Clickjacking

Clickjacking is a UI redress attack in which an attacker overlays a transparent or disguised iframe over a legitimate web page, tricking users into clicking on hidden elements and performing unintended actions such as changing settings or authorising transactions.

Clickjacking, also known as a UI redress attack, exploits the ability of web browsers to display content from multiple origins within a single page using iframes. The attacker creates a malicious page that loads the target application in an invisible iframe positioned over enticing visible content. When the victim clicks on what appears to be a harmless button, they are actually clicking on a button in the hidden iframe, triggering an action in the target application.

Clickjacking attacks can be used to perform a variety of malicious actions depending on the target application. These include changing privacy settings, enabling a webcam or microphone, transferring money, following social media accounts, liking or sharing content, and even downloading malware. The attack is particularly effective because the user is genuinely authenticated to the target application.

More sophisticated variants include cursorjacking (manipulating the cursor position), likejacking (targeting social media like buttons), and multi-step clickjacking where the attacker guides the victim through a sequence of clicks to complete a complex action.

Prevention requires both server-side and client-side measures. The X-Frame-Options header (with DENY or SAMEORIGIN values) and the frame-ancestors directive in Content Security Policy are the primary server-side defences; where both are present, browsers that support frame-ancestors honour the CSP directive and ignore X-Frame-Options. These headers instruct browsers not to render the page inside an iframe on another origin. Additional measures include frame-busting JavaScript as a fallback for clients that ignore the headers (noting that a framing page can neutralise such scripts with the iframe sandbox attribute) and requiring user interaction patterns that are difficult to replicate through iframes.
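The two headers above are easy to get subtly wrong (lower-case values, wildcard source lists, the obsolete ALLOW-FROM form), so the following audit helper, added here as an example and not part of the Vulnsy page, classifies a response's anti-framing protection from its headers. It runs under Node with no dependencies; every header set in it is constructed sample data, and the partner hostname is a placeholder.

```javascript
// Added example, not Vulnsy's code: audit a response's anti-framing headers.
// All header sets below are constructed sample data, not captured from any site.

// Extract the frame-ancestors source list from a Content-Security-Policy value.
// Returns null when the directive is absent; an empty list means "no sources",
// which the CSP specification treats like 'none'.
function parseFrameAncestors(csp) {
  if (typeof csp !== "string") return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// True for a source expression that lets any origin frame the page:
// "*" or a bare scheme such as "https:" matches every host on that scheme.
function isUnrestricted(src) {
  return src === "*" || /^[a-z][a-z0-9+.-]*:$/.test(src);
}

// Classify framing protection:
//   "strong" - only the same origin (or nobody) may frame the page
//   "weak"   - an explicit cross-origin allow list; review each entry
//   "none"   - any site can frame the page, so clickjacking is possible
function framingProtection(headers) {
  // Header names are case-insensitive; normalise them like Node's http module does.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // Browsers that understand frame-ancestors ignore X-Frame-Options when both
  // are present, so the CSP directive decides first.
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    if (ancestors.some(isUnrestricted)) return "none";
    if (ancestors.every((a) => a === "'none'" || a === "'self'")) return "strong";
    return "weak";
  }

  const raw = h["x-frame-options"];
  const xfo = typeof raw === "string" ? raw.trim().toUpperCase() : "";
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return "strong";
  // ALLOW-FROM was never supported by Chromium and was dropped by Firefox, so
  // modern browsers ignore the whole header: treat it as no protection.
  return "none";
}

// Constructed sample responses; "partner.example" is a placeholder host.
const SAMPLES = {
  "settings page, XFO only": { "X-Frame-Options": "DENY" },
  "legacy app, lower-case value": { "x-frame-options": "sameorigin" },
  "CSP with frame-ancestors 'none'": {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  },
  "partner embed allow list": {
    "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
  },
  "misconfigured wildcard": { "Content-Security-Policy": "frame-ancestors *" },
  "obsolete ALLOW-FROM": { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  "no anti-framing headers": { "Content-Type": "text/html" },
};

// Run the classifier over every sample and return label -> verdict.
function auditAll(samples) {
  const report = {};
  for (const [label, headers] of Object.entries(samples)) {
    report[label] = framingProtection(headers);
  }
  return report;
}

for (const [label, verdict] of Object.entries(auditAll(SAMPLES))) {
  console.log(`${verdict.padEnd(6)} ${label}`);
}
```

The "weak" verdict is deliberately not a pass: an allow list is only as safe as the origins on it, so each entry should be reviewed against the business reason for embedding the page.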

Tags: clickjacking, UI redress, iframe, browser security