Clickjacking attacks lure users into clicking on objects transparently placed in malicious web pages. The resulting actions of the click may cause unwanted operations in legitimate websites without the knowledge of the users (Hansen, 2008; Hansen & Grossman, 2008; OWASP, 2015; Aun, 2015). Many recent news reports suggest that victims are tricked into clicking on social media websites (Facebook, Twitter) (Balduzzi et al., 2010; Huang et al., 2012), shopping websites (Amazon, where a victim ends up buying a book), and online banking websites (Balduzzi et al., 2010). The consequences of these attacks can affect a victim’s security and privacy. For example, clickjacking has been used to enable the webcam and microphone of a victim’s computer (Aboukhadijeh, 2011; Aharonovsky, 2008). Other reported incidents include liking a Facebook profile the victim is not familiar with and posting messages on Twitter (Balduzzi et al., 2010; Huang et al., 2012). Given this, clickjacking needs to be addressed to stop many of these unwanted consequences.
This paper is organized as follows: the next section presents an illustrative example of a clickjacking attack; we then highlight defense techniques found in the literature; the section after that outlines advanced clickjacking attacks; we then present the proposed framework, followed by evaluation results; and finally we conclude the paper.