00 — Overview
Clickjacking
Trick users into clicking something they never intended to. By overlaying a transparent iframe that loads the target site on top of a decoy UI, attackers hijack button clicks, fund transfers, OAuth grants, and account deletions — no JavaScript required.
Intermediate · 35 min · 5 tasks
// By the end of this module
→Explain the UI redressing attack model and why transparent iframes are dangerous
→Detect frameable pages by checking X-Frame-Options and CSP frame-ancestors
→Build a clickjacking PoC that positions a decoy over a real sensitive button
→Understand multi-step and drag-and-drop jacking variants
→Apply frame-ancestors CSP and SameSite cookies to prevent clickjacking
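The detection and mitigation objectives above come down to a handful of response headers. The following is an added example (not part of this module's materials) that classifies, from a response's headers, who is allowed to frame a page, and flags session cookies that set no SameSite protection. It encodes browser behaviour a defender should know when reading headers: CSP `frame-ancestors` takes precedence over `X-Frame-Options`, a comma-joined `X-Frame-Options` with conflicting values is treated as `DENY`, and the obsolete `ALLOW-FROM` form is ignored by current browsers, leaving the page frameable. All header values and cookie lines below are constructed samples.

```python
# Added example: classify a page's frameability from its response headers and
# flag cookies lacking SameSite. Sample headers/cookies are constructed.
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if the directive
    is absent. An empty list means the directive is present with no sources
    (which, like 'none', matches no ancestor)."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # Keyword sources ('self', 'none') are case-insensitive; normalise them.
            return [t.lower() if t.startswith("'") else t for t in tokens[1:]]
    return None


def frameable_by(headers: Dict[str, str]) -> str:
    """Return 'nobody', 'same-origin', 'listed' or 'anyone'.

    A present frame-ancestors directive is authoritative and X-Frame-Options is
    ignored; otherwise X-Frame-Options decides; with neither, any origin may
    frame the page."""
    ancestors = _frame_ancestors(_header(headers, "Content-Security-Policy"))
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"]:
            return "nobody"
        if ancestors == ["'self'"]:
            return "same-origin"
        # '*' or a bare scheme such as 'https:' matches every origin on that scheme.
        if "*" in ancestors or any(s.endswith(":") and "/" not in s for s in ancestors):
            return "anyone"
        return "listed"

    xfo = _header(headers, "X-Frame-Options")
    if not xfo:
        return "anyone"
    # Several values joined by commas that disagree are treated as DENY by browsers.
    values = {v.strip().upper() for v in xfo.split(",")}
    if len(values) > 1:
        return "nobody"
    value = values.pop()
    if value == "DENY":
        return "nobody"
    if value == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and any unrecognised value is ignored, so the page
    # is left frameable by anyone.
    return "anyone"


def cookies_without_samesite(set_cookie_values: List[str]) -> List[str]:
    """Names of cookies whose Set-Cookie line lacks SameSite=Lax or Strict.

    Without Lax/Strict the cookie may accompany the request that loads the
    page inside a cross-site iframe, so the victim is authenticated in the
    frame. SameSite=None is flagged for the same reason; an absent attribute is
    flagged because the default is left to each browser."""
    weak = []
    for line in set_cookie_values:
        parts = [p.strip() for p in line.split(";")]
        name = parts[0].split("=", 1)[0]
        samesite = next(
            (p.split("=", 1)[1].strip().lower() for p in parts[1:] if p.lower().startswith("samesite=")),
            None,
        )
        if samesite not in ("lax", "strict"):
            weak.append(name)
    return weak


if __name__ == "__main__":
    # Constructed samples: a weak response beside a hardened one.
    weak_response = {"Content-Type": "text/html"}
    hardened_response = {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }
    print("weak response frameable by:", frameable_by(weak_response))
    print("hardened response frameable by:", frameable_by(hardened_response))
    print("cookies lacking SameSite:", cookies_without_samesite([
        "session=abc; Secure; HttpOnly",
        "csrf=x; SameSite=Strict; Secure",
    ]))
```

Run the classifier over a captured response's headers before trusting a single header: a page that sets `X-Frame-Options: SAMEORIGIN` but also ships `frame-ancestors *` in its CSP is frameable by anyone, because the CSP directive wins. The hardened form to aim for is `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` where same-origin embedding is needed) together with `X-Frame-Options: DENY` for older clients, plus `SameSite=Lax` or `Strict` on the session cookie.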
