Questions tagged [clickjacking]

Clickjacking is an attack where the attacker overlays their own UI over a web page, "hijacking" the clicks that the victim makes on the page.

Clickjacking, also called a "UI redress attack", is an attack where the attacker hijacks the clicks that a user makes.

The attacker loads their own page in a transparent layer over the actual page. The clicks that are meant for the actual page are then redirected: they are hijacked. Thus, a user can be genuinely authenticated on the actual page while the attacker intercepts the actions the user makes there and redirects them as he desires.

As a concrete example, it was possible to make people "like" something on Facebook without them knowing it using this attack. This was called "likejacking" (Facebook has since addressed the issue).

Sources and further reading:
OWASP page on Clickjacking
Wikipedia page on Clickjacking

54 questions
37 votes, 2 answers

Is Clickjacking a real security vulnerability?

As I understand it, this is how an attacker would exploit clickjacking: Create a new website malicioussite.com which includes my site in a frame, but overlays malicious input fields or buttons over the HTML elements of my site. Send out phishing…
Nathan
5 votes, 1 answer

How to "deliver" a clickjacking attack?

How can a hacker deliver a clickjacking attack? Does the hacker need to manipulate a "good.com" website and change its original code? Does the hacker create an "evil.com" website and just put a transparent layer with malicious code over the…
Bob
4 votes, 4 answers

how can this prove a clickjacking vulnerability?

How does just putting a site link in an iframe (and when opens in iframe) indicate that the site is vulnerable to a click jacking attack? I have also read that if the site is a forum base, then the vulnerability could be critical. Why? please…
user80851
4 votes, 1 answer

How to steal source code through clickjacking?

Is it possible to steal the source code through clickjacking, so that attacker can also steal the CSRF tokens? This is a demo attack website:

DRAG…

1 vote, 1 answer

If the site is not loaded in the frame, is the site vulnerable to click jacking.

Came across this question in SE How does this test prove my application is vulnerable to clickjacking attacks? I have a follow-up question and doubt, please help me to clear it. As per…
Rndp13
0 votes, 1 answer

Clickjacking vs. deceiving embedded within malicious anchor (URL)

I've learned about Clickjacking. If I got it right, it boils down to tricking user into heading to the [malicious] link, which he/she never intended to do, but was tricked into doing so, due to the deceiving visual appearance of the HTML element…