Clickjacking has remained on the periphery of security departments’ attention for years – regarded more as a threat to user convenience than to system integrity.
Meanwhile, reality is changing faster than approaches to application protection. In the era of complex client-server environments, clickjacking is increasingly becoming a launching point for more advanced attack scenarios.
And it is this first click – usually inconspicuous and accidental – that can open the way to serious incidents.
In its simplest terms, clickjacking is about getting the user to click on something other than what they think. Embedded in the code of a website, a transparent iframe or a cleverly concealed HTML element can redirect the user, activate unwanted functions or… launch the next stages of the attack.
And it is this last option that is particularly dangerous today.
Increasingly, clickjacking is not an end in itself, but part of a larger chain of attack (so-called attack chaining), in which each stage serves to prepare the ground for the next.
For cybercriminals, this means greater efficiency. For companies – potentially greater risk of unnoticed application vulnerabilities.
Example? A user clicks on a seemingly secure “Login” button embedded in a phishing version of a well-known portal.
In reality, this button redirects to a malicious version of the login page or initiates a script that captures login data. If this step is successful, the attackers have access to session cookies (cookiejacking), which can be used for further actions – such as taking over an account, gaining privileges on a company system or infecting the working environment.
In many cases, clickjacking is also used as a ‘silent accomplice’ to other techniques such as DOM XSS, i.e. malicious modification of code on the browser side.
Combined with clickjacking, this allows an attacker to take control of the app interface and perform actions without the user’s knowledge – adding a product to the basket, changing the delivery address or modifying security settings.
Attacks based on combining clickjacking with other techniques are particularly difficult to detect.
Traditional security systems – such as web application firewalls (WAFs) or SIEM solutions – may not treat clickjacking as a real threat at all, because detecting it requires analysis of user behaviour and client-side code that these tools do not perform on their own.
The problem is exacerbated by the fact that many companies do not include clickjacking in their penetration testing procedures.
This is a gap in the security mentality: a focus on the backend, server code and data in the cloud to the exclusion of the seemingly trivial interface layer.
In the age of web applications that largely run on the user’s browser side, frontend security is no longer an add-on – it is becoming an integral part of the DevSecOps strategy.
Frameworks such as React, Angular or Vue, while powerful and flexible, often do not include native protection against clickjacking. This requires additional action from development and security teams.
To make matters worse, the browsers themselves do not always provide sufficient support.
Although modern environments offer mechanisms such as the Intersection Observer API, putting them to use still requires conscious action on the part of the development team.
Despite the availability of effective mechanisms to prevent clickjacking, many organisations do not implement them.
The reasons? Often trivial: lack of awareness, a belief that the risk is low and sometimes fear of losing functionality.
Proven protection methods include:
- CSP (Content Security Policy) with the `frame-ancestors` directive, which restricts which origins may embed the page in frames.
- The X-Frame-Options header, which blocks loading of the page in a frame either entirely (`DENY`) or from any other origin (`SAMEORIGIN`).
- Frame busting – an older but still effective technique that prevents a page from being displayed in an iframe.
- Browser extensions such as NoScript or NoClickjack, although these may interfere with the operation of some applications.
These are simple steps that can be automated or implemented as part of CI/CD. And yet many providers of SaaS applications, online shops or service portals still do not apply them.
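As an added example of the CI/CD automation mentioned above (this is not code from the original article), the script below does two things: it generates the hardened framing headers a server should send, and it inspects the response headers of a page and reports whether framing is actually blocked. The header names and values (`Content-Security-Policy: frame-ancestors`, `X-Frame-Options: DENY`/`SAMEORIGIN`) are the real ones; the function names, the sample header sets and the `https://portal.example` origin are this example’s own assumptions.

```javascript
// Added example: a CI-style check for clickjacking protection headers.
// Assumption: `headers` is a plain object of header name -> string value, as
// Node's http module or a fetch() Response's headers can be converted to.

// Parse a Content-Security-Policy value into a Map of directive -> source list.
// Browsers honour only the first occurrence of a directive, so later duplicates
// are ignored here as well.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Decide whether the page can be embedded by a third-party origin.
// Returns { protected, protectedBy, findings } so a pipeline can fail the build
// on `protected === false` and print the findings.
function assessFramingProtection(headers) {
  // Normalise header names to lower case so callers can pass either form.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];
  let protectedBy = null;

  const csp = h["content-security-policy"];
  if (csp) {
    const ancestors = parseCsp(csp).get("frame-ancestors");
    if (ancestors === undefined) {
      findings.push("CSP is present but has no frame-ancestors directive");
    } else if (ancestors.some((s) => s === "*" || s === "http:" || s === "https:")) {
      findings.push("frame-ancestors allows any origin: " + ancestors.join(" "));
    } else {
      protectedBy = "csp"; // 'none', 'self' or an explicit origin list
    }
  } else if (h["content-security-policy-report-only"]) {
    findings.push("CSP is only in report-only mode; nothing is enforced");
  }

  const xfo = h["x-frame-options"];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY" || v === "SAMEORIGIN") {
      protectedBy = protectedBy || "x-frame-options";
    } else if (v.startsWith("ALLOW-FROM")) {
      findings.push("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers");
    } else {
      findings.push("X-Frame-Options has an invalid value: " + xfo);
    }
  }

  if (protectedBy === null) findings.push("page can be framed by any origin");
  return { protected: protectedBy !== null, protectedBy, findings };
}

// Headers a server should send. CSP frame-ancestors is the primary control;
// X-Frame-Options is kept as a fallback for browsers without CSP level 2.
// `allowedOrigins` lists legitimate embedders (e.g. a company portal), which
// CSP can express and X-Frame-Options cannot.
function framingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "DENY",
    };
  }
  return {
    "Content-Security-Policy": "frame-ancestors 'self' " + allowedOrigins.join(" "),
    // X-Frame-Options cannot list origins; SAMEORIGIN is the closest fallback.
    "X-Frame-Options": "SAMEORIGIN",
  };
}

// Constructed sample: a response whose CSP exists but never mentions framing
// (a common real-world gap) versus the hardened header set.
const weakResponseHeaders = { "content-security-policy": "default-src 'self'" };
console.log("weak:", assessFramingProtection(weakResponseHeaders));
console.log("hardened:", assessFramingProtection(framingHeaders()));
```

Running `assessFramingProtection` against the headers returned by a deployed page is enough to gate a release on framing protection; the headers are enforced by the browser before any page script executes, which is the design choice that makes them suitable for automation.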
Clickjacking is no longer just a trick for social engineers. It is a mature tool that, in the hands of a skilled attacker, can be used to take control of a system – and do so without leaving visible traces. In the architecture of modern applications, every user interaction can be a potential attack vector. And protecting the user interface layer is becoming no less important today than securing databases.
For companies, this means one thing: it’s time to stop ignoring the first click.