Clickjacking Attack
Clickjacking (also known as UI redressing) is an attack that tricks users into clicking on something different from what they perceive. By overlaying a transparent iframe of a legitimate site over a malicious page, the attacker captures clicks intended for visible elements but actually directed at hidden controls — enabling unauthorized actions like changing account settings, liking content, enabling a webcam, or approving financial transactions.
How a Clickjacking Attack Works
Clickjacking exploits the browser's ability to layer content using iframes and CSS. The attacker creates a page with an invisible iframe of the target site positioned so that the victim's clicks interact with the hidden site's buttons and links instead of the visible page elements.
Create a decoy page
The attacker builds an enticing webpage with a visible call-to-action — such as a 'Click to claim your prize' button, a game, or a video play button — designed to lure the victim into clicking a specific area.
Embed the target site in a hidden iframe
The legitimate target site (e.g., bank account settings, social media actions) is loaded in an iframe positioned over the decoy page with CSS opacity: 0 or opacity: 0.0001, making it completely invisible.
Align the hidden action with the visible bait
Using CSS positioning (top, left, z-index), the attacker precisely aligns a critical action button on the hidden site (e.g., 'Confirm transfer', 'Delete account') with the visible bait button on the decoy page.
Victim clicks the hidden element
When the victim clicks the visible button, they actually click the hidden iframe's action button. Since they're authenticated on the target site, the action executes with their credentials. The victim sees nothing unusual.
Real-World Examples
Facebook 'Likejacking' attacks
Attackers used clickjacking to trick Facebook users into 'Liking' pages without their knowledge. The attack spread virally as each 'Like' appeared on the victim's friends' feeds, driving traffic to scam sites. It affected millions of users.
Adobe Flash webcam hijacking
Researchers demonstrated a clickjacking attack on Adobe Flash's settings manager that could enable a user's webcam and microphone without their knowledge, by tricking them into clicking through hidden Flash permission dialogs.
Twitter worm via clickjacking
A clickjacking worm spread through Twitter by tricking users into clicking a hidden 'Tweet' button. Each victim unknowingly posted a link that propagated the attack further, creating a self-spreading chain.
Impact & Risk Assessment
Clickjacking can force users to perform any action they're authorized to do on the target site: changing passwords, making purchases, enabling device permissions, transferring funds, or deleting accounts. When combined with social engineering, clickjacking attacks achieve high success rates because users believe they're interacting with the visible (benign) content. Multi-click variants can walk users through entire workflows invisibly.
How to Detect a Clickjacking Attack
Test web applications for iframe embeddability: if a page that performs state-changing actions can be loaded in an iframe on a third-party domain, it is vulnerable. Inspect HTTP responses for an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, and treat their absence on sensitive pages as a finding. Use automated scanning tools to detect missing framing protections. Client-side frame-busting detection (comparing window.top with window.self) can identify at runtime whether your page is being framed.
How to Prevent a Clickjacking Attack
Set the X-Frame-Options header to DENY or SAMEORIGIN on all pages that perform sensitive actions. Implement Content-Security-Policy with frame-ancestors directive for granular control (e.g., frame-ancestors 'self'). Use the SameSite cookie attribute to prevent cookies from being sent when the page is framed cross-origin. Implement UI confirmation for sensitive actions (e.g., 're-enter password to confirm'). Deploy frame-busting JavaScript as a defense-in-depth measure, though HTTP headers are the primary protection.
Code Examples
<!-- Attacker's page with invisible iframe overlay -->
<style>
  iframe {
    position: absolute;
    top: 0; left: 0;
    width: 500px;
    height: 400px;
    opacity: 0.0001; /* Invisible but clickable */
    z-index: 10;     /* Stacked above the bait so the click lands in the frame */
  }
  .bait-button {
    position: absolute;
    top: 185px; left: 120px; /* Aligned with target's action button */
    padding: 20px 40px;
    font-size: 24px;
    cursor: pointer;
  }
</style>
<button class="bait-button">Click to win a prize!</button>
<iframe src="https://target-bank.com/settings/delete-account"></iframe>
# Nginx — prevent framing
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "frame-ancestors 'none'" always;
# Apache — prevent framing
Header always set X-Frame-Options "DENY"
Header always set Content-Security-Policy "frame-ancestors 'none'"
// Express.js — set anti-framing headers on every response
const express = require('express');
const app = express();

app.use((req, res, next) => {
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Content-Security-Policy', "frame-ancestors 'none'");
  next();
});
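The detection step above can be automated: the following is an added example (not code from the original page) that audits one response's headers for framing protection. It assumes a Node-style header object keyed by lower-cased header name, with arrays for repeated headers; the sample inputs are constructed.

```javascript
// Added example, not from the original page: audit one HTTP response's headers
// for anti-framing protection. `headers` is a plain object keyed by lower-cased
// header name (as Node's http.IncomingMessage exposes it); a value may be an
// array when the header is repeated. Sample inputs below are constructed.

function parseFrameAncestors(csp) {
  // CSP directives are ';'-separated; the first token names the directive.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'(.*)'$/, '$1').toLowerCase());
    }
  }
  return null; // CSP present, but no frame-ancestors directive
}

function assessFramingProtection(headers) {
  const values = (name) => [].concat(headers[name] ?? []);
  const findings = [];
  let cspProtects = false;
  let sawFrameAncestors = false;

  for (const csp of values('content-security-policy')) {
    const sources = parseFrameAncestors(csp);
    if (sources === null) {
      findings.push('CSP present but lacks frame-ancestors');
      continue;
    }
    sawFrameAncestors = true;
    // '*' or a bare scheme (e.g. https:) lets any site frame the page.
    const open = sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
    if (open) findings.push(`frame-ancestors is too permissive: ${sources.join(' ')}`);
    else cspProtects = true; // 'none', 'self' or an explicit allow-list
  }

  let xfoProtects = false;
  for (const xfo of values('x-frame-options')) {
    const v = xfo.trim().toLowerCase();
    if (v === 'deny' || v === 'sameorigin') xfoProtects = true;
    else findings.push(`X-Frame-Options "${xfo}" is not honoured by modern browsers`);
  }
  // Per CSP Level 3, a frame-ancestors directive takes precedence over X-Frame-Options.
  if (sawFrameAncestors && xfoProtects && !cspProtects) {
    findings.push('X-Frame-Options is ignored because frame-ancestors is present');
  }
  const protectedPage = cspProtects || (xfoProtects && !sawFrameAncestors);
  if (!protectedPage && findings.length === 0) findings.push('no anti-framing header at all');
  return { protected: protectedPage, findings };
}

// Constructed sample: a CSP that forgot frame-ancestors offers no framing protection.
console.log(assessFramingProtection({ 'content-security-policy': "default-src 'self'" }));
```

Feed it the headers of each sensitive page (for example from a crawler or a CI check) and fail the build on `protected: false`.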