What is Clickjacking | Clickjacking Attack & Mitigation | Devstringx

Back to Blog
What is Clickjacking

What is Clickjacking | Clickjacking Attack & Mitigation | Devstringx

What is a Clickjacking Attack?

Clickjacking is a security testing type attack that finds tricks to trick a user into clicking a webpage element that is not visible or disguised as a different element. This can cause users to unwittingly download any malware, can go to visit malicious web pages, provide sensitive information, transfer money, or purchase products online.

  • Likejacking — A clickjacking technique in which the Facebook “Like” button or anywhere Like buttons can be manipulated by an attacker causing users to “like” a page they actually did not intend to like.
  • Cursorjacking — A UI redressing clickjacking technique that changes the cursor on mouse hover for the position the user perceives as different positions. It relies on security vulnerabilities in Flash and the Firefox browser, which have now been fixed.

Clickjacking Attack Example

  1. The hacker creates an attractive page that promises to give the user a free trip or other benefits.
  2. In the background the hacker verifies if the user is logged into his banking site and if so, loads the screen that enables the transfer of funds, using query parameters to insert the attacker’s bank details into the form on the user’s banking web page that authorize the transfer of money.
  3. The bank transfer page is shown as an invisible iframe above the free gift offer page, with the “Confirm Transfer” button aligned over the “Receive Gift” button visible to the user set by the attacker and user unknown about this.
  4. The user mostly visits the websites and generally clicks on the “Book My Free Trip” button.
  5. In the real situation, the user is clicking on the invisible iframe and has clicked the “Confirmed Transfer” button. Funds are transferred to the attacker.
  6. The user moves forward to a page where information shows about the free gift (not knowing what happened in the background).Clickjacking Attack example on Victim

Clickjacking Mitigation

There are two common ways to defend against clickjacking:

Read Also:- What Is a CSRF Attack and How to Prevent It

Mitigating Clickjacking with X-Frame-Options Response Header

The X-Frame-Options in the clickjacking response header are passed as part of the HTTP response of any website, indicating whether or not a browser should be allowed to render a page inside a <FRAME> or <IFRAME> tag.

  • SAMEORIGIN — This allows the current web page to be shown in a frame on any other web page but only within the current domain.
  • ALLOW-FROM URI — This allows the current page to be shown in a frame, but only in a specified URI.
Using the SAMEORIGIN Option to Defend Against Clickjacking Attack

X-Frame-Options allows content publishers to prevent their self-content from being used in an invisible X frame by hackers for clickjacking.

  • To enable the SAMEORIGIN option on any web page, the X-Frame-Options header needs to be returned as part of the HTTP response for each particular page (cannot be applied cross-site).
  • X-Frame-Options does not support a whitelist to allowed domains. So if it doesn’t work with multi-domain websites that need to display framed content between them.
  • There is a limitation and Only one option can be used on a single page so, for example, it is not possible for the same page to be displayed as a frame both on the latest website and an external website.
  • The ALLOW-FROM option is not supported by all web browsers.
  • X-Frame-Options is a deprecated option in most browsers.

Clickjacking Test – Is Your Site Vulnerable?

A very basic and common way to test if your website is vulnerable to clickjacking attacks is to create an HTML page. Then attempt to include a sensitive page from your website in an iframe. It is important to run the test code on any other web server. It’s important because this is the typical behavior in a clickjacking attack.



<title>Clickjack test page</title>



<p>Website is vulnerable to clickjacking!</p>

<iframe src=”http://www.yoursite.com/sensitive-page" width=”500″ height=”500″></iframe>


  • If only the text “Website is vulnerable to clickjacking” appears on any web page. You do not see the content of your sensitive page. The page is not vulnerable to the simplest form of clickjacking.

Read Also:- how to use brute force attack?

How Imperva Helps Mitigate Clickjacking Attack?

To find the point of clickjacking a site, the site will have to be compromised by WAF (Web Application Firewall) prevents. You need to make sure that your website resources are sent to the proper X-Frame-Options HTTP headers. Which would prevent some parts of your site from being framed on other pages or outside your domain.

Share this post

Back to Blog

Hire A Resource