What Is Clickjacking?
Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.
Clickjacking is a web attack that tricks a user into clicking something different from what they think they are clicking. In a clickjacking scenario, the attacker hides, overlays, or disguises a real web element so the victim’s click triggers an unintended action, often while the user is already signed in to a trusted site.
If you are reviewing related browser risks, it also helps to understand what is csrf and what is phishing, since all three involve misleading user actions in different ways.
Clickjacking definition
Clickjacking is sometimes called UI redressing because the attacker manipulates what the user sees in the browser. Instead of directly breaking authentication or exploiting a server flaw, the attacker abuses the victim’s normal interaction with a page.
In simple terms, the victim thinks they are clicking a harmless button, but the click actually lands on a hidden control from another page.
How clickjacking works
A basic clickjacking attack usually follows a clear pattern.
1. The attacker creates a deceptive page
The attacker starts with a page that looks harmless or attractive to click. It might appear to be:
- A video player
- A prize claim page
- A quiz or game
- A download button
- A fake confirmation step
The visible content is designed to guide where the victim clicks.
2. A legitimate page is loaded invisibly or partly hidden
Behind or on top of the attacker-controlled content, the page loads a real page from another site, often inside an iframe. The attacker carefully positions that hidden element so a sensitive button sits exactly where the victim is likely to click.
For example, the victim may think they are clicking:
- Play
- Continue
- Accept
- Download
But the actual click lands on a control such as:
- Approve an application
- Change an account setting
- Enable camera or microphone access
- Submit a form
- Trigger a purchase or transfer
- Grant permissions to a third party
3. The victim performs the action while authenticated
Clickjacking works best when the victim is already logged in to the targeted site. Because the browser carries the user’s active session, the target application may treat the action as legitimate.
That is why clickjacking is often described as an attack on context and trust. The site may behave exactly as designed, but the user has been deceived about what they clicked.
4. The attacker benefits from the unintended action
The impact depends on what the hidden control does. A successful clickjacking attack could result in:
- Changed privacy or security settings
- Approved third-party app access
- Form submission
- Social actions on behalf of the user
- Permission grants
- Sensitive workflow approval
Common clickjacking techniques
Attackers can implement clickjacking in different ways, but common techniques include:
- Transparent or near-transparent frames
- Layered page elements with misleading buttons
- CSS positioning that aligns hidden controls under visible content
- Timed movement of elements just before the click
- Multi-step click flows that guide the victim through several actions
Modern browsers and application frameworks reduce some older attack paths, but the core idea remains the same: make the user click one thing while activating another.
Why clickjacking matters
Clickjacking usually is not about malware delivery or password theft. It is about making a legitimate user take an action they did not intend to take.
That matters because a single click can sometimes:
- Change account recovery settings
- Approve OAuth access
- Weaken privacy settings
- Accept permissions
- Confirm a sensitive action
- Help an attacker prepare for a later compromise
In other words, the application may trust the action because it came from a valid session, even though the user was manipulated.
How sites defend against clickjacking
The main defense is stopping sensitive pages from being embedded by other sites.
X-Frame-Options
The X-Frame-Options response header tells the browser whether a page can be displayed in a frame. This is one of the classic defenses against clickjacking.
Content Security Policy frame controls
A Content Security Policy using the frame-ancestors directive can define which origins are allowed to frame the page. This is a more flexible and modern framing control.
Re-authentication for sensitive changes
For high-risk actions, applications can require the user to re-enter credentials or confirm identity again. That adds friction that makes deceptive single-click approval harder.
Confirmation steps for important actions
Sensitive workflows can include clear confirmations, warning screens, or out-of-band approval steps before the change is finalized.
Secure UI design
Applications can reduce risk by carefully designing permission prompts, account changes, and approval flows so important actions are harder to trigger accidentally.
When you will encounter clickjacking
Clickjacking comes up most often in web application security and secure development work.
Application security testing
Penetration testers, bug bounty researchers, and AppSec teams often check whether important pages can be framed by other sites. If they can, the next question is whether a user could be tricked into performing an unintended action.
Sensitive account actions
Clickjacking matters most when a single click can change something important, such as:
- Updating account recovery settings
- Authorizing a third-party integration
- Enabling device permissions
- Making purchases or transfers
- Changing visibility or sharing settings
SaaS and browser-based platforms
Admin panels, collaboration tools, customer portals, and social platforms are all relevant because authenticated users routinely take actions through a browser interface.
Security header reviews
IT and security teams often encounter clickjacking during hardening reviews when checking whether applications use X-Frame-Options or Content-Security-Policy correctly.
How users and teams can reduce risk
Developers need to fix the root issue, but a few practical controls still help reduce exposure.
- Keep browsers updated
- Avoid clicking through suspicious pages or bait content
- Use strong account security with a password manager like 1Password so broader account misuse is harder after an approval mistake
- Maintain endpoint protection with tools like Malwarebytes in case a deceptive page is part of a larger malicious chain
These steps do not replace application-side protections, but they can help limit overall risk.
Bottom line
Clickjacking is a browser-based deception attack that causes users to click hidden or disguised controls on trusted sites. It does not need to steal a password if it can make a logged-in user approve the attacker’s next step instead.