Trusted answers to developer questions
Trusted Answers to Developer Questions

Related Tags


What is a click-jacking attack?

Rukhshan Haroon

A click-jacking attack is a type of web-security vulnerability in which an invisible web page can be inserted into the background of a dummy display page visible to the user.

Such an attack intends to mislead the user and is typically employed to steal clicks or extract sensitive information.

Stealing sensitive data

As mentioned earlier, a click-jacking attack may be used to steal key-strokes or sensitive data.

To do so, the attacker inserts a dummy page in the background. The dummy page is visible to the user and may look identical to some other web page that the user considers trustworthy. The foreground is made up of an invisible, malicious web page that is actually operational.

In this way, the user is tricked into believing that they have safely landed on the dummy page, but in reality, they are unknowingly inputting information to the invisible page.

For example, an attacker could place an invisible form and login button over the homepage of Facebook to secretly collect the user’s email and password. The invisible form and button must be placed directly on top of the original placeholders and button to trick the user.

Click-jacking attack illustration.

Stealing clicks

To steal clicks, the attacker can place the dummy page in the background and the original page, for which they wish to steal clicks, in the foreground. The page in the foreground is invisible to the victim.

For example, the attacker could inject as iframe an entertaining video. On top of this dummy web page, they can place an invisible ad. Upon clicking the play button to play the video, the user would click on the advertisement, which is invisible to them.


To safeguard websites from click-jacking attacks, two major defense mechanisms are employed in commercial websites.

Frame Busting is a technique that ensures that the vulnerable web pages of a website can not be injected as an iframe in some other web page.

On the other hand, the HTTP X-Frame-Options header enables a website to white-list domains that add it as an iframe. Only domains listed in this list that are trusted and secure can add it as an inframe.




Rukhshan Haroon
Copyright ©2022 Educative, Inc. All rights reserved

View all Courses

Keep Exploring