Clickjacking

A deceptive web attack where an attacker tricks a user into interacting with hidden or misrepresented elements instead of the visible ones.

Definition

Clickjacking (also called click hijacking or UI redressing) is an attack in which malicious actors overlay or disguise webpage elements so that when a user believes they are clicking a visible button, link, or control, they are actually activating an unintended action on a hidden interface. This typically relies on the target page being embeddable in a transparent iframe, or on layered HTML/CSS elements, to mislead users into triggering events like authorizing payments, enabling camera/microphone access, or submitting sensitive data without awareness. In essence, it hijacks the user’s input by making them unwittingly interact with concealed content that performs actions with significant consequences. Clickjacking remains a notable risk in web security, requiring developers to adopt protective measures against such interface-based deception.

Pros

  • Helps security professionals understand user interface exploitation techniques in depth.
  • Highlights weak points in browser and application design for improved defensive strategies.
  • Motivates the use of protective response headers such as X-Frame-Options and the CSP frame-ancestors directive.
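As an added example (not part of this glossary entry or of any CapSolver code), the check below classifies a response's headers by whether a current browser would refuse to render the page inside a frame on an arbitrary origin, which is the precondition the transparent-iframe technique above depends on. The header sets in SAMPLES are constructed for illustration, not captured from a real site.

```python
"""Classify HTTP response headers by clickjacking (framing) protection."""
from typing import Dict, List, Tuple


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def frame_ancestors(csp: str) -> List[str]:
    """Return the frame-ancestors source list from a CSP value, [] if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason). protected is True only when framing by an
    arbitrary origin is refused. When both headers are present, browsers honour
    CSP frame-ancestors and ignore X-Frame-Options, so CSP is checked first."""
    sources = frame_ancestors(_header(headers, "Content-Security-Policy"))
    if sources:
        if "*" in sources or "http:" in sources or "https:" in sources:
            return False, "CSP frame-ancestors allows any origin"
        return True, "CSP frame-ancestors restricts framing to: " + " ".join(sources)
    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, f"Unrecognised X-Frame-Options value: {xfo}"
    return False, "No framing restriction: page can be embedded in a transparent iframe"


# Constructed sample header sets (hypothetical, not from any real site).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_wildcard": {"content-security-policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_protection(hdrs)}")
```

The "csp_wildcard" sample shows the precedence trap: an X-Frame-Options: DENY alongside a permissive frame-ancestors gives no protection, because the CSP directive wins.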

Cons

  • Can lead to unintentional financial transactions or unauthorized purchases.
  • May expose sensitive information like credentials or personal data to attackers.
  • Allows attackers to enable device permissions (e.g., webcam) without user consent.
  • Easy to execute with basic HTML/CSS and iframe manipulation.

Use Cases

  • Cybercriminals trick a user into liking or sharing content on social platforms (likejacking).
  • Attackers overlay payment buttons to initiate unauthorized transactions.
  • Malicious pages lure users into unknowingly granting access to their webcams or microphones.
  • Deceptive links cause installation of malware or redirection to harmful sites.
  • Security assessments simulate clickjacking to test UI defenses in web applications.