Clickjacking Demo

Clickjacking Vulnerability Demo

Clickjacking

Clickjacking is a technique where attackers trick users into clicking on something different from what they perceive. This is typically done by layering a transparent element, usually an invisible iframe of the target site, over a decoy button or link that the user actually wants to click.

Try to identify what happens when you interact with the demonstration below.

In the demo, a transparent button that deletes your account is positioned directly on top of the visible "Click here to win a prize!" button. In a real attack, that transparent layer is an iframe of the target site, shifted so that its sensitive control lines up exactly with the decoy.

When you click the visible button, the click lands on the transparent button layered on top of it, not on the button you see.

This demonstrates why websites should prevent their content from being embedded in iframes on other sites, using the X-Frame-Options HTTP header and the Content-Security-Policy frame-ancestors directive, with frame-busting code only as an additional layer.

Win a Prize!
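The following is an added example, not part of the demo page's own code, showing how the attacker side of such a demo is assembled: a visible decoy button, and above it a fully transparent iframe of the victim page positioned so that the victim's sensitive control sits exactly under the decoy. The victim URL and the coordinates of its control are placeholders.

```javascript
// Added example (not the demo page's own code): how the attacker-side
// overlay in a clickjacking demo is assembled. The victim URL and the
// coordinates of its sensitive control are placeholders.

const DECOY_POSITION = { x: 100, y: 120 }; // where the visible decoy is drawn

// Minimal HTML escaping so the generated markup stays well-formed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Shift the framed victim page so that the control at `control`
// (coordinates inside the victim page) lands exactly on the decoy.
function iframeOffset(decoy, control) {
  return { left: decoy.x - control.x, top: decoy.y - control.y };
}

// Build the attacker page: a visible decoy button, and above it a fully
// transparent iframe of the victim page. The iframe is topmost in the
// stacking order, so every click on the "decoy" actually reaches the
// framed page. Set opacity to 0.5 while aligning, then back to 0.
function buildClickjackPage({ targetUrl, decoyLabel, targetControl, opacity = 0 }) {
  const { left, top } = iframeOffset(DECOY_POSITION, targetControl);
  return `<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>
  #decoy {
    position: absolute; top: ${DECOY_POSITION.y}px; left: ${DECOY_POSITION.x}px;
    z-index: 1; font-size: 20px;
  }
  #victim {
    position: absolute; top: ${top}px; left: ${left}px;
    width: 1000px; height: 800px; border: 0;
    opacity: ${opacity}; z-index: 2;
  }
</style>
</head>
<body>
<button id="decoy">${escapeHtml(decoyLabel)}</button>
<iframe id="victim" src="${escapeHtml(targetUrl)}"></iframe>
</body>
</html>`;
}

// Usage: node this_file.js --emit > attacker.html, then open attacker.html.
if (typeof process !== "undefined" && process.argv.includes("--emit")) {
  process.stdout.write(buildClickjackPage({
    targetUrl: "https://victim.example/account",   // placeholder
    decoyLabel: "Win a Prize!",
    targetControl: { x: 300, y: 450 },             // placeholder coordinates
  }));
}
```

If the victim site sends X-Frame-Options: DENY or a frame-ancestors policy that excludes the attacker's origin, the browser refuses to render the iframe at all and the decoy click reaches nothing, which is exactly the behaviour the prevention section below is about.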

How to Prevent Clickjacking

To prevent clickjacking attacks:

  • Implement frame-busting JavaScript code that prevents your site from being framed (defense in depth only: it runs after the page has loaded and can be bypassed, for example by framing the page with an iframe sandbox attribute that withholds allow-top-navigation)
  • Use the X-Frame-Options HTTP header (DENY or SAMEORIGIN; the ALLOW-FROM value is not supported by current browsers)
  • Use the Content-Security-Policy header with the frame-ancestors directive (the preferred mechanism: it supports an allow-list of origins and takes precedence over X-Frame-Options in browsers that understand it; it must be sent as a response header, since frame-ancestors is ignored in a meta tag)
  • Implement user interaction confirmation for sensitive actions

Example X-Frame-Options header:

X-Frame-Options: DENY

Example Content-Security-Policy:

Content-Security-Policy: frame-ancestors 'none';

Example frame-busting code (place it in the document head so it runs before the page's own content):

// Compare the current window with the top-level window; they differ
// only when this document is displayed inside a frame.
if (window.self !== window.top) {
  // Framed: replace the framing page with this page at the top level.
  window.top.location.href = window.self.location.href;
}
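The following is an added example, not the demo page's own code, tying the header-based controls above together in Node.js: a function that builds the header set a server should emit (deny-all by default, or an allow-list via frame-ancestors), a helper that applies it to a response, and a checker that reads a response's headers the way a CSP-capable browser does so you can verify your own deployment. The origins used are placeholders.

```javascript
// Added example (not the demo page's own code). Three pieces:
//  1. antiFramingHeaders(): the header set a server should emit.
//  2. sendProtected():      applies it to a Node.js-style response object.
//  3. framingVerdict():     a checker that evaluates a response's headers
//     as a browser that understands frame-ancestors would.
// No dependencies. Origins used below are placeholders.

// Build the anti-framing headers. With no allow-list, deny all framing.
// X-Frame-Options cannot express an allow-list (ALLOW-FROM is not
// supported by current browsers), so with an allow-list it falls back to
// SAMEORIGIN for legacy browsers and CSP carries the real policy.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy":
      `frame-ancestors 'self' ${allowedOrigins.join(" ")}`,
  };
}

// Apply the headers to any response object with setHeader()/end(),
// such as Node's http.ServerResponse. Returns the headers that were set.
function sendProtected(res, body, allowedOrigins = []) {
  const headers = {
    "Content-Type": "text/html; charset=utf-8",
    ...antiFramingHeaders(allowedOrigins),
  };
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  res.end(body);
  return headers;
}

// Case-insensitive header lookup over a plain object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Decide who may frame a page given its response headers.
// Browsers that understand frame-ancestors ignore X-Frame-Options when
// both are present, so CSP is consulted first. A Report-Only CSP is not
// enforced and is deliberately not consulted here.
function framingVerdict(headers) {
  const csp = getHeader(headers, "Content-Security-Policy") || "";
  const directive = csp.split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === "frame-ancestors");
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0 || sources.includes("'none'")) {
      return { framing: "blocked", via: "csp" };
    }
    if (sources.length === 1 && sources[0] === "'self'") {
      return { framing: "same-origin", via: "csp" };
    }
    return { framing: "allow-list", via: "csp", sources };
  }
  const xfo = (getHeader(headers, "X-Frame-Options") || "").trim().toUpperCase();
  if (xfo === "DENY") return { framing: "blocked", via: "xfo" };
  if (xfo === "SAMEORIGIN") return { framing: "same-origin", via: "xfo" };
  // Missing, ALLOW-FROM (ignored by modern browsers) or a typo: no protection.
  return { framing: "unprotected", via: xfo ? "invalid-xfo" : "none" };
}
```

Running framingVerdict over the headers of a real response (for example the object returned by a fetch or curl of your own site) is the quickest check that the protection is actually being served; a page that sends only X-Frame-Options: ALLOW-FROM, or only a Report-Only policy, comes back as unprotected.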