Explainer Series: What is Clickjacking?

Here we go, another online trap ready to ensnare unsuspecting – well, until now anyway – users. As if Phishing, Cryptojacking, credential stuffing and old school scamming wasn’t enough, folks really just can’t catch a break these days. Anyway, we’re here to chat about clickjacking, for those of you who aren’t 100% sure what to keep an eye out for…

So… what is it exactly?

Clickjacking is an attack – a pretty passive one, but nasty all the same – that takes advantage of a vulnerability found on web platforms running on major browsers, that allows bad actors – not like the ones you find in b-rated flicks, we mean hackers – to edit what a website looks like to the user in their browser, without changing the functionality. Basically, placing a fake site on top of a real one, so it works the same as the original, but folks are actually interacting with a completely different site.

Cybersecurity Live - Boston

Note: This is not a vulnerability based within the target applications but rather in software running on client machines (i.e. browsers).

Four of the most popular strategies for carrying out a clickjacking attack

  1. The malicious web page embeds a page from another domain to which the user is already authenticated. Since the malicious Web page is controlled by the bad actor, they can visually hide parts of the original application from the user, exposing only the specific control elements they want users to interact with such as buttons or form fields. As a result, the user is interacting with the covered Web page through “holes” in the graphical overlay generated by the attacker.
  2. Another example is when an attacker carries the clickjacking attack using a technique called iFrame overlay. The malicious web page includes code that generates fake UI and an IFrame covering only a part of the legitimate page, giving a feeling that this iFrame belongs to the main site. From there the visitor can be tricked into taking action on their behalf.
  3. By using Javascript instead of HTML only, the attack becomes sneakier to deploy since the original UI can be further manipulated in ways that are not possible when using only HTML. For example, the attacker can position the embedded web page in the browser window so that a specific button will always appear under the user’s cursor and force him to make the expected action.
  4. The clickjacking vulnerability in Adobe Flash Player has even further implications since attackers can gain access to attached hardware such as webcams and microphones.

What motivates a clickjacking attack?

  • Taking control of a computer or accessing peripheral hardware
  • Publish a post, a like or follow a page in a social network against a user’s knowledge
  • Downloading a malware

Although clickjacking attacks can overcome most CSRF protections, Imperva SecureSphere’s integrated CSRF protection is not. CSRF protection in SecureSphere is based on a dynamic profiling mechanism that allows SecureSphere to detect and block authenticated requests to internal resources from suspicious domains.

*** This is a Security Bloggers Network syndicated blog from Blog | Imperva authored by Gerhard Jacobs. Read the original post at:

API Poll

Step 1 of 5

Do you have an API security project in 2022?