Skip to main content

Clickjacking Attacks

Frames / Windows: Clickjacking Attacks

Can you explain what Clickjacking is?

View Answer:
Interview Response: Clickjacking is a malicious technique where a user is tricked into clicking on hidden elements, often leading to unintended actions, like sharing sensitive information or downloading malware.

How does Clickjacking work?

View Answer:
Interview Response: Clickjacking works by overlaying invisible, interactive elements over benign webpage content. Users believe they're clicking on visible elements, while actually interacting with the unseen layer, unknowingly performing unwanted actions.

Code Example:

Here's a simplified code example to demonstrate a clickjacking attack:

<!-- Malicious Page: attacker.html -->
#invisibleButton {
position: absolute;
opacity: 0;
width: 200px;
height: 100px;
z-index: 9999;
/* other styles to make it visually hidden */
<h1>Click This Button!</h1>
<iframe src="" width="800" height="400"></iframe>
<button id="invisibleButton"></button>

// The button is positioned on top of the legitimate website
// and is visually hidden, tricking users into clicking it
document.getElementById("invisibleButton").addEventListener("click", function () {
// Perform malicious action here, such as unauthorized transactions or data theft
console.log("You have been clickjacked!");

In this example, the attacker creates a malicious webpage (attacker.html) with an invisible button (#invisibleButton) layered on top of a legitimate website shown within an iframe. When unsuspecting users visit the attacker's page, they are tricked into clicking the invisible button, triggering the malicious action (in this case, an console.log message).

It's important to note that actual clickjacking attacks can be more sophisticated and involve complex techniques to conceal the malicious elements and deceive users effectively.

What are the potential consequences of Clickjacking?

View Answer:
Interview Response: Clickjacking can lead to unintended actions such as unauthorized transactions, privacy violation, forced downloads of malicious software, and theft of sensitive information like passwords or credit card details.

What is frame-busting code?

View Answer:
Interview Response: Frame-busting code is JavaScript code used by websites to prevent their pages from being displayed within a frame (or iframe) of another site, thus protecting against clickjacking and other security threats.

Code Example:

Here's a basic example of a frame-busting script. This script checks if the current window is the top window. If it's not (meaning it's within a frame), it replaces the content of the top window with its own.

if (top != self) {
top.location = self.location;

However, this simple frame-busting method can be circumvented by modern "frame-busting busting" techniques. A more secure solution, whenever possible, is to use the X-Frame-Options HTTP response header:

X-Frame-Options: SAMEORIGIN

This option disallows the browser from rendering a page in a frame, iframe, or object unless the site including it is the same as the page itself. Other options include DENY (disallows all framing) and ALLOW-FROM uri (allows framing by a specific URI).

What is the X-Frame-Options header?

View Answer:
Interview Response: The X-Frame-Options is an HTTP response header used to indicate whether a browser should be allowed to render a page within a frame or iframe.

Code Example:

In Node.js with Express.js:

app.use(function(req, res, next) {
res.setHeader('X-Frame-Options', 'SAMEORIGIN');

In this example, the X-Frame-Options header is set to SAMEORIGIN, which means the page can only be displayed in a frame on the same origin as the page itself. Other possible values are DENY (no framing allowed) and ALLOW-FROM uri (allows framing by a specific URI).

What is Content Security Policy (CSP)?

View Answer:
Interview Response: Content Security Policy (CSP) is a security standard that helps prevent attacks by specifying trusted content sources and disallowing the loading of resources from other origins.

Code Example:

You can set a Content Security Policy by adding a Content-Security-Policy HTTP header in the server's responses.

Here's an example:

Content-Security-Policy: default-src 'self'; img-src 'self'; script-src 'self'

In this example:

  • default-src 'self': Only load resources (like scripts, images, styles, etc.) from the same origin as the page itself.
  • img-src 'self' Images can be loaded from the page's origin and also from
  • script-src 'self': Scripts can only be loaded from the page's origin.

This effectively limits where resources can be loaded from, reducing the risk of injection attacks.

How can JavaScript detect Clickjacking attempts?

View Answer:
Interview Response: JavaScript can detect clickjacking attempts by comparing the window's top object to the self object. If they differ, the script could be running within a frame, suggesting clickjacking.

Code Example:

Here's a simple JavaScript code snippet that checks if a page is being framed, which might indicate a clickjacking attempt:

if ( !== window.self) {
// The page is in a frame, this could be a clickjacking attempt
console.log("This page may be subject to a Clickjacking attack!");

In this code, refers to the topmost window in the hierarchy of window objects, while window.self refers to the current window. If they are not the same, then the current page is inside a frame or an iframe.

How can Clickjacking attacks be prevented?

View Answer:
Interview Response: Defenses against clickjacking include implementing X-Frame-Options HTTP response headers that prevent site framing and employing frame-busting JavaScript code to disrupt the framing process.

Code Example:

Here are code examples for each:

  1. X-Frame-Options HTTP Response Headers: If you're in control of the server, you can include this HTTP header in your responses:
X-Frame-Options: SAMEORIGIN

This option allows your site to be framed only by pages on the same domain. Frame Busting (Novice Approach: not recommended)

Frame-busting JavaScript Code: Frame-busting code can be included in the head of your HTML to ensure the page can't be framed. Here's a simple example:

if (top !== self) top.location.replace(self.location.href);

This code checks if the current window (self) is the topmost window (top). If it's not (meaning the page is being framed), it changes the topmost URL to match the current page's URL, essentially breaking out of the frame.


Please note that these code examples provide a basic understanding of the approaches and may need to be adapted based on specific server configurations and coding practices.

What is UI redressing?

View Answer:
Interview Response: UI redressing, also known as clickjacking, is a malicious technique where an attacker manipulates the appearance of a website to deceive users into performing unintended actions, often used in clickjacking attacks.

Code Example:

<div style="position:relative; width:200px; height:200px;">
<iframe src=""
style="opacity:0; position:absolute; width:100%; height:100%;">
<button style="position:relative;">Click me for a free cookie!</button>

Here, a user thinks they're clicking a button for a free cookie, but they're actually interacting with an invisible iframe over the button. The real action might be something harmful, like deleting an account on the "" page.

What is the role of the 'sandbox' attribute in preventing Clickjacking?

View Answer:
Interview Response: The `sandbox` attribute in HTML5 restricts the actions an iframe can perform, potentially preventing clickjacking by disabling scripts, forms, or links to other pages, unless explicitly allowed.

Code Example:

Here is an example of using the sandbox attribute with an iframe:

<iframe src="" sandbox="allow-scripts allow-forms"></iframe>

In this example, the sandbox attribute is set to allow-scripts allow-forms. This means the framed content is allowed to run scripts and submit forms. Without these explicit allowances, the sandbox attribute would block these operations. Other potential values include allow-same-origin, allow-popups, and allow-top-navigation.

However, if the attribute is set without any value:

<iframe src="" sandbox></iframe>

It applies the strictest restrictions: the framed content cannot run scripts, submit forms, or navigate the top page, effectively isolating it and providing a strong defense against clickjacking.

How does the 'X-Content-Type-Options' header help prevent Clickjacking?

View Answer:
Interview Response: Actually, the 'X-Content-Type-Options' header does not help prevent clickjacking. It helps prevent MIME type sniffing, a completely different security issue. The correct header for clickjacking is 'X-Frame-Options'.

Code Example:

In Node.js with Express.js:

app.use(function(req, res, next) {
res.setHeader('X-Content-Type-Options', 'nosniff');

This 'nosniff' option helps to prevent the browser from trying to MIME-sniff the content type and forces it to use the type given in the 'Content-Type' header.

How does the 'frame-ancestors' directive in Content Security Policy (CSP) mitigate Clickjacking?

View Answer:
Interview Response: The `frame-ancestors` directive in Content Security Policy (CSP) specifies valid parents that may embed a page using `frame`, `iframe`, `object`, or `embed`. It helps to mitigate clickjacking by controlling which origins can embed the resource.

Code Example:

Here's how you might set it:

app.use(function(req, res, next) {
res.setHeader("Content-Security-Policy", "frame-ancestors 'self'");

In this Node.js/Express example, the server sets the frame-ancestors directive to only allow the page to be framed by the same origin ('self') or ''. This can prevent the page from being framed by potential clickjacking sites.

What is a reverse Clickjacking attack?

View Answer:
Interview Response: Reverse clickjacking is when an attacker uses a legitimate website's functionality against itself by tricking users into interacting with it in unintended ways, usually through a disguised overlay.

How can the JavaScript 'window.blur()' method be used to counter Clickjacking?

View Answer:
Interview Response: The `window.blur()` method can't effectively counter clickjacking. Its function is to remove focus from the current window, but it doesn't prevent a site from being framed or users from interacting with hidden elements.

What are the challenges in detecting and preventing Clickjacking attacks on mobile devices?

View Answer:
Interview Response: Mobile clickjacking is challenging due to user-interface redressing, smaller screens causing overlapping elements, lack of visibility of full URLs, and less robust security options available in mobile browsers.

Can Clickjacking be exploited without JavaScript?

View Answer:
Interview Response: Yes, clickjacking can be exploited without JavaScript. It can be achieved purely through HTML and CSS, by using frames and CSS properties to overlay invisible interactive elements over visible content.

Code Example:

<div style="position:relative;">
<iframe src="" style="opacity:0; position:absolute; width:100px; height:100px;"></iframe>
<button style="position:relative;">A harmless button</button>

How can the 'X-Frame-Options' header be set using JavaScript?

View Answer:
Interview Response: The `X-Frame-Options` header cannot be set using JavaScript. It's an HTTP response header that must be set on the server-side by the server or application handling the response.

Are modern browsers effective at preventing Clickjacking attacks?

View Answer:
Interview Response: Modern browsers have implemented various security measures like the X-Frame-Options header, Content Security Policy (CSP), and frame-busting scripts, making them more effective at preventing Clickjacking attacks.