What is click-jacking?  From the OWASP Website, Click-jacking is defined as:

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

Basically an attacker loads a portion of another website on their malicious web site in order to trick the user into clicking on something that they did not intend to.

In order for click-jacking to be possible, the vulnerable website must have the web site X-Frame-Options set to something other than “SAMEORIGIN”.  Typical options that can be set for the site X-Frame-Options are listed below:

SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
DENY: Prevents a web page displaying in any kind of frame.
ALLOW-FROM URI: This setting will allow a web page to only be displayed from the specified URI.

Many modern browsers will prevent a click-jacking attack even if the web site in vulnerable.  The examples below were done using the Mozilla Firefox browser.

The link below can be used to test a site for the click-jacking vulnerability.

As you can see from the example below, github.com is not vulnerable.


But, the site below is vulnerable to click-jacking, as the site was able to be loaded into out test site’s iframe.