# clickjacking

## Clickjacking (UI redressing) <a href="#clickjacking-ui-redressing" id="clickjacking-ui-redressing"></a>

<figure><img src="/files/xpcG3CdIzpfAL4Q9cSJF" alt=""><figcaption><p>clickjacking</p></figcaption></figure>

| Content                                       |
| --------------------------------------------- |
| **📚 What Is Clickjacking (UI redressing) ?** |
| **⚔ Clickjacking Attack Example**             |
| **🔎 How To Find**                            |
| **🛠 Tools**                                  |
| **🛺 Clickjacking mitigation**                |
| **📕 Referance**                              |
| **🔬 Labs**                                   |

***

### 📚 What Is Clickjacking (UI redressing)? <a href="#what-is-clickjacking-ui-redressing" id="what-is-clickjacking-ui-redressing"></a>

Clickjacking is an attack that **tricks** a user into **clicking** a webpage element that is **invisible** or disguised as another element.

This can cause users to unwittingly **download malware**, **visit malicious web pages**, **provide credentials** or **sensitive information**, **transfer money**, or **purchase products online**.

**Clickjacking** is performed by **displaying an invisible page or HTML element**, inside an **iframe**, on **top of the page the user sees.**

The user believes they are clicking the visible page but in fact, they are clicking an invisible element in the additional page transposed on top of it.

![](https://i.imgur.com/lhcqA4M.png)

![](https://i.imgur.com/1YtoWdo.png)

**Clickjacking** attacks use **CSS** to create and manipulate layers.

The attacker incorporates the target website as an **iframe layer overlaid on the decoy website**. An example using the style tag and parameters is as follows:

Basic Payload

***

### ⚔ Clickjacking Attack Example <a href="#clickjacking-attack-example" id="clickjacking-attack-example"></a>

1. The **attacker creates an attractive page** that promises to give the user a free trip to Tahiti.
2. In the background, the attacker checks **if the user is logged into his banking site and if so**, loads the screen that enables transfer of funds, using query parameters to insert the attacker’s bank details into the form.
3. The bank **transfer page** is displayed in an invisible iframe above the free gift page, with the “Confirm Transfer” button exactly aligned over the “Receive Gift” button visible to the user.
4. The user visits the page and **clicks** the **“Book My Free Trip”** button.
5. **In reality,** the user is clicking on the invisible iframe and has clicked the **“Confirm Transfer”** button. Funds are transferred to the attacker.
6. The user is **redirected** to a page with information about the free gift (not knowing what happened in the background).

***

### 🔎 How To Find? <a href="#how-to-find" id="how-to-find"></a>

Find clickjacking vulnerabilities using Burp Suite’s web vulnerability scanner

There are many browsers extensions that inform you when the page is vulnerable to Clickjacking

A basic way to test if your site is vulnerable to clickjacking is to create an HTML page and attempt to include a sensitive page from your website in an iframe. It is important to execute the test code on another web server because this is the typical behavior in a clickjacking attack.

View the HTML page in a browser and evaluate the page as follows:

* If the text **“Website is vulnerable to clickjacking”** **appears** and **below it, you see the content of your sensitive page**, the page is **vulnerable** to clickjacking. ✅
* If only the text **“Website is vulnerable to clickjacking”** **appears**, and you **do not see the content of your sensitive page**, the page is **not vulnerable** to the simplest form of clickjacking. ❌

***

### 🛠 Tools <a href="#tools" id="tools"></a>

[**Burp Clickbandit**](https://portswigger.net/burp/documentation/desktop/tools/clickbandit)\
\
is a tool for generating clickjacking attacks. When you have found a web page that may be vulnerable to clickjacking, you can use Burp Clickbandit to create an attack and confirm that the vulnerability can be successfully exploited.

***

### ⚙ Clickjacking mitigation <a href="#clickjacking-mitigation" id="clickjacking-mitigation"></a>

There are **three main mechanisms** that can be used to defend against Clickjacking:

1. Preventing the browser from loading the page in the frame using the **X-Frame-Options** or **Content Security Policy (frame-ancestors)** HTTP headers.
2. Properly setting authentication cookies with **SameSite=Strict** (or **Lax**), unless they explicitly need None (which is rare).
3. Implementing JavaScript code in the page to attempt to prevent it from being loaded in a frame (known as a “**frame-buster**”).

***

1. **X-Frame-Options** header There are three values allowed:

   1. **DENY** – does not allow any domain to display this page within a frame
   2. **SAMEORIGIN** – allows the current page to be displayed in a frame on another page, but only within the current domain
   3. **ALLOW-FROM URI** – allows the current page to be displayed in a frame, but only in a specific URI – for example, [www.example.com/frame-page](http://www.example.com/frame-page)

2. **Content Security Policy (CSP)**

   Content Security Policy (CSP) is a detection and prevention mechanism that provides mitigation against attacks such as XSS and clickjacking. CSP is usually implemented in the web server as a return header of the form:

   The recommended clickjacking protection is to incorporate the frame-ancestors directive in the application’s Content Security Policy:

   1. The frame-ancestors ‘none’ directive is similar in behavior to the X-Frame-Options deny directive.
   2. The frame-ancestors ‘self’ directive is broadly equivalent to the X-Frame-Options sameorigin directive. The following CSP whitelists frames to the same domain only:
   3. Alternatively, framing can be restricted to named sites:

      Equivalent to the

***

### 📕 Reference <a href="#referance" id="referance"></a>

[**Portswigger**](https://portswigger.net/web-security/clickjacking)

[**OWASP**](https://owasp.org/www-community/attacks/Clickjacking)

[**Hacktricks**](https://book.hacktricks.xyz/pentesting-web/clickjacking)

[**Imperva**](https://www.imperva.com/learn/application-security/clickjacking/)

[**clickbandit**](https://portswigger.net/burp/documentation/desktop/tools/clickbandit)

***

### 🔬 Labs <a href="#labs" id="labs"></a>

[**portswigger**](https://portswigger.net/web-security/clickjacking)

[**OWASP Broken Web Applications Project**](https://sourceforge.net/projects/owaspbwa/) Install this Machine and will have a lot of Labs like **DVWA**, **BWAPP,** and **Webgoat,** etc

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xkourama.gitbook.io/blog/vulnerabilities-and-techniques/web-vulnerabilities/clickjacking.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.