Nexix Security Labs

Clickjacking Attacks and How to Prevent Them


Clickjacking is a technique that deceives users into believing they are clicking on one thing while they are actually clicking on something else. The term "User Interface (UI) redressing" is a better description of what's going on. Users believe they are using the normal UI of a web page, but in reality a concealed UI is in charge; in other words, the UI has been redressed. The hidden UI performs a different action when users click something they believe is safe.

The attack is made possible by HTML frames (iframes), which allow web pages to be shown within other web pages. If a web page allows itself to be displayed within a frame, an attacker can cover the original page with a hidden, transparent layer that has its own JavaScript and UI elements. The attacker then dupes people into visiting the malicious page, which appears to be a legitimate website. Nothing visible indicates that the original site has a hidden UI placed on top of it. Users expect the original site to perform a specific action when they click a link or a button, but the attacker's script executes instead. The attacker's script can also perform the expected action, making it appear as though nothing went wrong.

Clickjacking isn't the attack's end goal; it's just a way to get people to think they're doing something safe while they're actually doing something dangerous. The real attack can be anything that can be done through web pages. This can include criminal behaviors such as installing malware or stealing credentials, as well as more benign activities like increasing click counts on unrelated sites, increasing ad revenue on sites, increasing Facebook likes or increasing YouTube video views.

Types of Clickjacking Attacks

The attack may take on several names depending on the nature of the operation. Take a look at the following variations:


  • Likejacking: It is a type of attack that captures user clicks and redirects them to "likes" on a Facebook page or other social media network.

  • Cookiejacking: In this situation, the user is persuaded to interact with a user interface element, such as drag and drop, and provide the attacker with cookies stored on their browser. As a result, the attacker may be able to operate on behalf of the user on the target website.

  • Filejacking: In this form of attack, the user gives the attacker access to their local file system and allows the attacker to grab files.

  • Cursorjacking: This technique moves the cursor from where the user sees it to a different location. As a result, the user believes they are performing one action while actually performing another.

  • Password manager attacks: These attacks try to trick password managers into letting the attacker use their auto-fill features.

Defenses against Clickjacking

There are no foolproof clickjacking defenses. However, there are steps you can take to lower your risk. Disabling JavaScript on the client side is effective, but because so many websites rely on it, turning it off makes many sites unusable. Some commercial products offer protection while trying not to interfere with legitimate use of iframes. This is useful within an organization because the products can be deployed to employee PCs, but it does little to protect customers who visit the company's websites.

What are X-Frame-Options?

The X-Frame-Options HTTP header is another option. It lets an application declare whether framing is banned outright, as indicated by the DENY value, or permitted in limited cases, as indicated by the SAMEORIGIN and ALLOW-FROM values. Most current browsers support this header, although some may not.

X-Frame-Options that could be used:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM

What is Content Security Policy (CSP)?

Content Security Policy (CSP) and its frame-ancestors directive are the final and more current option for clickjacking defense. Like X-Frame-Options, this directive lets the application developer ban all framing or designate where it is allowed. CSP isn't supported by all browsers, and browser plugins and add-ons may be able to get around it. If both the X-Frame-Options header and CSP frame-ancestors are present, browsers should favor the CSP directive, but not all will.

CSP frame-ancestors options include:

Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: frame-ancestors 'self'
Content-Security-Policy: frame-ancestors ''

Defense-in-depth is an excellent practice because none of these defenses are flawless, and there's nothing wrong with implementing all three on your website.
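
A quick way to check which of these headers a response really relies on, as an added example (not code from Nexix Security Labs). The function names and verdict labels are illustrative, the sample headers are constructed, and ALLOW-FROM is reported as unreliable because current browsers treat it as obsolete and ignore it.

```python
# Added example: classify the anti-framing policy a set of response headers declares.
RANK = ["unprotected", "allowlist", "sameorigin", "deny"]  # weakest to strictest

def _frame_ancestors(policy):
    """Source list of the first frame-ancestors directive in one policy, or None."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None  # default-src is not a fallback for frame-ancestors

def _classify(sources):
    if not sources or sources == ["'none'"]:
        return "deny"  # an empty source list matches no ancestor
    if any(s in ("*", "http:", "https:") for s in sources):
        return "unprotected"  # any site can frame the page
    return "sameorigin" if all(s == "'self'" for s in sources) else "allowlist"

def frame_policy(headers):
    """headers: list of (name, value) pairs. Returns (verdict, deciding_header)."""
    csp, xfo = [], []
    for name, value in headers:
        if name.lower() == "content-security-policy":  # Report-Only does not enforce
            csp += value.split(",")  # one header may carry several policies
        elif name.lower() == "x-frame-options":
            xfo.append(value.strip().upper())
    found = [_classify(s) for s in map(_frame_ancestors, csp) if s is not None]
    if found:
        # Every policy must allow the ancestor; reporting the strictest one is
        # an approximation of that intersection. X-Frame-Options is ignored here.
        return max(found, key=RANK.index), "content-security-policy"
    if len(xfo) == 1 and xfo[0] in ("DENY", "SAMEORIGIN"):
        return xfo[0].lower(), "x-frame-options"
    if xfo:
        return "unreliable", "x-frame-options"  # ALLOW-FROM, typos, conflicts
    return "unprotected", None

if __name__ == "__main__":
    samples = {  # constructed header sets, not captured traffic
        "xfo only": [("X-Frame-Options", "DENY")],
        "obsolete": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
        "both": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
                 ("X-Frame-Options", "DENY")],
        "no directive": [("Content-Security-Policy", "default-src 'self'")],
    }
    for label, hdrs in samples.items():
        print(f"{label:13} -> {frame_policy(hdrs)}")
```

A CSP that has no frame-ancestors directive, or one sent only as Content-Security-Policy-Report-Only, leaves the page frameable unless X-Frame-Options is also set.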
