
Clickjacking

An attack that tricks users into clicking hidden elements on a transparent overlay, performing unintended actions on a trusted website.

Tags: vulnerability, browser security, UI attack

Clickjacking (also known as UI redressing) is an attack in which a malicious page embeds a target website in an invisible iframe and positions it so that clicks the user intends for the visible decoy page land on controls of the hidden target site. Because the browser loads the framed page with whatever session the victim already has there, the click is performed in the victim's authenticated session. This can trick users into changing settings, making purchases, or granting permissions without their knowledge.

The attack works by layering an invisible iframe over a decoy page: the iframe is typically styled with opacity: 0, positioned absolutely with a high z-index, and offset so that the target site's sensitive button sits exactly under the decoy's visible button. When the user clicks what they think is a button on the visible page, they are actually clicking the button on the hidden target site where they are already authenticated.

Defenses include the X-Frame-Options header (DENY or SAMEORIGIN; the older ALLOW-FROM value is deprecated and ignored by modern browsers), the Content-Security-Policy frame-ancestors directive (the modern replacement), and JavaScript frame-busting code (less reliable, since an attacker can neutralize it with the iframe sandbox attribute). The CSP frame-ancestors directive is the recommended approach: it can allow a specific list of origins rather than only "none" or "same origin", and when both headers are present, browsers that support frame-ancestors use it and ignore X-Frame-Options, so a permissive frame-ancestors silently overrides a strict X-Frame-Options next to it. Cookies marked SameSite=Lax or Strict are not sent to a cross-site iframe, which blunts clickjacking against cookie-authenticated pages, but this is a mitigation rather than a substitute for frame-ancestors.

How APVISO tests for this: APVISO's scanner agent checks for missing or misconfigured X-Frame-Options and CSP frame-ancestors headers. It verifies that sensitive pages (login, settings, payment) are properly protected against framing by external sites.

Test your applications for clickjacking vulnerabilities

APVISO's AI agents automatically test for this and many more vulnerability categories.
