Clickjacking (UI Redressing)
Clickjacking occurs when an attacker uses transparent or opaque layers (iframes) to trick a user into clicking on a button or link on another page when they intended to click on the top level page.
Attack Simulation
Hidden Overlay Demo (interactive element on the original page; a slider reveals the hidden iframe). The lure page reads "Win a PS5! Click below to claim instantly!" above a CLAIM PRIZE button. Directly underneath, in an invisible iframe, sits account.settings.com's "Delete Account? This action cannot be undone." confirmation button, so clicking CLAIM PRIZE delivers the click to the Delete Account button instead.
The Concept
- The Lure: The attacker creates a page with an attractive button ("Win $500", "Play Video") to entice a click.
- The Trap: They load a target website (e.g., banking settings, Facebook 'Like') in an invisible `iframe` positioned directly under the user's cursor.
- The Hijack: When the user clicks, the browser registers the click on the invisible iframe, performing the action on the target site.
Prevention & Defense
X-Frame-Options Header: Servers can send `X-Frame-Options: DENY` or `SAMEORIGIN` to tell browsers "Do not allow my site to be loaded inside an iframe" (or only from the same origin).
Content Security Policy (CSP): The `frame-ancestors` directive allows finer control over which origins are allowed to embed the site, and browsers that support it give it precedence over `X-Frame-Options`.
SameSite Cookies: With `SameSite=Lax` or `Strict`, the browser withholds the session cookie when the site is framed cross-site, so the iframe loads logged out and the hijacked click has no authenticated effect, effectively breaking the attack.
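The following is an added example, not code from the original page, that models the defenses above from the defender's side: the headers a server should emit, the decision a browser makes from those headers when a page is framed, and whether a SameSite cookie would reach the framed request. The origins (account.settings.com, win-a-ps5.example, app.partner.example) are constructed for the demo; the function names and the simplifications noted in the comments (single ancestor, ports ignored, Lax assumed as the default SameSite value) are assumptions of this example, not browser-vendor specifications.

```javascript
// Headers a server sends to refuse framing. `allowedAncestors` is an assumed
// parameter: CSP source expressions (e.g. "'self'", "https://app.partner.example")
// permitted to embed the page; empty forbids framing entirely. X-Frame-Options
// cannot express third-party allow-lists, so it carries DENY or SAMEORIGIN as a
// fallback for browsers that lack frame-ancestors support.
function antiClickjackHeaders(allowedAncestors = []) {
  const noFraming = allowedAncestors.length === 0;
  return {
    'X-Frame-Options': noFraming ? 'DENY' : 'SAMEORIGIN',
    'Content-Security-Policy':
      `frame-ancestors ${noFraming ? "'none'" : allowedAncestors.join(' ')}`,
  };
}

// Extract the frame-ancestors source list from a CSP header value, or null if
// the directive is absent (other directives are ignored here).
function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Match one CSP source expression against the embedding origin. Supports
// 'none', 'self', '*', scheme-only sources ("https:") and host sources with an
// optional scheme and leading wildcard label. Ports are ignored (simplification).
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === '*') return true;
  const anc = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return anc.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*:)\/\/)?(\*\.)?([^:/*]+)(?::\d+)?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  const wantScheme = scheme || new URL(pageOrigin).protocol;
  if (anc.protocol !== wantScheme) return false;
  return wildcard ? anc.hostname.endsWith('.' + host) : anc.hostname === host;
}

// Decide whether a document served with `headers` may be embedded by a page at
// `ancestorOrigin`. Mirrors browser precedence: a frame-ancestors directive,
// when present, wins over X-Frame-Options. Models a single ancestor only; real
// browsers check every frame in the ancestor chain.
function framingAllowed(headers, ancestorOrigin, pageOrigin) {
  const get = (name) =>
    (Object.entries(headers).find(([k]) => k.toLowerCase() === name) || [])[1];
  const sources = frameAncestorsSources(get('content-security-policy'));
  if (sources) return sources.some((s) => sourceMatches(s, ancestorOrigin, pageOrigin));
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  return true; // no framing protection at all: any site may embed the page
}

// Whether the session cookie accompanies the framed request. The trap only
// works if the framed page loads logged in; Lax or Strict withholds the cookie
// on cross-site embedding. A missing attribute is treated as Lax (assumption).
function cookieSentToFrame(sameSite, ancestorSite, pageSite) {
  if (ancestorSite === pageSite) return true;
  return (sameSite || 'Lax').toLowerCase() === 'none';
}

// Constructed scenarios mirroring the demo above.
const PAGE = 'https://account.settings.com';
const LURE = 'https://win-a-ps5.example';
const scenarios = [
  ['no headers', {}],
  ['DENY', antiClickjackHeaders()],
  ['self + partner', antiClickjackHeaders(["'self'", 'https://*.partner.example'])],
];
for (const [label, headers] of scenarios) {
  console.log(label, 'framed by lure:', framingAllowed(headers, LURE, PAGE),
    'framed by partner:', framingAllowed(headers, 'https://app.partner.example', PAGE));
}
console.log('Lax cookie reaches cross-site frame:',
  cookieSentToFrame('Lax', 'win-a-ps5.example', 'settings.com'));
```

Run with `node` to print the three scenarios. A useful audit is to call `framingAllowed` with an unrelated origin against the headers your own endpoints return: a `true` result means the page relies on nothing but the cookie policy to resist the overlay shown in the demo.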