Threats

What is clickjacking?

On the heels of an urgent warning being issued for hundreds of millions of Chrome, Edge, and Safari users, our ethical hackers have compiled a foundational guide for how to defend against clickjacking in 2025.

Firstly, What is Clickjacking?

As defined by OWASP, "Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page. Thefore, the threat actor is “hijacking” clicks meant for their page and instead routing them to another page, most likely owned by another application, domain, or both."

In short, clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause even Employee Awareness Trained-users to unknowingly download potentially devastating malware, visit malicious web pages, hand over credentials or sensitive information, transfer money, or even purchase fraudulent products online.

Typically, clickjacking is performed by displaying an invisible page or HTML element, inside an iframe, on top of the page the user sees. This ensures that the user believes they are clicking the visible page but are, in actuality, clicking an invisible element in the additional threat actor-transposed page that is on the layer on top of it.

This threat actor-deployed invisible page could be a malicious page, or a legitimate page the user did not intend to visit– for example, a page on the user’s banking site that authorizes the transfer of money.

What Are Variations of Clickjacking?

There are several common variations of clickjacking attacks. These include, but are not limited to:

• Likejacking: A technique in which the Facebook “Like” button is manipulated, causing users to “like” a page they actually did not intend to like.

• Cursorjacking: A UI redressing technique that changes the cursor for the position the user perceives to another position. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have now been fixed.

How to Flag Clickjacking (and Common Clickjacking Examples)

Any website that is open to being embedded in an iframe may be vulnerable to clickjacking attacks. This is why it’s critical for both website administrators and end users to be proactive in preventing them, particularly with the uptick of clickjacking (and related attacks) in 2024 and early 2025.

So how can your team trial your site’s vulnerability to clickjacking? One method is to code a specific page of HTML and use it to try to embed a sensitive page of your site in an iframe.

Most methods for protecting against clickjacking rely on the origin of the page— i.e., the fact that the domain of the malicious page is different from the domain of the legitimate page (e.g., dummy.com vs. legit.com). So when running this test page, it’s best not to run it under the same domain as the targeted page (e.g. legit.com).

Once you run the HTML, this should flag whether the tested page is vulnerable to clickjacking. With further testing, teams can determine whether any protections already in place on the page could be evaded by a clickjacking attack.

When testing, it is advised to keep in mind that threat actors may use several variations when designing a clickjacking attack. However, below is the most common attack flow:

• A Dummy Website is Created : A malicious "dummy" website is created, which includes an iframe containing the legitimate target website. Using styling, the iframe will be set to be invisible and positioned in a way that the invisible button in legit.com is located directly on top of a dummy button on dummy.com. This way, when the user clicks on the dummy button they see, they’re actually clicking on the invisible button.

• Targets Visit the Website: With their dummy web page in place, threat actors then generally leverage social engineering tactics, such as fraudulent emails, to entice intended victims.

• Targets Click on the Intended Offer: Once the attacker has tricked an intended target into visiting the dummy site, the target unknowingly performs the action the threat actor intended. When they do, the action the attacker intended, rather than what the victim intended to do, is then executed by the victim’s browser.

What is Clickjacking Used For?

What happens when a target performs the intended action?

Often, clickjacking attacks can do more than hijack cursor clicks. Commonly, they are utilized to capture sensitive information, steal money, and invade user privacy.

Other potentials include:

• Steal login credentials (which passwordless authentication can mitigate)

• Transfer money

• Make unapproved purchases

• Expose user location

• Activate a user's microphone or camera

• Download malware

• Capture more social media followers (likejacking)

• Steal browser cookies (cookiejacking)

• Access files on the user's hard drive (filejacking)

How to Prevent Clickjacking in 2025

Organizations can defend their website against clickjacking attacks via either client-side or server-side prevention.

1. Client-side Prevention

From the client side, there are three main methods of clickjacking prevention:

Intersection Observer API

While some teams may not have say over what browsers they are using for work, most modern browsers already support Intersection Observer API. This Javascript API allows detecting the visibility of target elements. It lets a webpage “know” if a specific component in the page, or the entire page, is visible to the user.

This knowledge can be used to identify whether the content of a web page is invisible to the user (even if contained within an iframe).

Browser add-ons: There are also a handful of browser add-ons designed to guard against clickjacking, including NoScript and NoClickjack. These add-ons are not compatible with every browser, but their availability is on the rise.

Frame Busting

Frame busting is the practice of using JavaScript to keep a web page from being loaded in a frame. It’s effective even in legacy browsers that don’t support newer methods such as the Intersection Observer API or the X-Frame-Options header and CSP mentioned below.

2. Server-side Prevention

Coming from the server side, there are several ways to guard against clickjacking. Where possible, it’s best to use more than one method to improve your defenses.

X-Frame-options header

This frame option can be added to HTTP as a response header. The HTTP response header is designed to allow the server to tell the client (web browser) if the specific page is allowed to be shown within an iframe. Most major browsers enforce this restriction. Once the website administrator establishes the X-Frame-Options of the site, the header will enforce one of the following framing policies as designated:

• SAMEORIGIN: only framing from the same website(s) is allowed

• DENY: all framing is forbidden

Frame-ancestors Directive

The frame-ancestors directive is designed to replace the X-Frame-Options header. As part of Content Security Policy (CSP), the frame-ancestors directive can either allow or disallow framed content from being embedded.

On pages that include both the X-Frame-Options header and frame-ancestors directive, the frame-ancestors policy is usually given preference by the browser.

SameSite Cookie Attribution

Samesite cookie attribution works to prevent a cookie from being sent in case the request originated from a third party.

In terms of clickjacking, this means that even if the webpage was shown in an iframe and the victim did click on a button unintentionally, any cookie that should normally be sent with the request following the click will not be sent (for example, a session cookie).

How to Incorporate Clickjacking Into Your Organization's Employee Awareness Training

How aware is your team of rising clickjacking threats?

During your next Employee Awareness Training, it is recommended to advise users of the following:

• Don’t click on pop-ups, especially on sites you don’t use regularly. Many of them are malicious.

• Pay attention to any browser warnings on the sites you visit. If you are warned not to proceed, don’t.

• Don’t click a link in any email from an unfamiliar source. Before clicking a link that looks trustworthy, check for spelling errors and note whether it’s an HTTP or HTTPS link. Most trustworthy sites use HTTPS.

• Text-based clickjacking is becoming more common. Do not click any links in a text from an unknown sender.

Conclusion

When it comes to fortifying your organization against mounting threats such as clickjacking and social engineering, proactive penetration testing has never been more critical.

As a CREST and SOC 2 Type II accredited penetration testing firm, Packetlabs’ best in class methodologies and 95% manual pentesting go well beyond industry standards. We offer several solutions that push the envelope on security–and guarantee full regulatory and cyber insurance compliance.

Recognizing the pressing requirements of companies in fortifying their security frameworks, our founder, Richard Rogerson, established Packetlabs over 12 years ago.

Richard is a valued member of the Chamber of Commerce’s Cyber.Right.Now cybersecurity council. As a part of this exclusive 22-person Council, Packetlabs, alongside members of brands such as Microsoft and Blackberry, communicates with government officials as a trusted voice to offer expert advice and shape policy.

To ensure regulatory compliance, assist with lower cyber insurance premiums, and bolster overall security posture, we serve all industries with the following specializations:

• Retail & Ecommerce

• Financial Services

• Government

• Technology and Software

• Hospital, Health, and Wellness

• Utilities & Energy

• Insurance and Legal Services

• Construction

• Education

• Automotive

• MSP