Clickjacking occurs when an attacker tricks a user into clicking something other than what they intended to click. After the victim clicks, they may be redirected to what appears to be a legitimate page where they enter their sensitive information, similar to a pharming attack. A clickjacking attack can also redirect a user to a malicious web page that runs harmful scripts in the user's browser.

Clickjacking is often made possible by framing, which delivers web content in HTML inline frames (iframes). An iframe can be made the target of a link that is defined by other elements on the page. When a user selects that link, they could, for example, start entering their credentials while an invisible iframe is what actually receives the values.

The following is a real-world example that targeted Twitter. Users would post messages that included the text "Don't Click:". On this page (since removed), you could inspect the HTML and see that it created an iframe that loaded Twitter's reply functionality with filled-in content:

<iframe src="'t Click:" scrolling="no"></iframe>

The content was itself the same message that triggered the attack; in other words, a self-replicating attack like a worm. Below that iframe was: <button>Don't Click</button>. When users clicked this button, they actually submitted the request in the iframe to Twitter. This worked because the Twitter module was hidden "under" the button with CSS: the positional values for the iframe and the button were set so that the Twitter update button inside the iframe sat in the same basic position as the "Don't Click" button. Most importantly, the iframe had its opacity set to 0, which hid it from view even though it was still there, "under" the malicious button. Anyone clicking this button was actually clicking the Twitter update button, which then posted a message to Twitter that propagated the attack. This specific attack was relatively benign, but clickjacking can be used to do many of the malicious things other web exploits can do.

Note: In a way, the Twitter example is similar to CSRF in that it leverages the fact that the user's browser is already authenticated to Twitter.
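The defense against the hidden-iframe technique above is to tell browsers the page may not be framed at all. As an added example that is not part of the original text, the following JavaScript classifies a response's framing protection from its headers and returns the headers a site with state-changing actions (such as Twitter's update form) should send; the header names and directives are real, the sample responses in the test are constructed.

```javascript
// Added example: assess whether an HTTP response carries headers that stop the
// page from being loaded in an iframe, the mitigation for the opacity-0
// iframe-under-a-button technique described above.

// Parse the frame-ancestors directive out of a Content-Security-Policy value.
// Returns an array of lower-cased source expressions, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Classify framing protection from an object of lower-cased header names.
// Returns 'none', 'xfo-deny', 'xfo-sameorigin', 'csp-none', 'csp-self' or
// 'csp-allowlist'. A CSP frame-ancestors directive takes precedence, because
// browsers that support it ignore X-Frame-Options when it is present.
function classifyFramingProtection(headers) {
  const fa = frameAncestors(headers['content-security-policy']);
  if (fa !== null) {
    if (fa.length === 1 && fa[0] === "'none'") return 'csp-none';
    if (fa.length === 1 && fa[0] === "'self'") return 'csp-self';
    if (fa.includes('*')) return 'none'; // a wildcard lets any site frame the page
    return 'csp-allowlist';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'xfo-deny';
  if (xfo === 'SAMEORIGIN') return 'xfo-sameorigin';
  return 'none'; // missing or unsupported value (ALLOW-FROM is obsolete)
}

// Headers a server should send on pages with state-changing actions so they
// cannot be embedded in a hidden iframe by another origin.
function hardenedFramingHeaders() {
  return {
    'content-security-policy': "frame-ancestors 'none'",
    'x-frame-options': 'DENY', // fallback for browsers without CSP frame-ancestors
  };
}
```

Run classifyFramingProtection over the headers of each authenticated page in a site to find the ones still framable.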