Clickjacking is a technique in which an attacker tricks a user into clicking on a link or button other than the one the user believes they are clicking. That click can reveal confidential information about the user and can even allow the attacker to take control of the victim's computer, all while the victim is interacting with seemingly innocuous web pages. Attackers use multiple transparent or opaque layers to disguise the real target of the click. The aim is to have the user act on the malicious page while believing they are interacting with the visible, top-level page. A successful attack leads to leakage of sensitive information.
If a site has this vulnerability, an attacker can load it inside another page and hide it beneath the attacker's own content. The attacker can then trick end users into performing actions on the hidden site as themselves, and those actions cannot be traced back to the attacker afterwards. The issue arises because the user is already authenticated to the hidden page, so the attacker effectively borrows the user's authenticated session with every click.
A clickjacking attack can steal information about the end user, including the username, password and more. It can lead to significant issues such as a data breach affecting end users.
Beagle recommends the following fixes:
For Apache: Header always append X-Frame-Options SAMEORIGIN
For Nginx: add_header X-Frame-Options "SAMEORIGIN" always;
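To confirm that the fix is actually in place, the following added example (not part of the original page or of Beagle's tooling) inspects a set of HTTP response headers and reports whether the page can be framed. It goes slightly beyond the page by also honouring the Content-Security-Policy frame-ancestors directive, which current browsers prefer over X-Frame-Options when both are present; the sample header sets are constructed for illustration.

```python
"""Evaluate response headers for clickjacking (framing) protection."""
from typing import Dict, List, Optional, Tuple


def parse_x_frame_options(value: str) -> Tuple[bool, str]:
    """Return (protected, reason) for an X-Frame-Options header value."""
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {v}"
    if v.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete; current browsers ignore it, so the page is framable.
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by browsers"
    return False, f"unrecognised X-Frame-Options value {value!r}"


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Extract the frame-ancestors source list from a CSP header, if present."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def check_framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether the response forbids framing by untrusted origins."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:  # CSP frame-ancestors takes precedence over X-Frame-Options
            if "*" in sources or any(s.startswith("http:") or s == "http:" for s in sources):
                return False, f"frame-ancestors permits untrusted framing: {sources}"
            return True, f"frame-ancestors restricts framing to {sources}"
    xfo = lower.get("x-frame-options")
    if xfo is not None:
        return parse_x_frame_options(xfo)
    return False, "no X-Frame-Options or CSP frame-ancestors header: page can be framed"


# Constructed sample responses, before and after applying the recommended fix.
UNFIXED_HEADERS = {"Content-Type": "text/html", "Server": "nginx"}
FIXED_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for name, hdrs in (("unfixed", UNFIXED_HEADERS), ("fixed", FIXED_HEADERS)):
        ok, reason = check_framing_protection(hdrs)
        print(f"{name}: {'protected' if ok else 'VULNERABLE'} ({reason})")
```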