A clickjacking attack tricks the user into clicking on another website (say http://target.com) while the user believes they are interacting only with http://malicious-website.com. Typically the attack is performed by hiding the target website's UI and arranging the visible UI so that the user is unaware that their click lands on the target website.
- The attacker includes the target website as an iframe layer on malicious-website.
- The iframe is positioned so that the action the attacker wants triggered on the target precisely overlaps a visible control on malicious-website.
- The iframe's opacity is set to 0.0 so that its content is not visible to the user.
How to prevent clickjacking attacks
- X-Frame-Options: The X-Frame-Options HTTP response header indicates whether a browser should be allowed to render the page inside a frame, iframe, embed or object.
- Content Security Policy (CSP): Clickjacking protection can also be achieved by including the frame-ancestors directive in the application's Content Security Policy, which lists the origins permitted to frame the page.
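The following is an added example, not code from the original note: a small audit helper that builds the hardened header pair described above and, given the response headers of a page, decides whether a browser would let a given origin frame it. The origins used in the comments (target.example, partner.example) are placeholders. The CSP source matching is a deliberately simplified subset (scheme, host and wildcard-subdomain sources; no ports or paths), and when both headers are present the frame-ancestors directive is consulted first, as the CSP specification requires.

```javascript
// Hardened response headers for pages that must not be framed by other sites.
// Sending both covers browsers that understand CSP and those that only honour X-Frame-Options.
function clickjackingHeaders(allowSameOrigin) {
  return allowSameOrigin
    ? { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'" }
    : { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
}

// Case-insensitive header lookup over a plain object of response headers.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Extract the frame-ancestors source list from a CSP value; null if the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Does one frame-ancestors source permit framerOrigin to embed a page served from pageOrigin?
// Simplified matcher: keyword, scheme, host and *.host sources only (assumption of this example).
function sourceMatches(source, framerOrigin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return framerOrigin === pageOrigin;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return framer.protocol === source; // scheme source, e.g. https:
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/);
  if (!m) return false; // ports and paths are unsupported here: treat as no match
  const [, scheme, wildcard, host] = m;
  if (scheme && framer.protocol !== scheme + ":") return false;
  // A wildcard source matches subdomains only, never the bare host itself.
  return wildcard ? framer.hostname.endsWith("." + host) : framer.hostname === host;
}

// Decide whether a browser would render the page from pageOrigin inside a frame on framerOrigin.
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const sources = parseFrameAncestors(headerValue(headers, "Content-Security-Policy"));
  if (sources !== null) {
    return sources.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
  }
  const xfo = (headerValue(headers, "X-Frame-Options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  // Missing header, or the obsolete ALLOW-FROM form that modern browsers ignore: framing is allowed.
  return true;
}

// Constructed sample: a page that was captured with no framing protection at all.
const unprotectedPage = { "Content-Type": "text/html" };
console.log(canBeFramed(unprotectedPage, "https://target.example", "https://malicious.example")); // true
console.log(canBeFramed(clickjackingHeaders(false), "https://target.example", "https://malicious.example")); // false
```

A missing header is reported as framable, which is the case worth flagging in an audit: the absence of both defences is exactly the condition the attack above relies on.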