What are Clickjacking Attacks and How to Avoid Them?
- by Antoniy Yushkevych
- in Web Hosting
What is clickjacking?
Have you ever visited a website, clicked an element you wanted to open and instead landed on a pesky ad? Then you have experienced a clickjacking attack. More precisely, clickjacking is an attack that tricks the user into clicking a web page element that is invisible or disguised as another element. Here’s an example:
In the screenshot above, taken from a video streaming site, the yellow arrow marks the actual link that must be clicked to open the video, while the red arrow points to an example of clickjacking. Clicking the WATCH VIDEO button does not play anything; it sends you through a chain of redirects to hundreds of different advertisements. It fools people into clicking by making them think it will open the video they wanted.
Another type of clickjacking attack is the “invisible” attack. A transparent page or HTML element is loaded inside a frame and positioned on top of the page the user sees. The user believes they are clicking the visible page, but the click actually lands on the invisible page laid over it.
How do I avoid it?
The most common client-side clickjacking mitigation is called frame busting. It is effective in most cases but can be bypassed by more advanced attacks. Because framing attacks such as clickjacking rely on iframes, a frame-busting script detects when the page has been loaded inside a frame and stops the site from functioning in that situation.
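The following is an added example, not code from the original post: the classic frame-busting defence written as small JavaScript functions so that the decision logic can be run and checked outside a browser. The `window` and `document` objects used here are constructed models with only the properties the functions touch (`self`, `top`, `location`, `documentElement.style`); the URLs are placeholders. The pattern assumed is the one where the page ships hidden (`<style>html{display:none}</style>`) and only reveals itself after confirming it is the top-level window, so that no clickable content is ever rendered while framed.

```javascript
// Added example (not from the original post): frame-busting logic as pure
// functions plus constructed window/document models for offline testing.

function isFramed(win) {
  // A page loaded directly is its own top-level browsing context, so
  // win.self === win.top. Inside an <iframe> the two differ. If reading
  // win.top throws (cross-origin restrictions), treat the page as framed
  // rather than silently assuming it is safe to display.
  try {
    return win.self !== win.top;
  } catch (err) {
    return true;
  }
}

function frameBustingDecision(win) {
  // Decide what the page should do before any clickable content is shown.
  if (isFramed(win)) {
    return { action: "bust", target: win.location.href };
  }
  return { action: "show" };
}

function applyFrameBusting(win, doc) {
  // The document starts hidden (display: none). Only when the page confirms
  // it is top-level does it reveal itself; otherwise it navigates the
  // top-level window to its own URL, replacing the framing page, and the
  // content stays hidden so nothing can be clicked in the meantime.
  const decision = frameBustingDecision(win);
  if (decision.action === "show") {
    doc.documentElement.style.display = "block";
  } else {
    win.top.location = decision.target;
  }
  return decision;
}

// --- constructed models standing in for real window/document objects ---

function makeDocument() {
  return { documentElement: { style: { display: "none" } } };
}

function makeTopLevelWindow(href) {
  // Loaded directly: self and top are the same object.
  const win = { location: { href } };
  win.self = win;
  win.top = win;
  return win;
}

function makeFramedWindow(href, framingHref) {
  // Loaded inside an iframe: top is a different window (the framing page).
  const top = { location: framingHref };
  const win = { location: { href }, top };
  win.self = win;
  return win;
}

// Stand-alone demonstration with placeholder URLs.
if (typeof require !== "undefined" && require.main === module) {
  const framedDoc = makeDocument();
  const framed = makeFramedWindow("https://example.org/video", "https://framing-page.invalid/");
  console.log(applyFrameBusting(framed, framedDoc), framed.top.location,
              framedDoc.documentElement.style.display); // bust, navigated, still "none"

  const directDoc = makeDocument();
  const direct = makeTopLevelWindow("https://example.org/video");
  console.log(applyFrameBusting(direct, directDoc),
              directDoc.documentElement.style.display); // show, "block"
}
```

Keeping the page hidden until the check passes matters: a script that only runs `top.location = self.location` without hiding the content leaves a window in which the page is rendered, and therefore clickable, inside the frame. Because script-based busting can still be bypassed, as the text notes, it is normally paired with the server-side `X-Frame-Options` or `Content-Security-Policy: frame-ancestors` response headers, which the browser enforces before the page is rendered at all.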