Bug Bounty Writeups

5 minute read

The $200 Bug: Explaining the Clickjacking Vulnerability

February 22, 2026

Clickjacking, also known as a UI Redress Attack, is a client-side security vulnerability where an attacker tricks a user into clicking on a hidden or disguised element on a web page. By overlaying a transparent iframe containing a legitimate site over a malicious decoy page, the attacker “hijacks” the user’s clicks to perform unintended actions, such as transferring funds or changing account settings.

To secure your application against Clickjacking in 2026, follow this guide to identification, detection, and mitigation.

The Vulnerability Explained

Clickjacking, also known as a “UI redress,” is a malicious technique employed by attackers to deceive users into unintentionally performing actions on a website or application without their knowledge or consent. This form of attack exploits the trust users place in familiar interfaces by overlaying or disguising elements, thereby tricking individuals into clicking on hidden or disguised buttons, links, or other interactive components.

The primary objective of clickjacking is often to manipulate user behavior for malicious purposes such as stealing sensitive information, hijacking accounts, or executing unauthorized transactions.

Protect your application from the Clickjacking Vulnerability. We help you detect and secure your website before attackers do. Email Us to secure your website today

How Clickjacking Works

Clickjacking involves layering transparent or opaque elements over web content. Attackers craft a malicious webpage that embeds the target website within an iframe, an HTML element that allows one webpage to be embedded within another. By manipulating CSS styles and transparency settings, the attacker makes the embedded page invisible in the content. When a user visits this malicious page and interacts with what appears to be content, such as clicking a button, they are actually interacting with elements on the embedded target site.

The attacker uses social engineering techniques to convert users into visiting the malicious page.

Clickjacking Attacks Workflow

The typical workflow of a clickjacking attack involves several key steps:

Iframe Embedding: The attacker creates a malicious page and embeds the target “victim” website inside an invisible </code></li> <li><strong>CSS Layering: </strong>Using CSS, the attacker sets the iframe’s opacity to 0 (making it invisible) and uses a high z-index to place it on top of the decoy content.</li> <li><strong>Perfect Alignment:</strong> The attacker carefully positions a visible decoy button (e.g., “Win a Prize!”) exactly beneath a sensitive, invisible button in the iframe (e.g., “Delete Account”).</li> <li class="has-medium-font-size"><strong>User Interaction:</strong> When the user clicks the visible decoy, the browser registers the click on the invisible top layer (the target site), executing the sensitive action.</li> </ol> <p class="has-medium-font-size">To test if a site is vulnerable, you can create a simple HTML file. If the target site loads successfully in the frame, it is vulnerable to clickjacking.</p> <blockquote class="wp-block-quote has-text-align-left is-style-default has-blue-background-color has-background has-medium-font-size is-layout-flow wp-block-quote-is-layout-flow"> <p class="has-text-align-left has-medium-font-size">I<em>n a real-world scenario, attackers use tools like <a href="https://portswigger.net/burp/documentation/desktop/tools/clickbandit" target="_blank" rel="noopener nofollow" title="">Burp Suite’s Clickbandit</a> to quickly generate overlays and align buttons precisely.</em></p> </blockquote> <h3 id="common-use-cases-and-risks" class="wp-block-heading">Common Use Cases and Risks</h3> <p class="has-medium-font-size">Clickjacking can be exploited in various scenarios:</p> <h3 id="account-takeover" class="wp-block-heading">Account Takeover</h3> <p class="has-medium-font-size">An attacker tricks a user into changing account settings or authorizations that give control over their account.</p> <h3 id="social-media-manipulation" class="wp-block-heading">Social Media Manipulation</h3> <p class="has-medium-font-size">Users may unknowingly Like or Share content on social platforms, amplifying misinformation or spam.</p> <ul class="wp-block-list is-style-cnvs-list-styled has-medium-font-size"> <li><strong>Financial Fraud:</strong> Users could authorize payments or transfer funds without realizing it.</li> <li><strong>Data Theft:</strong> Sensitive information can be extracted if forms are manipulated through clickjacking.</li> </ul> <p class="has-medium-font-size">The severity of these attacks depends largely on the security measures implemented by target websites and applications.</p> <hr class="wp-block-separator has-alpha-channel-opacity"/> <h2 id="proof-of-concept-poc" class="wp-block-heading">Proof of Concept (PoC)</h2> <p class="has-medium-font-size">To test if a site is vulnerable, you can create a simple HTML file. If the target site loads successfully in the frame, it is vulnerable to clickjacking.</p> <h3 id="prerequisites" class="wp-block-heading">Prerequisites</h3> <ol class="wp-block-list is-style-cnvs-list-styled-positive has-medium-font-size"> <li>A target webpage with an actionable button for example, “Change Password”.</li> <li>A malicious webpage designed to overlay this button invisibly.</li> <li>Basic understanding of HTML and CSS for creating iframes and styling elements.</li> </ol> <h3 id="target-webpage" class="wp-block-heading">Target Webpage</h3> <p class="has-medium-font-size">Suppose we have a webpage <code>https://victim.com/settings</code> containing:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""><!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Victim's Settings Page</title> </head> <body> <h2>Account Settings</h2> <h3>Change Your Password</h3> <form action="/change_password" method="POST"> <input type="password" name="new_password" placeholder="New Password" required /> <button type="submit">Change Password</button> </form> </body> </html></pre> <p class="has-medium-font-size">This page features a form that allows password changes, which is a potential target for clickjacking if not protected properly.</p> <h3 id="malicious-page-setup" class="wp-block-heading">Malicious Page Setup</h3> <p class="has-medium-font-size">Create an attacker-controlled webpage that embeds this victim page within an iframe:</p> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group=""><!DOCTYPE html> <html> <head> <title>Malicious Page - Special Offer!</title> <style> /* Style for overlay */ #overlay { position: relative; width: 800px; height: 600px; overflow: hidden; } #victimFrame { position: absolute; top: -200px; /* Position iframe so that only part is visible */ left: -300px; width: 120px; /* Larger than overlay to hide parts */ height: 100px; opacity: 0; /* Make iframe transparent */ pointer-events: none; /* Allow clicks to pass through */ } </style> </head> <body> <h1>Click here for your free gift!</h1>  <div id="overlay">  <iframe src="https://victim.com/settings" id="victimFrame">







In this setup:




The iframe loads the victim’s settings page.



CSS positions and sizes are adjusted so that only part of the iframe aligns with where the “Change Password” button appears.



An invisible 



When users click on what appears to be harmless content (“Click here for your free gift!”), they trigger actions inside the iframe, in this case, submitting the password change form if properly targeted.




How It Works



When a user visits this malicious page:




They see enticing content prompting them to click.



Clicking on specific areas causes clicks inside the transparent iframe.



If they click where the “Change Password” button appears visually (but is covered by our transparent overlay), they trigger an unintended password change request.



Alternatively, if CSS positioning aligns perfectly with other sensitive controls (like account deletion), similar attacks can occur.




Mitigation and Defense



Modern browsers and websites have implemented various defenses against clickjacking:



Content Security Policy (CSP): The modern standard. Use the frame-ancestors directive to specify which origins are allowed to frame the site.



Content-Security-Policy: frame-ancestors 'none'; (Disallows all framing)



Content-Security-Policy: frame-ancestors 'self'; (Allows framing only by the same origin)



X-Frame-Options (XFO): An older but widely used header for legacy support.



X-Frame-Options: DENY (Blocks all framing)



X-Frame-Options: SAMEORIGIN (Only allows same-origin framing)



SameSite Cookies: Setting cookies to Strict or Lax prevents them from being sent during cross-site framing, effectively logging the user out within the iframe.



Despite these defenses, poorly configured websites remain vulnerable. Attackers often exploit sites lacking proper headers or employing outdated security practices.




If you find this proof of concept useful, look at our guide on the Log4shell (Log4J) Vulnerability, which allows unauthenticated Remote Code Execution in React Server Components.



			




	
	
		
		Leave a Reply Cancel reply
Your email address will not be published. Required fields are marked *
Comment * 
Name * 
Email * 
Website 
 Save my name, email, and website in this browser for the next time I comment.
 

	

	


	
		
	

	
					

				

				
					Previous Post
				

				
					
													
								
																	
							
						
						
							
	Bug Bounty Writeups
							The $2000 Bug: Explaining the Log4shell (Log4J) Vulnerability
							byAreeb Atiq
December 31, 2025
						
					
				
			
						

				

				
					Next Post
				

				
					
													
								
																	
							
						
						
							
	Support Tutorials
							How to Install Git on Windows 11
							byAreeb Atiq
March 11, 2026




	
		
						Search

	
		

		
	

			
									
						Table of Contents
											
				
				The Vulnerability Explained
Proof of Concept (PoC)
Account Settings
Click here for your free gift!Mitigation and Defense
			
		
Featured Posts
			
				
											
									
			
									
						
													

						
					
				
				
					
					
						Understanding NPM Axios supply chain Attack
					

					May 6, 2026
				
			
		
								
											
									
			
									
						
													

						
					
				
				
					
					
						How to Install Git on Windows 11
					

					March 11, 2026
				
			
		
								
											
									
			
									
						
													

						
					
				
				
					
					
						The $200 Bug: Explaining the Clickjacking Vulnerability
					

					February 22, 2026
				
			
		
								
											
									
			
									
						
													

						
					
				
				
					
					
						The $2000 Bug: Explaining the Log4shell (Log4J) Vulnerability
					

					December 31, 2025
				
			
		
								
											
									
			
									
						
													

						
					
				
				
					
					
						The $25,000 Bug: Explaining the React2shell Vulnerability
					

					December 24, 2025
				
			
		
								
									
			

			
Recent Posts
			
				
											
									
			
									

													
															
						
						
						
						
					
				
				

					
					What Is Model Context Protocol? All You Need To Know
								
									
												
							December 24, 2025
						
					
				
									
						
							Read More						
					
				
							
							
			
		
								
											
									
			
									

													
															
						
						
						
						
					
				
				

					
					AI in Cybersecurity: 5 Intelligent Tools Safeguarding Modern Businesses
								
									
												
							November 15, 2025
						
					
				
									
						
							Read More						
					
				
							
							
			
		
								
											
									
			
									

													
															
						
						
						
						
					
				
				

					
					How to Install Cursor AI in Windows and Linux
								
									
												
							November 6, 2025
						
					
				
									
						
							Read More

Hand-Picked Top-Read Stories

Understanding NPM Axios supply chain Attack

How to Install Git on Windows 11

The $200 Bug: Explaining the Clickjacking Vulnerability

Trending Tags

The $200 Bug: Explaining the Clickjacking Vulnerability

The Vulnerability Explained

How Clickjacking Works

Clickjacking Attacks Workflow

How It Works

Mitigation and Defense

Leave a Reply Cancel reply

Previous Post

The $2000 Bug: Explaining the Log4shell (Log4J) Vulnerability

Next Post

How to Install Git on Windows 11

Understanding NPM Axios supply chain Attack

How to Install Git on Windows 11

The $200 Bug: Explaining the Clickjacking Vulnerability

The $2000 Bug: Explaining the Log4shell (Log4J) Vulnerability

The $25,000 Bug: Explaining the React2shell Vulnerability

What Is Model Context Protocol? All You Need To Know

AI in Cybersecurity: 5 Intelligent Tools Safeguarding Modern Businesses

How to Install Cursor AI in Windows and Linux