Clickjacking is a malicious technique that consists of deceiving a web user into interacting (in most cases by clicking) with something different from what the user believes they are interacting with.



Once the victim is browsing the fictitious web page, they think they are interacting with the visible user interface, but are actually performing actions on the hidden page. Since the hidden page is an authentic page, the attacker can deceive users into performing actions they never intended to perform, through ad hoc positioning of the elements in the web page.



How to Test


The first step to discover whether a website is vulnerable is to check whether the target web page can be loaded into an iframe. To do this you need to create a simple web page that includes a frame containing the target web page. The HTML code to create this testing web page is displayed in the following snippet:


<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <p>Website is vulnerable to clickjacking!</p>
    <!-- set src to the URL of the page under test; the message above is only
         meaningful if the framed page actually renders inside the iframe -->
    <iframe src="" width="500" height="500"></iframe>
  </body>
</html>




Another way to test for the clickjacking attack


<style>
  /* iframe holding the target page, stacked on top of the decoy link */
  iframe {
    position:absolute; top:0; left:0;
    filter:alpha(opacity=50); /* in real life opacity=0 */
    opacity:0.5;               /* same effect in current browsers */
  }
</style>
<iframe src="TARGET_PAGE_URL"></iframe> <!-- placeholder: URL of the page under test -->
<a href="DECOY_PAGE_URL" target="_blank" style="position:relative;left:20px;z-index:-1">CLICK ME!</a> <!-- placeholder: any harmless decoy link -->
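Both test pages above only "work" when the browser is willing to render the target inside a cross-site iframe, and that decision is made from the response headers: Content-Security-Policy frame-ancestors (which takes precedence) and X-Frame-Options. The following Python script is an added example, not part of the original testing guide: it parses a captured raw HTTP response and applies those browser rules offline, so a tester can tell from the headers alone whether framing from another origin would be refused. All origins, hostnames and responses in it are constructed for illustration.

```python
"""Offline framability check for clickjacking testing (added example).

Given a raw HTTP response, decide whether a browser would allow a page at
`embedder_origin` to frame it. Rules applied:
  * Content-Security-Policy frame-ancestors overrides X-Frame-Options (CSP Level 2);
    every enforced CSP policy that carries frame-ancestors must permit the embedder.
  * Content-Security-Policy-Report-Only never blocks framing.
  * X-Frame-Options: DENY blocks everyone, SAMEORIGIN blocks other origins,
    conflicting values are refused by browsers, unrecognised values are ignored.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


def parse_headers(raw: str) -> Headers:
    """Return (lowercased-name, value) pairs from the header block of a raw response."""
    lines = raw.strip().splitlines()[1:]          # drop the status line
    out: Headers = []
    for line in lines:
        if not line.strip():
            break                                 # blank line ends the header block
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def frame_ancestors_policies(headers: Headers) -> List[List[str]]:
    """Collect the frame-ancestors source list of every enforced CSP header."""
    policies = []
    for name, value in headers:
        if name != "content-security-policy":     # Report-Only is deliberately skipped
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                policies.append([p.lower() for p in parts[1:]])
                break                             # only the first occurrence in a policy counts
    return policies


def _host_source_matches(src: str, embedder_origin: str) -> bool:
    """Match one CSP host-source or scheme-source against scheme://host[:port]."""
    e_scheme, _, e_host = embedder_origin.partition("://")
    if "://" in src:
        s_scheme, _, s_host = src.partition("://")
        if s_scheme != e_scheme:
            return False
    elif src.endswith(":"):                       # scheme-source such as "https:"
        return e_scheme == src[:-1]
    else:
        s_host = src
    if s_host.startswith("*."):
        return e_host.endswith(s_host[1:])        # wildcard covers subdomains only
    return e_host == s_host


def _ancestors_allow(sources: List[str], site_origin: str, embedder_origin: str) -> bool:
    if not sources or sources == ["'none'"]:
        return False
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and embedder_origin == site_origin:
            return True
        if not src.startswith("'") and _host_source_matches(src, embedder_origin):
            return True
    return False


def framable_by(headers: Headers, site_origin: str, embedder_origin: str) -> bool:
    """True if a page served by site_origin with these headers can be framed by embedder_origin."""
    policies = frame_ancestors_policies(headers)
    if policies:
        return all(_ancestors_allow(p, site_origin, embedder_origin) for p in policies)
    xfo = [v.strip().upper() for n, v in headers if n == "x-frame-options"]
    if not xfo:
        return True                               # nothing restricts framing
    if len(set(xfo)) > 1:
        return False                              # conflicting values: browser refuses to render
    if xfo[0] == "DENY":
        return False
    if xfo[0] == "SAMEORIGIN":
        return embedder_origin == site_origin
    return True                                   # ALLOW-FROM / unknown: ignored by current browsers


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no_protection": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "xfo_deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "xfo_sameorigin": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "csp_none": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
                "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
    "csp_partner": "HTTP/1.1 200 OK\r\n"
                   "Content-Security-Policy: frame-ancestors 'self' https://*.partner.example\r\n\r\n",
    "report_only": "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\r\n\r\n",
}


def assess(raw: str, site_origin: str = "https://target.example",
           embedder_origin: str = "https://other.example") -> bool:
    """Convenience wrapper: parse the response and evaluate it for one embedder."""
    return framable_by(parse_headers(raw), site_origin, embedder_origin)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15} framable by other origin: {assess(raw)}")
```

Only the "no_protection" and "report_only" responses come out as framable from a foreign origin; the "csp_partner" response is framable from https://shop.partner.example but not from http://shop.partner.example, because the host-source carries an explicit scheme. A result of True here is what makes the two HTML test pages above render the target, so the script is a quick way to confirm a finding, or to verify that adding frame-ancestors 'none' or X-Frame-Options: DENY to a fix actually closes it.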