Clickjacking tricks a user into performing an unintended action on a target website: the user believes they are clicking one element, but is in fact clicking a page element that is invisible or disguised as something else. The consequences can include downloading unwanted malware, being redirected to malicious websites, disclosing sensitive information, transferring money, or purchasing a product on an e-commerce site. Two types of clickjacking attack are likejacking, which manipulates the Facebook “Like” button, and cursorjacking, a form of User Interface (UI) redressing that shifts the apparent position of the cursor away from its true position.
HTML frames, and iframes in particular, can display one web page inside another. This lets an attacker place a cloned page that looks familiar to the user over an invisible layer built with malicious JavaScript and UI elements. When the user clicks an element on the cloned page, the hidden element beneath it receives the click and the attacker's script runs instead. The frame ensures that the execution of the malicious code is not obvious to a user who sees only familiar elements. A similar technique is used in keystroke hijacking: with a carefully constructed combination of stylesheets, iframes and text boxes, a user can be led to believe they are typing the password to their email or bank account when they are actually typing into an invisible frame under the attacker's control.
Although simple to carry out, clickjacking can serve as a launchpad for a range of other attacks, from serious ones such as installing malware or stealing credentials to less harmful ones such as inflating click statistics on unrelated websites, increasing ad revenue, harvesting Facebook likes, or raising YouTube view counts. Clickjacking can also be the initial step of an advanced persistent threat (APT), which is extremely harmful to organizations and institutions that must safeguard intellectual property or private and sensitive data.
A representative clickjacking attack is one in which an attacker replicates a banking site and uses iframes to route the GET requests sent through the site's invisible elements. In a banking scenario, the worst outcome of the user's click is a transfer of the user's funds to the attacker's account. The attacker mimics each element so that the user is shown frames reporting successful completion of the intended action. A real-world case targeted the settings page of the Adobe Flash plugin: by loading the Flash settings page into an invisible iframe, the attackers tricked users into changing Flash's security settings and allowing Flash animations to use resources such as the microphone and camera.
Clickjacking can be mitigated client-side with frame-busting code or by disabling JavaScript, or server-side with the X-Frame-Options HTTP header, which is considered more effective. X-Frame-Options lets the site owner publish content without an attacker being able to embed it in an invisible frame: DENY forbids framing altogether, while SAMEORIGIN and ALLOW-FROM permit framing under the stated conditions. In addition, a Content Security Policy (CSP) should be used to disallow all framing or to specify where it is allowed; the frame-ancestors directive plays the same role as X-Frame-Options, with values such as 'none', 'self' or example.com. Vulnerability to framing can be detected manually by building a test page that embeds the original site in an iframe and checking whether it loads. Moreover, authentication cookies should be set with SameSite=Strict (or Lax) unless they explicitly require None, and defensive UI code should ensure that the current frame is the top-level window. Because clickjacking is an application-level vulnerability, a Web Application Firewall (WAF) is also an effective way to filter traffic to and from the application.
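As an added example (not code from the page or its sources), the following Python checker evaluates a response's headers against the defences just listed: X-Frame-Options, CSP frame-ancestors and the SameSite attribute on cookies. The functions assess and frame_ancestors and all sample header values are constructed for this example; it also flags the obsolete ALLOW-FROM form, which current browsers ignore.

```python
# Added example: assess a response's headers for the clickjacking defences
# described above. Function names and all sample inputs are constructed.
from dataclasses import dataclass, field

@dataclass
class Assessment:
    framing_protected: bool = False   # a browser-enforced anti-framing control is present
    findings: list = field(default_factory=list)

def frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def assess(headers: dict, set_cookies=()) -> Assessment:
    """headers: single-valued response headers; set_cookies: raw Set-Cookie values."""
    h = {k.lower(): v for k, v in headers.items()}
    result = Assessment()
    csp, xfo = h.get("content-security-policy"), h.get("x-frame-options")
    ancestors = frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:
        # When both headers are sent, CSP frame-ancestors takes precedence over X-Frame-Options
        if "*" in ancestors:
            result.findings.append(f"frame-ancestors too permissive: {ancestors}")
        else:
            result.framing_protected = True
    elif csp is not None:
        result.findings.append("CSP present but has no frame-ancestors directive")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            result.framing_protected = True
        elif value.startswith("ALLOW-FROM"):
            result.findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
        else:
            result.findings.append(f"unrecognised X-Frame-Options value {xfo!r}")
    if not result.framing_protected:
        result.findings.append("no effective anti-framing header: page can be embedded by any origin")
    for cookie in set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = [p.strip().lower() for p in cookie.split(";")[1:]]
        samesite = next((x.split("=", 1)[1] for x in attrs if x.startswith("samesite=")), None)
        if samesite is None or samesite == "none":
            result.findings.append(f"cookie {name!r} lacks SameSite=Strict/Lax (value: {samesite})")
    return result
```

A hardened deployment sends both X-Frame-Options and frame-ancestors, so older and newer browsers are each covered; the checker reports the page as protected if either effective control is present.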