Clickjacking
A web attack that tricks users into clicking something different from what they see, by overlaying a hidden malicious element on top of a legitimate page.
Also known as: UI redressing, iframe overlay attack, cursor jacking
Last reviewed: 1 June 2026
Clickjacking (also called UI redressing) exploits the browser's ability to layer transparent or opaque HTML elements over one another. An attacker embeds a target site, such as a bank or social media page, in a hidden iframe and positions it beneath an enticing visible button or image. The user believes they are clicking a harmless element, but the click actually lands on an invisible control on the underlying page that performs an action such as approving a transaction, enabling a webcam, or liking a post.
The attack requires no code injection into the target site; it abuses only the browser's rendering and iframe capabilities. Because the framed page loads with the victim's own session, victims may unknowingly make payments, change account settings, or grant app permissions without any visible indication that something went wrong.
Website owners defend against clickjacking by sending the X-Frame-Options header (DENY or SAMEORIGIN) or the frame-ancestors directive of the Content-Security-Policy header, which tell the browser not to render the page inside iframes on foreign domains; when both are present, browsers honour frame-ancestors. Browsers also support the SameSite cookie attribute: a session cookie marked Lax or Strict is not sent when the page is loaded in a cross-site iframe, which reduces cross-site request risks.
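The header logic above, as an added example that is not part of the original page: a small Python checker that decides whether a browser would render a page inside a frame on another origin, given the page's response headers. The origins and headers used in the test are constructed; the parser handles 'none', 'self', '*', scheme sources and host sources with a leading wildcard, and does not attempt port wildcards or path matching.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin, filling in default ports."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def source_allows(src, page, framer):
    """Match one CSP frame-ancestors source expression against the framing origin."""
    src = src.strip().strip("'").lower()
    if src == "none":
        return False
    if src == "self":
        return framer == page
    if src == "*":
        return True
    if src.endswith(":"):                 # scheme-source such as https:
        return framer[0] == src[:-1]
    if "://" not in src:                  # bare host-source: inherit the page's scheme
        src = page[0] + "://" + src
    scheme, host, port = origin_of(src)
    host_ok = framer[1] == host or (host.startswith("*.") and framer[1].endswith(host[1:]))
    return framer[0] == scheme and host_ok and framer[2] == port


def frameable_by(headers, page_url, framer_url):
    """True if a browser would render page_url inside a frame hosted at framer_url.

    frame-ancestors wins when present; X-Frame-Options is the fallback; no recognised
    header at all leaves the page frameable from anywhere (the clickjacking precondition).
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(source_allows(s, page, framer) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True  # absent or unrecognised (e.g. obsolete ALLOW-FROM), which browsers ignore
```

Run it against the headers your own site actually returns: a result of True for a foreign origin means the page can still be framed and is a candidate for the overlay described above.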
Examples
- A visitor to a gaming site thinks they are clicking a 'Play Now' button but are actually clicking a hidden 'Confirm Payment' button on their bank's site loaded in a transparent iframe.
- A 'You've won a prize' popup overlays a hidden permission dialog granting a malicious app access to the victim's microphone.