Clickjacking is an attack that uses a website’s user interface (UI) to trick the victim into clicking on something, usually by loading the malicious content in place of something legitimate. 

Clickjacking attacks are very popular because they can be done from anywhere in the world and don’t require any special software to execute. They also don’t need any special technical skills. Clickjacking exploits the fact that web browsers will follow a link or a button if they receive an instruction to do so, even without the user’s action.

According to owasp.org “Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page”

For example, imagine an attacker who builds a web site that has a button on it that says “click here for a free trip to Hawaii”. However, on top of that web page, the attacker has loaded an iframe with your bank account transfer page, and lined up exactly the “transfer” button directly on top of the “free trip” button. The victim tries to click on the “free trip” button but instead actually clicked on the invisible “transfer” button. In essence, the attacker has “hijacked” the user’s click, hence the name “Clickjacking”.

How to prevent clickjacking

X-Frame-Options : The X-Frame-Options response header is passed as part of the HTTP response of a web page, indicating whether or not a browser should be allowed to render a page inside a <FRAME> or <IFRAME> tag.

Following values allowed for the X-Frame-Options header:

DENY — Don’t allow any domain to display this page within a frame.

SAMEORIGIN — Allows the current page to be displayed in a frame on another page but within the current domain.

ALLOW-FROM URI — Allows the current page to be displayed in a frame but only in a specific URI.