Clickjacking is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or handing over control of their computer while clicking on seemingly innocuous web pages. It is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user’s knowledge, such as a click on a button that appears to perform one function but actually performs another.
A user might receive an email with a link to a video about a news item, but another valid page, say a product page on amazon.com, can be “hidden” on top or underneath the “PLAY” button of the news video. The user tries to “play” the video but actually “buys” the product from Amazon.
Other known exploits include:
- Tricking users into enabling their webcam and microphone through Flash (which has since been corrected by Adobe);
- Tricking users into making their social networking profile information public;
- Making users follow someone on Twitter;
- Sharing links on Facebook.
The technique most commonly used in a clickjacking attack relies on an IFRAME. The IFRAME's borders are hidden with CSS, so most of the time you will not notice that you are interacting with a different page.
A solution is to prevent your website from being loaded inside an IFRAME. You can add the code below to your Global.asax file:
void Application_BeginRequest(object sender, EventArgs e)
{
    // X-Frame-Options: DENY tells the browser not to render this response inside any frame
    Response.AddHeader("X-Frame-Options", "DENY");
}
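A quick way to verify that a site actually ships the protection described above is to inspect its response headers. The checker below is an added example (not code from the original post): it takes a response header mapping and classifies the framing protection it provides, looking at both the X-Frame-Options header the Global.asax handler sets and the newer Content-Security-Policy frame-ancestors directive. The sample responses are constructed for illustration; in practice you would feed it the headers of a real HTTP response.

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example, not part of the original post. It evaluates the same
anti-framing header the Global.asax handler emits (X-Frame-Options) and
the CSP frame-ancestors directive that supersedes it.
"""
from __future__ import annotations

from typing import Mapping

# Constructed sample responses (not captured from real servers).
SAMPLE_RESPONSES: dict[str, dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"x-frame-options": "sameorigin"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_none": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "csp_no_fa": {"Content-Security-Policy": "default-src 'self'"},
    "conflict": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def _lower_headers(headers: Mapping[str, str]) -> dict[str, str]:
    """Header names are case-insensitive, so normalise them before lookup."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [source.lower() for source in parts[1:]]
    return None


def framing_protection(headers: Mapping[str, str]) -> str:
    """Classify a response as 'protected', 'partial' or 'unprotected'."""
    h = _lower_headers(headers)
    csp = h.get("content-security-policy")
    xfo = h.get("x-frame-options", "").upper()

    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # Browsers that support frame-ancestors ignore X-Frame-Options when
            # both are present, so the CSP directive decides the outcome.
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return "unprotected"
            return "protected"

    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM was never widely supported and is obsolete; modern
        # browsers ignore it, leaving the page frameable.
        return "partial"
    return "unprotected"


def audit(samples: Mapping[str, Mapping[str, str]]) -> dict[str, str]:
    """Classify every sample response; used by the demo below."""
    return {name: framing_protection(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:15s} {verdict}")
```

The "conflict" sample is the case worth remembering: a DENY header does not help once a permissive frame-ancestors directive is also sent, because the CSP directive takes precedence in browsers that implement it.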
You can download a harmless sample of a click jack attack from below