Clickjacking

Clickjacking is another form of attack that lures a user into performing an unintended action, such as being redirected to another site or an advertisement. It relies on the user performing an ordinary action, like clicking a button or a link, while a hidden click mechanism intercepts that click and changes what the interface actually does.

Description

Clickjacking makes use of an invisible <iframe> layered over the user interface element the user is expected to click, such as a button or link. When the user clicks on the visible UI, believing it performs the intended action, the click actually lands on the invisible iframe, without the user being aware of it. The action is therefore redirected into the attacker's iframe instead of the page the user sees.

Potential Attacking Model

I/O Manipulation

Clickjacking can trick a user into approving I/O access in the browser. This has happened on sites using the Flash plugin, where a hidden click granted camera and microphone access.

Unintended Data Harvesting

This commonly takes the form of social media hijacking or propagation, such as inflating the like count of a group, page or post on Facebook or Twitter through clicks the user never intended to make.

Best Practices

  1. EMPLOY UI DEFENSIVE CODE. Frame-busting script ensures the page only renders when it is the top window, so a hijacker's iframe cannot place the page beneath its own decoy.
  2. COMPLY WITH PREVENTION GUIDELINES. Available at OWASP: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
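The two practices above in working form, as an added example that is not code from the original page. The first part is the legacy "UI defensive code" (a frame-busting check that only reveals the page when it is the top window); the second builds the X-Frame-Options and Content-Security-Policy frame-ancestors headers that the OWASP cheat sheet recommends as the primary defence. The `win`, `doc` and `allowedOrigins` parameters are assumptions introduced here so the logic can be exercised outside a browser.

```javascript
// Added example, not from the original page. Frame-busting check plus the
// header-based anti-framing defence recommended by the OWASP cheat sheet.

// Returns true when the page is rendered inside another document's frame.
// `win` is a window-like object (assumption: injected for testability).
function isFramed(win) {
  // Reading `top` across origins can throw; treat any exception as framed,
  // since a same-origin top window would never raise here.
  try {
    return win.self !== win.top;
  } catch (e) {
    return true;
  }
}

// Classic frame-busting pattern: the body is shipped with display:none and
// is only revealed once we know we are the top window; otherwise the page
// tries to break out of the frame. Returns whether the page was revealed.
// `doc` is a document-like object (assumption: injected for testability).
function frameBust(win, doc) {
  if (isFramed(win)) {
    // Navigate the top window to ourselves so the framing page is replaced.
    win.top.location = win.self.location;
    return false;
  }
  doc.body.style.display = 'block';
  return true;
}

// Header-based defence. X-Frame-Options covers legacy browsers; the CSP
// frame-ancestors directive is what modern browsers honour. An empty
// `allowedOrigins` list (constructed parameter) means "deny all framing".
function antiFramingHeaders(allowedOrigins = []) {
  const headers = {};
  if (allowedOrigins.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
  } else if (allowedOrigins.length === 1 && allowedOrigins[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
    headers['Content-Security-Policy'] = "frame-ancestors 'self'";
  } else {
    // X-Frame-Options cannot express an allow-list of several origins
    // (ALLOW-FROM never gained broad support), so only CSP carries it.
    headers['Content-Security-Policy'] =
      'frame-ancestors ' + allowedOrigins.join(' ');
  }
  return headers;
}

// In a real browser the check runs at load time; guarded so the file also
// runs under Node without a DOM.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  frameBust(window, document);
}
```

The script-based check is defence in depth only: frame-busting code can be neutralised by the framing page (for example via the iframe sandbox attribute), so the response headers are what actually enforce the policy. Send both headers from the server on every HTML response rather than relying on the script alone.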