Clickjacking: An Easy Guide In 4 Points


Computers and Smartphones are very much part of our daily lives. From the alarms and alerts to daily shopping, smartphones are extensively used by the common man. This also has opened wide opportunities for cybercriminals. Cyber fraud has increased with every passing day. The criminals take advantage of the vulnerabilities existing in technology.

The invisible criminals lay the traps which will not be visible to the common man. The instance of fraud happens in a matter of a few seconds. Cybercriminals use the keystrokes and the frames of the instances opened by the common man to commit a crime. Clickjacking is the cybercrime committed when the common man clicks on a button, image, or a URL displayed on the website page.

  1. What is Clickjacking?
  2. Types of Clickjacking attacks
  3. Prevention
  4. Example

1. What is Clickjacking?

Let’s see how attackers are using the clickjacking definition to lay a trap for the user. When the user opens a webpage, a trap is laid out to the user in such a way that the user clicks on the button or URL unintentionally. The clickjacking meaning is taken from the word ‘click hijacking.’ Criminals use the clickjacking vulnerability to exploit the webpage.

The criminals lay out a transparent page over a trustworthy page of the website. When the user clicks on the visible button on the transparent page, the action triggers malicious action as set by cybercriminals. The action could be to increase the likes to a particular post or follow a particular social media page. Now we know how to define clickjacking, let’s take a look at the types of clickjacking attacks.

2. Types of Clickjacking attacks

Clickjacking is one type of cyberattack. It is a broad term that includes several techniques used to conduct cyber fraud. As it is conducted on the user interface displayed to the user, it is also termed as ‘UI redress attacks.’ Clickjacking is conducted in various ways as explained below.

A) By complete transparent display

In this clickjacking attack, a completely transparent trustworthy page is placed on the malicious content page. The malicious page is loaded on to an invisible frame and neatly positioned above the trustworthy web page. The user will be seeing the details displayed on the trustworthy page but the buttons visible for clicking are from the malicious page. When the user clicks on the buttons of the malicious page, the attacker succeeds in attacking. For example, using this technique in Adobe Flash plug-in settings the attackers tricked the users to give access to the PC’s camera and microphone.

B) By cropping

In this clickjacking attack, the attacker selects certain controls on a visible web page to trigger cyber fraud. During this attack, certain buttons are masked by invisible hyperlinks. A click of these buttons will trigger an action set by the cybercriminal. This action will be different from what the user would have expected. The clickjacking code is written by cybercriminals to trigger the actions.

C) Hidden Overlay

This was the very first clickjacking attack technique that caught the attention of cybersecurity. The cybercriminal creates a 1X1-pixel iframe and places it right below the cursor. The pixel iframe consists of malicious content and it escapes the eye of the user as it is hidden below the cursor. A clickjacking script is written to create the pixel iframe and for the display of the malicious content. A click on the cursor will lead to a malicious content page.

D) Click event dropping

The trustworthy webpage is visible in the foreground, and the malicious page is in the background. The CSS pointer-events property is used by the cybercriminal to take control over the clicks on the page. The CSS pointer-events property is set to none on the trustworthy webpage. Whenever there is a click event action by the user, the click events get transferred to the malicious page in the background.

3. Prevention

Clickjacking uses frames to target web pages. Clickjacking prevention can be done by not allowing criminals to frame on trustworthy web pages. The security approach is to set the HTTP security headers to mention the framing policy. Below are a few ways on how to prevent clickjacking?

A) Frame breaking or Frame busting

Initially, website developers had to design special frame code to ensure their pages are not framed by attackers. This was a simple technique of checking if the displayed page is the top page or not. If it is not, then it was set to the top page before continuing further. This option was easily bypassed by cybercriminals. Now modern elaborate modern solutions are designed for a cybersecurity purpose.

B) X-Frame Options

XFO has provided one of the best solutions used today to prevent clickjacking. XFO header is used to mention whether the web page can be embedded or fixed in HTML elements. The XFO header provides three options. 

  1. Block attempts to frame.
  2. Allow frames from pages from the same source.
  3. Allow frames from pages from mentioned sources.

The XFO HTTP response header for server response was included in Internet Explorer 8 by Microsoft. 

Several browsers including Safari and Chrome browsers do not support the option to allow webpages from sources.

C) Content-Security-Policy (CSP)

The webpage can decide which sources to embed with CSP property. The web developer can mention as many sources as required. The list can include host IP addresses. This provides flexibility to define sources during complex deployments. For basic protection, a web page has the option to use allow frames. They can set permission to allow frames from the same origin and to deny if they are not from the same origin. 

4. Example

Facebook experienced clickjacking. It is a clickjacking example of how attackers used a trick to get their message viral. The clickjacking attack was to ensure that the message was shared on the walls of the users who clicked on the malicious link. The process of clickjacking is as explained below. A user clicked on a suspicious post on his friend’s Facebook wall. On clicking the message, it led to a comic’s website. There was a message to confirm the age of the visitor. On confirmation, the user was redirected to the comic’s website. Now the post was published on the user’s Facebook wall as well.

On checking further, researchers found out that the XFO header was set appropriately on the page. The XFO header was aptly implemented on all major browsers. On investigating further, the flaw was found while accessing the webpage from android smartphones. The XFO header was not set while accessing from android smartphones.


With the advance of technology, Organizations and businesses are increasing their online presence. Smartphone-friendly users are using online apps to shop and pay daily. The security of the web pages is critical whichever mode users use to access applications. Clickjacking prevention is of prime importance to the organizations to gain customer confidence. The organizations are spending heavily on cybersecurity to ensure clickjack protection on their websites and applications. Clickjacking is not just about deceiving the user with a frame. It is exploiting user’s faith in the webpage. 

So, have you made up your mind to make a career in Cyber Security? Visit our Master Certificate in Cyber Security (Red Team) for further help. It is the first program in offensive technologies in India and allows learners to practice in a real-time simulated ecosystem, that will give you an edge in this competitive world.

Also Read

Related Articles

Please wait while your application is being created.
Request Callback