Clickjacking attack is also known as a “UI redress”, is when an attacker uses various transparent or opaque layers to fool a victim into clicking on a button or link on another page when they were expecting to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another web page.
In its basic form, a UI redress attack involves the attacker’s web page loading the target application within an iframe on the attacker’s page. In effect, provided by the attacker. The attacker’s interface includes content to attract the
user and induce him to do actions such as clicking the mouse in a particular area of the web page.
When the user makes these actions, although it appears that he is clicking the buttons and other UI elements that are visible in the attacker’s interface, he is unwittingly interacting with the interface of the application that is being targeted.
For example, assume a banking function to execute a payment transfer requires two steps. In the first step, the user submits the details of the transfer. The response to this request displays these details, and also a button to verify the action and make the payment. Furthermore, in an attempt to prevent CSRF attacks, the form in the response includes a hidden field containing a random token. This token is submitted when the user clicks the Verify button and the application verifies its value before transferring the funds.
In the Clickjacking attack, the attacker’s page submits the first request in this process using conventional CSRF. This is done in an iframe within the attacker’s page. As it does normally, the application responds with the details of the user to be added and a button to verify the action. This response is “displayed” within the attacker’s iframe, which is covered with the attacker’s interface designed to induce the victim to click the region containing the verify button. When the user clicks in this region, he is unwittingly clicking the verify button in the target application, so the new user gets created.