe).

  • Browser Add-ons

There are also a handful of browser add-ons designed to guard against clickjacking, including NoScript and NoClickjack. These add-ons are not compatible with every browser, but their availability is on the rise.

  • Frame Busting

Frame busting is the practice of using JavaScript to keep a web page from being loaded in a frame. It’s effective even in legacy browsers that don’t support newer methods such as the Intersection Observer API or the X-Frame-Options header & CSP mentioned below. 

Note: Frame Busting is exposed to being overridden by the containing, dummy, page.

Server-side Prevention

Coming from the server side, there are several ways to guard against clickjacking. Where possible, it’s best to use more than one method to improve your defenses.

  • X-Frame-Options Header

This frame option can be added to HTTP as a response header. The HTTP response header is designed to allow the server to tell the client (web browser) if the specific page is allowed to be shown within an iframe. Most major browsers enforce this restriction. Once the website administrator establishes the X-Frame-Options of the site, the header will enforce one of the following framing policies as designated:

  • SAMEORIGIN: only framing from the same website(s) is allowed
  • DENY: all framing is forbidden

X-Frame-Options is an older alternative and became obsolete by the Content Security Policy standard (covered below), yet it is still supported by modern browsers.

  • frame-ancestors Directive in Content Security Policy

The frame-ancestors directive is designed to replace the X-Frame-Options header. As part of Content Security Policy (CSP), the frame-ancestors directive can either allow or disallow framed content from being embedded. On pages that include both the X-Frame-Options header and frame-ancestors directive, the frame-ancestors policy is usually given preference by the browser.

  • SameSite Cookie Attribution

While SameSite cookie attribution is usually used to defend a site against cross-site request forgery (CSRF), it can also help fend off clickjacking. It prevents a cookie from being sent in case the request originated from a third party. For clickjacking, this means that even if the webpage was shown in an iframe and the victim did click on a button unintentionally, any cookie that should normally be sent with the request following the click will not be sent (for example, a session cookie).

Social Engineering

If users can avoid falling victim to social engineering, clickjacking attacks will be less successful. Following a handful of common-sense rules can help users keep safe from the social engineering tactics that hackers use to prey on them:

  • Don’t click on pop-ups, especially on sites you don’t use regularly. Many of them are malicious.
  • Pay attention to any browser warnings on the sites you visit. If you are warned not to proceed, don’t.
  • Don’t click a link in any email from an unfamiliar source. Before clicking a link that looks trustworthy, check for spelling errors and note whether it’s an HTTP or HTTPS link. Most trustworthy sites use HTTPS.
  • Text-based clickjacking is becoming more common. Do not click any links in a text from an unknown sender.

If employed by your organization, multi-factor authentication can help guard against social engineering. Keep in mind that this is mainly relevant to workforce users, since CIAM platforms cannot count on educating their customers to beware of social engineering.

Would-be attackers are relentless in their efforts to compromise your system across multiple attack vectors. To defend your organization and its users, you must be just as vigilant about improving your cybersecurity posture.

Types of Clickjacking Attacks

Clickjacking attacks are typically performed by arranging or manipulating the website’s visible interface in a way so that the victim isn’t aware of the attack. This deception can lure users into performing actions like downloading malware, transferring money to target accounts, exploiting auto-fill functionalities in password managers, or even accessing the victim’s computer.

Let’s dive in and explore some of the different types of clickjacking attacks.

Content overlays

One of the most common types of clickjacking attacks, overlaying malicious content on top of the existing page can be accomplished in a few different ways:

  • Invisible iframes: The attacker loads an invisible 1×1 iframe that prevents the user from seeing the content. The invisible iframe’s target element, such as a button on the website, is centered under the victim’s cursor making it easy to trick the user into clicking the malicious content.
  • Pointer events: A floating div tag is created that completely covers the target UI element. The attacker sets CSS pointer-events property to ‘none’ which makes clicks go through it, making them register on the iframe behind it.
  • Transparent overlays: The attacker overlays a transparent window on top of an element that the user will click on. The victim does not see the transparent window and believes they are clicking on the legitimate button or link element. But since the attacker’s transparent window is the top-most content on the page, the click is hijacked by the attacker.

Rapid content replacement 

In this attack, blurred overlays are created to cover target elements on the web page. The action is carried out almost instantly (milliseconds) right before the victim engages with the web page. This technique requires the attacker to predict the timing of the click with some accuracy. The overlay is visible only long enough to capture the click before it is concealed.

Phantom mouse cursors

Using floating div tags, an attacker can simulate an additional mouse cursor and set it to be a fixed distance from the victim’s real mouse pointer. The attacker will then position the page so that the deceptive cursor is more prominent and place an element that they want the victim to click on the page. The user will see a fake cursor that emulates their own mouse movements and be tricked into clicking on the malicious element before they realize what happened.

About Author


MegaIncomeStream is a global resource for Business Owners, Marketers, Bloggers, Investors, Personal Finance Experts, Entrepreneurs, Financial and Tax Pundits, available online. egaIncomeStream has attracted millions of visits since 2012 when it started publishing its resources online through their seasoned editorial team. The Megaincomestream is arguably a potential Pulitzer Prize-winning source of breaking news, videos, features, and information, as well as a highly engaged global community for updates and niche conversation. The platform has diverse visitors, ranging from, bloggers, webmasters, students and internet marketers to web designers, entrepreneur and search engine experts.