Security Guide
Understanding the invisible threat that compromises user security
Clickjacking (also known as UI redressing) is a malicious technique where attackers trick users into clicking on hidden or disguised elements on a website. The term combines "click" and "hijacking" — literally meaning the hijacking of user clicks.
In a clickjacking attack, the attacker embeds a legitimate website in an invisible iframe on their malicious site. They overlay this hidden iframe with deceptive content that entices users to click. When users think they are clicking on visible elements, they are actually interacting with the hidden website.
Clickjacking attacks exploit the trust users have in legitimate websites. Victims believe they are interacting with a familiar service, when in reality they are being manipulated by attackers. This can lead to financial loss, identity theft, and complete account compromise.
The attacker sets up a website that appears legitimate — offering free downloads, games, or other enticing content. This site serves as the foundation for the attack.
Using HTML iframes, the attacker loads the target website invisibly on their page. The iframe is styled with CSS to be completely transparent.
<iframe src="https://bank.com" style="opacity:0; position:absolute;"></iframe>
The attacker positions visible elements (buttons, links, images) precisely over sensitive areas of the hidden website. These overlays are designed to look legitimate.
When users click on what they believe are legitimate buttons, they are actually clicking on hidden elements in the iframe — triggering unintended actions.
The traditional method using invisible iframes to trick users into clicking hidden elements. Relies on precise positioning and transparency.
Target: Banking sites, payment forms, admin panels
A specialized form focused on social media platforms. Attackers trick users into 'liking' pages or sharing content without consent.
Target: Facebook, Twitter, Instagram, social platforms
Advanced technique that manipulates the cursor position, making users believe they are clicking in one location when they are actually clicking elsewhere.
Target: Any website with sensitive clickable elements
Attackers trick users into downloading malicious files by overlaying download buttons over legitimate file links.
Target: File sharing sites, software download pages
Attackers create fake 'Get Rich Quick' websites promising investment opportunities. When users click 'Invest Now,' they are actually clicking on their bank's transfer button.
Impact: Direct financial loss, often thousands of dollars
Malicious browser extensions or websites overlay 'Enable Premium Features' buttons over social media security settings.
Impact: Account compromise, privacy invasion, spam distribution
Attackers target shopping sites by overlaying 'Claim Your Prize' buttons over checkout buttons.
Impact: Unauthorized purchases, subscription fraud
Attackers use various CSS properties to hide and position iframes:
.hidden-iframe {
position: absolute;
top: -100px;
left: -100px;
width: 300px;
height: 200px;
opacity: 0;
z-index: -1;
}
.overlay-button {
position: absolute;
top: 50px;
left: 50px;
z-index: 100;
}
Advanced attacks use JavaScript to dynamically adjust positioning:
document.addEventListener('mousemove', (e) => {
const iframe = document.getElementById('target-iframe');
const button = document.getElementById('overlay-button');
// Position overlay button over sensitive iframe element
button.style.left = (e.clientX - 50) + 'px';
button.style.top = (e.clientY - 25) + 'px';
});
Use our free scanner to check if your website is vulnerable to clickjacking attacks.
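As an added example that is not part of this guide or its scanner, the following Node.js code performs the core check such a scanner makes on a site's own response headers: a page can be loaded in a third-party iframe unless it sends X-Frame-Options or a Content-Security-Policy frame-ancestors directive, and frame-ancestors takes precedence over X-Frame-Options when both are present. The header sets at the bottom are constructed samples, not real responses.

```javascript
// Added example (not the guide's own code): decide whether an HTTP response's
// headers stop other origins from framing it, which classic clickjacking
// depends on. All header values below are constructed.
// Parse a Content-Security-Policy value into { directive: [sources] }.
// When a directive is repeated the first occurrence wins, as in browsers.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return directives;
}
// headers: { lowercaseName: [value, ...] }. Returns { frameable, reason }.
function assessFramingProtection(headers) {
  // frame-ancestors takes precedence over X-Frame-Options and does NOT fall
  // back to default-src, so "default-src 'self'" alone gives no protection.
  for (const csp of headers['content-security-policy'] || []) {
    const ancestors = parseCsp(csp)['frame-ancestors'];
    if (ancestors === undefined) continue;
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { frameable: false, reason: "CSP frame-ancestors 'none'" };
    }
    if (['*', 'http:', 'https:'].some((s) => ancestors.includes(s))) {
      return { frameable: true, reason: `CSP frame-ancestors allows any origin: ${ancestors.join(' ')}` };
    }
    return { frameable: false, reason: `CSP frame-ancestors limited to: ${ancestors.join(' ')}` };
  }
  const xfo = [...new Set((headers['x-frame-options'] || []).map((v) => v.trim().toUpperCase()))];
  if (xfo.length === 0) return { frameable: true, reason: 'no X-Frame-Options or CSP frame-ancestors' };
  if (xfo.every((v) => v === 'DENY' || v === 'SAMEORIGIN')) {
    return { frameable: false, reason: `X-Frame-Options ${xfo.join(', ')}` };
  }
  // ALLOW-FROM and other unrecognised values are ignored by current browsers.
  return { frameable: true, reason: `X-Frame-Options not enforced by modern browsers: ${xfo.join(', ')}` };
}
// Constructed sample header sets, like those a scanner might see from a site.
const SAMPLES = {
  unprotected: {},
  xfoDeny: { 'x-frame-options': ['DENY'] },
  cspSelf: { 'content-security-policy': ["default-src 'self'; frame-ancestors 'self'"] },
  cspOverridesXfo: { 'x-frame-options': ['DENY'], 'content-security-policy': ['frame-ancestors *'] },
  cspNoFrameAncestors: { 'content-security-policy': ["default-src 'self'"] },
};
// Map each sample to whether a third-party site could frame it.
function scanAll() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([n, h]) => [n, assessFramingProtection(h).frameable]));
}
```

Run it with `node` and inspect `scanAll()`; the `cspOverridesXfo` sample shows why a permissive frame-ancestors value silently cancels an X-Frame-Options: DENY header.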