Clickjacking attack

Jijith Rajan
Published on
10 Sep 2023
8 min read

Clickjacking, also known as a “UI redress attack” or “UI redressing,” is a type of cyberattack where an attacker tricks a user into clicking on something different from what they perceive on a website or application.

In a clickjacking attack, the attacker overlays a deceptive element or transparent page on top of a legitimate webpage, making it appear as if the user is interacting with the expected content.

What is clickjacking?

Clickjacking attack is a technique by which an attacker attempts malicious methods to trick a user into clicking on a link.

This step by the user will potentially reveal confidential information about the user and could also take control of the victim’s computer while clicking on seemingly innocuous web pages.

Clickjacking is exploited using various techniques that deceive users into unknowingly interacting with hidden elements while believing they are interacting with visible content.

The following are common methods used to carry out clickjacking attacks:

1. Transparent overlays

Attackers create transparent elements or overlays on top of a legitimate webpage. These overlays are invisible to the user but can cover important elements like buttons or links.

When the user clicks on what they perceive as a visible element, they are actually clicking on the hidden overlay.

2. CSS opacity

By using CSS opacity, attackers can make hidden elements partially transparent, making them appear as part of the legitimate content.

Users interact with these elements, thinking they are part of the visible page.

3. iFrames

Attackers use invisible iFrames to load a legitimate webpage within their malicious page.

They then position the iFrame in a way that covers the targeted elements, making it difficult for users to see the deception.

4. Mouse offsets

By calculating mouse offsets, attackers can create an offset between the visible element and the actual element where the click is registered.

This technique ensures the click is performed on the hidden element rather than the perceived one.

5. CSS display property

Attackers can manipulate the CSS display property to hide or show elements dynamically.

They may initially hide an element and then make it visible when the user clicks on a specific area, tricking them into interacting with the hidden element.

6. Social engineering

Clickjacking attacks may also involve social engineering to lure users into interacting with the malicious content. For example, attackers may prompt users to “click here for a prize” or “confirm your age” to access certain content, exploiting curiosity or urgency.

Clickjacking attacks exploit the fact that web browsers allow elements from different websites to be layered on top of each other.

This enables attackers to create deceptive overlays and trick users into performing unintended actions.

These actions can include anything from unknowingly posting on social media, approving malicious transactions, downloading malware, granting unauthorized permissions, and more.

What is the impact of the clickjacking attack?

Clickjacking can have several significant impacts on both users and organizations.

The consequences of a successful clickjacking attack can vary depending on the attacker’s intentions and the actions performed by the user.

Here are some of the main impacts of clickjacking:

1. Unauthorized actions

Clickjacking allows attackers to trick users into unknowingly performing actions they didn’t intend to.

This could include making unauthorized purchases, sharing sensitive information, granting permissions to malicious applications, or interacting with hidden elements that compromise security.

2. Data theft

Clickjacking attacks can lead to the theft of sensitive user data.

For example, attackers can deceive users into clicking on hidden elements that trigger the download of malware or prompt the user to enter confidential information.

3. Financial losses

If clickjacking leads to unauthorized actions, users may suffer financial losses due to fraudulent purchases or transactions made without their knowledge or consent.

4. Reputation damage

Organizations hosting vulnerable websites can suffer reputation damage if their users’ become victims of clickjacking attacks.

This can lead to a loss of trust from customers and stakeholders.

5. Privacy violations

Clickjacking can result in privacy violations if users inadvertently share personal or confidential information on social media or other platforms.

6. Malware distribution

Clickjacking attacks can be used to distribute malware to users’ devices, potentially leading to further security breaches or system compromises.

7. Social engineering

Clickjacking attacks often involve social engineering tactics to deceive users. As a result, users may become more susceptible to future phishing or social engineering attempts.

Organizations may face legal consequences if they fail to protect their users from clickjacking attacks, especially if sensitive user data is compromised.

How do you prevent clickjacking attacks?

Conducting regular security audits to identify and address potential vulnerabilities is very crucial for mitigating the potential risk from Clickjacking.

User education and awareness about the risks of interacting with suspicious or unfamiliar content can help users recognize and avoid clickjacking attempts.

By taking proactive steps to protect against clickjacking, organizations can safeguard their users and maintain the integrity and trustworthiness of their web applications.

Preventing clickjacking requires implementing multiple layers of security measures to protect web applications and their users. Here are some effective preventive measures to defend against clickjacking attacks:

1. X-Frame-Options header

Set the X-Frame-Options HTTP header in the web server’s response. This header specifies whether a web page can be displayed in an iframe.

The “DENY” option prevents the page from being displayed in any iframe, while “SAMEORIGIN” restricts it to be displayed only on the same origin (same domain).

2. Content Security Policy (CSP)

Implement a strict Content Security Policy using the “frame-ancestors” directive to specify which domains are allowed to embed the website’s content in an iframe.

This helps prevent unauthorized framing of the website.

3. Frame-busting scripts

Include frame-busting JavaScript code in web pages.

This script detects if the page is loaded within an iframe and, if so, redirects the user to the top-level window, breaking out of the iframe and preventing clickjacking.

4. Use X-Content-Type-Options

Set the X-Content-Type-Options HTTP header with the value “nosniff” to prevent browsers from interpreting files as a different MIME type.

This helps prevent certain types of clickjacking attacks that rely on forcing browsers to interpret content differently.

5. Implement CSRF tokens

Use Cross-Site Request Forgery (CSRF) tokens in forms and actions to prevent attackers from forging user-initiated actions even if they manage to deceive users through clickjacking.

6. Frame-killing scripts

Deploy frame-killing scripts that check if the page is the top-level window, and if not, redirect to a safe location or deny rendering.

7. User education and awareness

Educate users about clickjacking risks and advise them not to click on suspicious or unfamiliar elements on websites.

Encourage users to verify the legitimacy of websites before entering sensitive information.

8. Security audits

Regularly conduct security audits and vulnerability assessments using a platform like Beagle Security to identify and address potential clickjacking vulnerabilities in web applications.

9. Multi-factor authentication (MFA)

Enforce MFA for sensitive actions or logins to add an extra layer of protection against unauthorized access in case of successful clickjacking attacks.

10. Keep software updated

Maintain the latest versions of web frameworks, libraries, and plugins to minimize the risk of known vulnerabilities being exploited for clickjacking attacks.

By combining these preventive measures, web developers and organizations can significantly reduce the risk of clickjacking attacks and protect their users from unwittingly falling victim to such deceptive exploits.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.