What is Clickjacking | Attack Example | Testing | Mitigation

What is a Clickjacking Attack?

Clickjacking is an attack that tricks a user into clicking a webpage element that is invisible or disguised as a different element. This can cause users to unwittingly download malware, visit malicious web pages, provide sensitive information, transfer money, or purchase products online.

Typically, a clickjacking attack is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. The user believes they are clicking the visible page, but in reality they are clicking an invisible element in the additional page transposed on top of it.

The invisible page in the iframe can be a malicious page, or a legitimate page the user did not intend to visit – for example, a page on the user’s banking site that authorizes the transfer of money.

There are several variations of the clickjacking attack, such as:

  • Likejacking – A clickjacking technique in which the Facebook “Like” button, or any other Like button, is manipulated by an attacker, causing users to “like” a page they did not intend to like.
  • Cursorjacking – A UI redressing technique that changes the cursor, on mouse hover, from the position the user perceives to a different position. It relied on security vulnerabilities in Flash and the Firefox browser, which have now been fixed.

Clickjacking Attack Example

  1. The hacker creates an attractive page that promises to give the user a free trip or other benefits.
  2. In the background, the hacker checks whether the user is logged into their banking site and, if so, loads the screen that enables the transfer of funds, using query parameters to insert the attacker’s bank details into the form on the banking page that authorizes the transfer of money.
  3. The bank transfer page is displayed in an invisible iframe above the free gift offer page, with the “Confirm Transfer” button aligned by the attacker over the “Receive Gift” button that is visible to the user. The user is unaware of this.
  4. The user visits the page and clicks the “Book My Free Trip” button.
  5. In reality, the user is clicking on the invisible iframe and has clicked the “Confirm Transfer” button. Funds are transferred to the attacker.
  6. The user is taken to a page with information about the free gift (not knowing what happened in the background).

This example illustrates that, in a clickjacking attack, the malicious action (on the bank website, in this case) cannot be traced back to the hacker, because the user performed it while legitimately signed in to their own account.

Clickjacking Mitigation

There are two common ways to defend against clickjacking:

Client-side methods – the most common is called Frame Busting. Client-side methods can be effective in some cases, but they are not considered a best practice, because they can be easily bypassed.

Server-side methods – the most common is X-Frame-Options. Server-side methods are recommended by software security testing experts as a more effective way to defend against clickjacking attacks.

Mitigating Clickjacking with X-Frame-Options Response Header

The X-Frame-Options response header is passed as part of the HTTP response of a web page, indicating whether or not a browser should be allowed to render the page inside a <FRAME> or <IFRAME> tag.

Three values are allowed for the X-Frame-Options header:

  • DENY – Does not allow any domain to display this page within a frame.
  • SAMEORIGIN – Allows the current page to be displayed in a frame on another page, but only within the current domain.
  • ALLOW-FROM URI – Allows the current page to be displayed in a frame, but only in a specified URI.

Using the SAMEORIGIN Option to Defend Against Clickjacking Attack

X-Frame-Options allows content publishers to prevent their own content from being used in an invisible frame by hackers for clickjacking.

The DENY option is the most secure and prevents any use of the current page in a frame. More commonly, SAMEORIGIN is used, as it does enable the use of iframes, but limits them to the current domain.

Limitations of X-Frame-Options

  • To enable the SAMEORIGIN option across a website, the X-Frame-Options header needs to be returned as part of the HTTP response for each individual page (it cannot be applied cross-site).
  • X-Frame-Options does not support a whitelist of allowed domains, so it doesn’t work with multi-domain websites that need to display framed content between them.
  • Only one option can be used on a single page, so, for example, it is not possible for the same page to be displayed as a frame both on the current website and an external website.
  • The ALLOW-FROM option is not supported by all web browsers.
  • X-Frame-Options is a deprecated option in most browsers.
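
One way to return the framing headers on every response, as the first limitation above requires (an added example, not code from the original page, OWASP or Imperva). It goes beyond the page by also sending the Content-Security-Policy frame-ancestors directive, which accepts the list of allowed origins that X-Frame-Options lacks; the path prefixes and the partner.example origin are hypothetical.

```javascript
// Added example (Node.js, no dependencies): choose framing headers per path.
// Hypothetical policy table: path prefix -> origins allowed to frame it.
// [] = nobody, ['self'] = same origin only, otherwise an explicit list.
const FRAME_POLICY = [
  { prefix: '/transfer', allow: [] },
  { prefix: '/widget', allow: ['self', 'https://partner.example'] },
];
const DEFAULT_ALLOW = ['self'];

function framingHeaders(pathname) {
  const rule = FRAME_POLICY.find(
    (r) => pathname === r.prefix || pathname.startsWith(r.prefix + '/'));
  const allow = rule ? rule.allow : DEFAULT_ALLOW;
  if (allow.length === 0) {
    return { 'X-Frame-Options': 'DENY',
             'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (allow.length === 1 && allow[0] === 'self') {
    return { 'X-Frame-Options': 'SAMEORIGIN',
             'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  // X-Frame-Options cannot express a list of origins, so only CSP is sent.
  const sources = allow.map((o) => (o === 'self' ? "'self'" : o));
  return { 'Content-Security-Policy': 'frame-ancestors ' + sources.join(' ') };
}

// Wrap a Node http request handler so the headers are set before the handler
// runs, on every response it produces (error pages included).
// If the application already sends a Content-Security-Policy, append the
// frame-ancestors directive to that policy instead of replacing the header.
function withFrameProtection(handler) {
  return (req, res) => {
    // Collapse leading slashes so "//transfer" is not parsed as a host name.
    const target = req.url.replace(/^\/+/, '/');
    const { pathname } = new URL(target, 'http://localhost');
    for (const [name, value] of Object.entries(framingHeaders(pathname))) {
      res.setHeader(name, value);
    }
    return handler(req, res);
  };
}
// Usage: require('http').createServer(withFrameProtection(app)).listen(8080);
```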

Clickjacking test – Is Your Site Vulnerable?

A basic way to test if your website is vulnerable to clickjacking is to create an HTML page and attempt to include a sensitive page from your website in an iframe. It is important to run the test code on a different web server, because this is the typical behavior in a clickjacking attack.

Use the following code, provided as part of the OWASP Testing Guide:

<html>
<head><title>Clickjack test page</title></head>
<body>
<p>Website is vulnerable to clickjacking!</p>
<iframe src="http://www.yoursite.com/sensitive-page" width="500" height="500"></iframe>
</body>
</html>

Open the HTML page in a browser and evaluate the result as follows:

  • If the text “Website is vulnerable to clickjacking” appears and below it you see the content of your sensitive page, the page is vulnerable to clickjacking.
  • If only the text “Website is vulnerable to clickjacking” appears and you do not see the content of your sensitive page, the page is not vulnerable to the simplest form of clickjacking.

However, additional testing is required to see which anti-clickjacking methods are used on the page, and whether they can be bypassed by attackers.
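
A header check that complements the iframe test by reporting which server-side method a response uses (an added example, not part of the OWASP code or the original page). It goes beyond the page by also reading Content-Security-Policy frame-ancestors; the sample headers are constructed and partner.example is a placeholder.

```javascript
// Added example: does a response carry a reliable anti-framing header?
// `headers` is an array of [name, value] pairs so repeated headers are kept.
function auditFraming(headers) {
  const list = (name) => headers
    .filter(([n]) => n.toLowerCase() === name)
    .flatMap(([, v]) => v.split(','))
    .map((v) => v.trim())
    .filter(Boolean);

  // Beyond the page: CSP frame-ancestors. Browsers that support it apply it
  // instead of X-Frame-Options, so it is evaluated first.
  const ancestors = list('content-security-policy')
    .flatMap((policy) => policy.split(';'))
    .map((d) => d.trim().split(/\s+/))
    .filter(([name]) => name.toLowerCase() === 'frame-ancestors')
    .map(([, ...sources]) => sources);
  if (ancestors.length > 0) {
    const open = ancestors.every((s) => s.some((x) => /^(\*|https?:)$/i.test(x)));
    return { reliable: !open, finding: 'CSP frame-ancestors ' +
             (open ? 'allows any origin' : 'restricts framing') };
  }

  const xfo = [...new Set(list('x-frame-options').map((v) => v.toUpperCase()))];
  if (xfo.length === 0) return { reliable: false, finding: 'no X-Frame-Options header' };
  if (xfo.length > 1) {
    return { reliable: false, finding: 'conflicting values: ' + xfo.join(', ') };
  }
  if (xfo[0] === 'DENY' || xfo[0] === 'SAMEORIGIN') {
    return { reliable: true, finding: 'X-Frame-Options: ' + xfo[0] };
  }
  if (xfo[0].startsWith('ALLOW-FROM')) {
    return { reliable: false, finding: 'ALLOW-FROM is not supported by all browsers' };
  }
  return { reliable: false, finding: 'unrecognised value: ' + xfo[0] };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  bare: [['Content-Type', 'text/html']],
  sameorigin: [['X-Frame-Options', 'sameorigin']],
  allowFrom: [['X-Frame-Options', 'ALLOW-FROM https://partner.example']],
  conflicting: [['X-Frame-Options', 'DENY'], ['X-Frame-Options', 'SAMEORIGIN']],
  cspOnly: [['Content-Security-Policy', "default-src 'self'; frame-ancestors 'self'"]],
  cspOpen: [['X-Frame-Options', 'DENY'], ['Content-Security-Policy', 'frame-ancestors *']],
};
const auditSamples = () => Object.fromEntries(
  Object.entries(SAMPLES).map(([name, h]) => [name, auditFraming(h)]));
```

With Node 18 or later, `auditFraming([...(await fetch(url)).headers])` runs the same check against a live response from a site you are responsible for.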

How Imperva Helps Mitigate Clickjacking Attack

To get to the point of clickjacking a site, the site will have to be compromised, which a WAF (Web Application Firewall) prevents. You also need to make sure that your website resources are sending the proper X-Frame-Options HTTP headers, which would prevent some parts of your site from being framed on other pages or outside your domain.
