# Clickjacking

## What is it?

Clickjacking (also known as a "UI redress attack") tricks a user into clicking something different from what they perceive while they interact with a seemingly innocuous web page, potentially revealing confidential information or taking control of their computer. It is achieved by manipulating the visibility and position of page elements.

**A simple example**

A malicious website embeds a transparent iframe of a legitimate website where a valuable action resides (like a "delete all" button). The attacker overlays the iframe with seemingly harmless UI - for example, a button that says "Click here to win a prize!". When a user clicks on this button, they unknowingly perform the action on the legitimate website.

Clickjacking can lead to:

* Unwanted actions performed by the user
* Disclosure of sensitive information
* Potential Remote Code Execution (RCE) if combined with other vulnerabilities

**Other learning resources:**

* OWASP: <https://owasp.org/www-community/attacks/Clickjacking>
* PortSwigger: <https://portswigger.net/web-security/clickjacking>

## Checklist

* [ ] Does the application implement the X-Frame-Options header or equivalent protection (e.g., Content Security Policy)?
* [ ] Can you overlay malicious UI over the application's interface?
* [ ] Can you perform sensitive actions on behalf of the user?
* [ ] Can you trick the user into interacting with the overlaid UI?
* [ ] Does the application prevent being loaded in an iframe?
* [ ] Can you manipulate the opacity an

```html
<!-- Embed the target page in an almost transparent iframe, shifted into position -->
<iframe src="http://target-site.com" style="opacity:0.1; position:relative; top:50px; left:50px;"></iframe>

<!-- Overlay with malicious UI so the click lands on the framed page -->
<button style="position:relative; top:-50px; left:-50px;">Click me</button>
```
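The first checklist item is the one that decides whether the overlay above can work at all: if the response headers forbid framing, the iframe is never rendered. The following is an added example, not code from the page or its author, that evaluates a set of response headers the way a browser does (an enforced `Content-Security-Policy` `frame-ancestors` directive takes precedence over `X-Frame-Options`; a report-only policy and the obsolete `ALLOW-FROM` form do not block anything) and reports whether a given origin may frame the page. The header samples, the origins `https://attacker.example` and `https://target-site.com`, and the function names are this example's own assumptions.

```python
# Added example (not part of the original page): given a page's response
# headers, decide whether a third-party origin may frame it, which is the
# precondition for a clickjacking overlay.  Header samples and origins below
# are constructed for this example.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if
    the policy has no such directive."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_matches(source, framing_origin, page_origin):
    """Does one frame-ancestors source expression cover framing_origin?
    Origins are plain scheme://host[:port] strings."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framing_origin == page_origin
    if source == "*":
        return True
    o = urlsplit(framing_origin)
    if source.endswith(":"):                      # scheme-source such as "https:"
        return o.scheme == source[:-1]
    scheme, _, hostport = source.rpartition("://")
    if scheme and scheme != o.scheme:
        return False
    host, _, port = hostport.partition(":")
    o_port = o.port or DEFAULT_PORTS.get(o.scheme)
    if port and port != "*" and int(port) != o_port:
        return False
    if host.startswith("*."):                     # "*.example.com" covers subdomains only
        return (o.hostname or "").endswith(host[1:])
    return o.hostname == host


def framing_allowed(headers, framing_origin, page_origin):
    """Return (allowed, reason).  Every enforced CSP frame-ancestors directive
    must permit the origin, and when one exists X-Frame-Options is ignored;
    Content-Security-Policy-Report-Only never blocks; ALLOW-FROM is obsolete."""
    policies, xfo = [], None
    for name, value in headers:
        n = name.lower()
        if n == "content-security-policy":
            fa = _parse_frame_ancestors(value)
            if fa is not None:
                policies.append(fa)
        elif n == "x-frame-options" and xfo is None:   # first value only
            xfo = value.strip().lower()
    if policies:
        for fa in policies:
            if not any(_source_matches(s, framing_origin, page_origin) for s in fa):
                return False, "blocked by CSP frame-ancestors"
        return True, "CSP frame-ancestors permits this origin"
    if xfo == "deny":
        return False, "blocked by X-Frame-Options: DENY"
    if xfo == "sameorigin":
        if framing_origin == page_origin:
            return True, "same-origin framing allowed by X-Frame-Options"
        return False, "blocked by X-Frame-Options: SAMEORIGIN"
    if xfo is not None and xfo.startswith("allow-from"):
        return True, "ALLOW-FROM is obsolete and ignored by modern browsers"
    if xfo is not None:
        return True, "unrecognised X-Frame-Options value is ignored"
    return True, "no framing protection present"


# The fix that closes the finding: CSP for current browsers, XFO as the
# fallback for browsers that do not support frame-ancestors.
HARDENED_HEADERS = [
    ("Content-Security-Policy", "frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
]

# Constructed header sets, weakest to strongest, as a tester might record them.
SAMPLES = {
    "no protection": [("Content-Type", "text/html")],
    "report only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "csp wildcard host": [("Content-Security-Policy",
                           "default-src 'self'; frame-ancestors 'self' https://*.trusted.example")],
    "csp overrides xfo": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "frame-ancestors *")],
    "hardened": HARDENED_HEADERS,
}


def assess(framing_origin="https://attacker.example", page_origin="https://target-site.com"):
    """Evaluate every sample from the attacker's framing origin."""
    return {label: framing_allowed(h, framing_origin, page_origin) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in assess().items():
        print(f"{label:18} {'FRAMEABLE' if allowed else 'protected':10} {reason}")
```

Running it prints one line per sample; the first three are reported as frameable even though two of them carry a header that looks protective, which is exactly the case the checklist's "or equivalent protection" wording is meant to catch. A real assessment would feed the function the headers captured from the application's responses (for example from a proxy log) rather than the constructed samples.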

