Summary
Clickjacking is a cyberattack technique that tricks users into clicking on something different from what they perceive—often leading to unwanted actions like authorizing a transaction or changing settings. It matters because it can compromise user accounts, expose sensitive information, and bypass key security controls on your website.

What Is Clickjacking?
Clickjacking, also known as a “UI redress attack,” is a malicious technique where attackers trick users into clicking on something that appears harmless but actually performs a different action. By invisibly embedding a legitimate webpage element within a transparent frame, attackers manipulate a user’s clicks to hijack actions—without the user’s knowledge or consent.
How It Works
- Framing a Legitimate Site: The attacker creates a malicious webpage that loads a legitimate page (like a banking login or Facebook “Like” button) inside an invisible iframe.
- Visual Trickery: The attacker places fake buttons, links, or images on top of the invisible iframe, aligning them with real interactive elements.
- User Interaction: When users click on what they think is a harmless button (like ones saying “Play Video” or “Claim Reward”), they are actually clicking on the hidden content—potentially transferring money, changing security settings, or giving permissions.
Clickjacking works by invisibly layering legitimate content, such as login forms or buttons, beneath fake UI elements, so that users unintentionally perform sensitive actions such as authorizing transactions, changing settings, or sharing credentials without realizing it. It typically relies on iframe-based overlays, visual misdirection, and missing or poorly implemented security headers such as X-Frame-Options or Content-Security-Policy.
Who’s at Risk
- Social media platforms: Users might unknowingly “like” or “share” malicious content.
- Online banking portals: Clicks could initiate unauthorized transactions.
- E-commerce sites: Users could unknowingly purchase or subscribe to products.
- Enterprise applications: Admins might unknowingly change critical security settings.
- Any site lacking proper client-side security headers or script control.
Real-World Examples
- Facebook “Like” Fraud: Attackers embedded Like buttons inside transparent frames to artificially inflate likes for certain content.
- Crypto Wallet Drainers: Users clicked fake “Connect Wallet” buttons that approved real blockchain transactions in the background.
- Browser Game Lures: Gaming sites embedded hidden actions like file downloads or permission grants behind flashy “Play Now” buttons.
How to Detect or Prevent It
Prevention Techniques:
- Use the X-Frame-Options header: Prevents your content from being embedded in iframes on other domains.
- Set the Content-Security-Policy (CSP) frame-ancestors directive: A more flexible alternative that controls exactly which origins may embed your content.
- Implement client-side script monitoring: Catch unauthorized frame injection or DOM manipulation in real time.
- Educate users: Warn against clicking unknown links or pop-ups, especially from suspicious websites.
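The two headers above are only effective when their values actually deny the embedder, so a practical check is to evaluate a page's response headers the way a browser would. The following is an added example, not Feroot's code or part of the original page: it parses X-Frame-Options and the CSP frame-ancestors directive, applies the rule that frame-ancestors takes precedence when both are present, and runs the check over constructed sample header sets (a weak configuration, a legacy one, and a hardened one). The origins bank.example, partner.example and evil.example are placeholders.

```python
"""Decide whether a page's response headers let a given origin frame it.

Added example (not Feroot's code). Header names and directive semantics are
those of X-Frame-Options and CSP frame-ancestors; sample header sets and origins
are constructed for illustration.
"""
from urllib.parse import urlsplit


def _origin_parts(origin: str):
    """Split 'https://app.example.com:8443' into (scheme, host, port-or-None)."""
    u = urlsplit(origin)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port


def _source_matches(source: str, embedder: str) -> bool:
    """Match one frame-ancestors source expression against an embedder origin."""
    src = source.lower()
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if src == "*":
        return True
    if src.endswith(":"):                    # scheme-only source, e.g. "https:"
        return src[:-1] == e_scheme
    if "//" not in src:                      # bare host source, e.g. "*.example.com"
        src = "//" + src
    s_scheme, s_host, s_port = _origin_parts(src)
    if s_scheme and s_scheme != e_scheme:
        return False
    if s_port is not None and s_port != e_port:
        return False
    if s_host.startswith("*."):              # wildcard covers subdomains only
        return e_host.endswith(s_host[1:]) and e_host != s_host[2:]
    return s_host == e_host


def framing_allowed(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """Return True if a browser would let embedder_origin place this page in a frame."""
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = embedder_origin.lower() == page_origin.lower()

    # CSP frame-ancestors, when present, overrides X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]
            if not sources or [s.lower() for s in sources] == ["'none'"]:
                return False
            for s in sources:
                if s.lower() == "'self'" and same_origin:
                    return True
                if not s.startswith("'") and _source_matches(s, embedder_origin):
                    return True
            return False

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    # Missing, misspelled or unsupported (ALLOW-FROM) value: browsers frame freely.
    return True


# Constructed sample responses: a weak configuration beside a hardened one.
WEAK_HEADERS = {"Content-Type": "text/html"}            # nothing restricts framing
LEGACY_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}       # blocks cross-origin framing
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",                            # fallback for browsers without CSP
    "Content-Security-Policy":
        "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
}


def audit(headers: dict, page_origin: str = "https://bank.example") -> dict:
    """Report which representative embedders could frame the page."""
    embedders = ["https://bank.example",
                 "https://widgets.partner.example",
                 "https://evil.example"]
    return {e: framing_allowed(headers, page_origin, e) for e in embedders}


if __name__ == "__main__":
    for name, hdrs in [("weak", WEAK_HEADERS),
                       ("legacy", LEGACY_HEADERS),
                       ("hardened", HARDENED_HEADERS)]:
        print(f"{name:9s} {audit(hdrs)}")
```

Feed `framing_allowed` the headers captured from a real response (for example from the browser's network panel) to see whether any third-party origin could still frame the page; a result of `True` for an origin you do not control is the condition the prevention list above is meant to rule out.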
Detection Techniques:
- Monitor for iframe injection or unauthorized script behavior.
- Use visual integrity tools to detect overlapping or hidden elements.
How Feroot Helps
Feroot protects web applications against clickjacking and other client-side attacks by continuously monitoring DOM changes and script behavior in real time. With Feroot, security teams can detect and block unauthorized frames, shadow DOMs, or injected scripts that facilitate clickjacking—without relying solely on security headers.
FAQ
What’s the difference between clickjacking and phishing?
Clickjacking hijacks physical clicks via UI deception, while phishing tricks users into entering sensitive information via spoofed emails or sites.
Can clickjacking affect mobile users?
Yes. Mobile users are particularly vulnerable due to smaller screen sizes and less visible indicators of iframe overlays.
Is clickjacking still a threat in 2025?
Absolutely. As websites rely more on JavaScript and embedded content, attackers continue to exploit these mechanisms in new ways.
How do I know if my site is vulnerable?
Use tools like browser developer consoles or Feroot’s client-side monitoring to check if your site can be loaded in iframes or manipulated by third-party scripts.