What is Clickjacking?

Clickjacking is an attack that tricks a user into clicking a webpage element that is invisible or disguised as another element. Users think they are clicking on a legitimate element, but in reality they are clicking on something potentially dangerous. Clickjacking is done by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

Clickjacking attack example

  1. The attacker creates an attractive page which promises to give the user a free trip to Tahiti.
  2. In the background the attacker checks if the user is logged into their banking site and, if so, loads the screen that enables transfer of funds, using query parameters to insert the attacker’s bank details into the form.
  3. The bank transfer page is displayed in an invisible iframe above the free gift page, with the “Confirm Transfer” button exactly aligned over the “Receive Gift” button visible to the user.
  4. The user visits the page and clicks the “Book My Free Trip” button.
  5. In reality the user is clicking on the invisible iframe, and has clicked the “Confirm Transfer” button. Funds are transferred to the attacker.
  6. The user is redirected to a page with information about the free gift (not knowing what happened in the background).
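The scenario above only works because the bank's transfer page can be loaded inside a frame on another origin. As an added example (not part of the original post), the following Node.js code takes a page's response headers and decides whether a browser would allow a given top-level origin to frame it, mirroring the precedence browsers apply: a Content-Security-Policy frame-ancestors directive wins, and X-Frame-Options is consulted only when that directive is absent. The origins bank.example and free-trip.example and the header sets are constructed for this example.

```javascript
// Added example for this post (not the author's code): from a page's response headers
// (lowercase names), decide whether a browser would let embedderOrigin frame it.

// Source list of the frame-ancestors directive, or null when the header lacks one.
// (frame-ancestors in a <meta> tag or a Report-Only header is ignored by browsers.)
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.replace(/^'(.*)'$/, "$1").toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source expression match the embedding origin? (URL objects)
function sourceMatches(source, page, embedder) {
  if (source === "none") return false;
  if (source === "self") return page.origin === embedder.origin;
  if (source === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return embedder.protocol === source; // scheme-source
  const [scheme, host] = source.includes("://")
    ? source.split("://")
    : [page.protocol.slice(0, -1), source]; // a bare host matches only the page's own scheme
  if (`${scheme}:` !== embedder.protocol) return false;
  if (host.startsWith("*.")) return embedder.hostname.endsWith(host.slice(1)); // wildcard label
  return host === embedder.host; // exact host, including any explicit non-default port
}

function canBeFramed(headers, pageOrigin, embedderOrigin) {
  const page = new URL(pageOrigin);
  const embedder = new URL(embedderOrigin);
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) return sources.some((s) => sourceMatches(s, page, embedder));
  // Fallback: X-Frame-Options. A missing header, the obsolete ALLOW-FROM, or any other
  // unrecognised value is ignored by current browsers, which means framing is allowed.
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return page.origin === embedder.origin;
  return true;
}

// Constructed headers for the bank's transfer page; both origins are made up for this example.
const BANK = "https://bank.example";
const ATTACKER = "https://free-trip.example";
const sameOriginOnly = { "x-frame-options": "SAMEORIGIN" };
const cspProtected = { "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.bank.example" };
console.log(canBeFramed({}, BANK, ATTACKER)); // true: no header, so the gift page can embed it
console.log(canBeFramed(cspProtected, BANK, ATTACKER)); // false: only the bank's own origins may frame it
```

Running the check against your own application's responses shows whether the transfer page in the scenario could be embedded by a third-party origin at all.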

Other resources: https://en.wikipedia.org/wiki/Clickjacking

Jacob Billings
I am a software engineer and a linguist. I hold a bachelor's degree in Middle Eastern Studies from the University of Utah and a master's degree in linguistics from Francisco Marroquín University in Guatemala City, and I am working on a double doctorate degree in Archaeology and Mathematics.

Software Development: I bring over 17 years of experience in developing software for multiple clients in various environments. I have a solid knowledge of PHP, JavaScript, MySQL, Python, and Java.

Over my career, I have had the opportunity to work on projects for some of the most recognized brands on the planet. Brands like Marriott Hotels, Microsoft, Ashland Chemical, Capital One Credit Cards, Cadbury Schweppes, GE and more. This has given me an in-depth understanding of my clients' challenges as they grow. I know how to get a company from startup to maturity with technology. My specialties are in E-commerce (specifically Magento), process automation, and security.