Clickjacking is a form of client-side, web-based attack in which the attacker tricks the victim into clicking areas of disguised/obfuscated HTML elements, such as the IFRAME, APPLET, OBJECT, or other HTML elements that can display externally loaded resources. The clickjacking technique aims to circumvent the stringent security policies of the browser and all of its components by forcing the user to perform the necessary malicious actions on behalf of the attacker—without realizing that he or she is under an attack.
The clickjacking technique is an old form of an attack that was reincarnated recently with help from Jeremiah Grossman and Robert (rsnake) Hansen, two researchers known for several discoveries of web and client-side (more specifically, browser-related) vulnerabilities. Ever since Grossman and Hansen's public statement about their finding, the clickjacking technique has been discussed in full on several niche blogs and information security resources online, including ha.ckers.org, hackademix.net and GNUCITIZEN.
In this article, we'll look into what clickjacking is and what you need to do to protect yourself as a web application developer and as a user.
What Is Clickjacking?
The clickjacking technique falls into the category of graphical user interface (GUI) attacks. Another attack in the same category is the infamous file-input focus-stealing bug, with all of its variations, which allows attackers to steal any file from the filesystem when the victim is tricked into typing characters into a seemingly harmless text field. The clickjacking attack is also what security researchers call a design bug. Essentially, clickjacking is possible because of several design limitations. Design bugs are difficult to fix because they usually require change of the affected system's design, which is something that may not be very trivial to do. Very often, design bugs stay unfixed.
To understand how clickjacking works, consider the following example. You visit your Facebook account. On your dashboard is a notification that one of your friends wants to share a new story with you, so you follow the link inside her message. Once you click the link, a new tab opens inside your browser, displaying a strange but rather harmless-looking message (see Figure 1). The page simply asks whether you'd like to use AJAX in order to preview the content of the page, as it will improve your user experience. There's only one button, so you hurry to click it and move on.
But what they have done is super imposed this image over this actual message that pops up:
Now the not so harmless message is clear - if you clicked on allow, you just opened your webcam and mic! The idea is to add script to your code to cover the exact warning message that is expected to pop up.
The HTML code is posted on this link
http://www.informit.com/articles/articl ... 0&seqNum=2
and you can see it uses iframes to make the cracker's image fit over the warning message by absolute position statements.
In the example above, the attacker use Flash to compromise the victim, but clickjacking attacks apply to most technologies, web pages, and applications that you use on a daily basis. For example, clickjacking attacks can be used to force you to perform actions on your Facebook account without your even realizing it. You could be tricked into deleting your Google account—or, even worse, exposing all of your private messages to the whole world.
In general, the clickjacking technique is known as the anti-CSRF killer. CSRF stands for cross-site request forgeries, a simple attack based on another design bug, which often has a devastating effect when performed correctly. CSRF attacks can be used to force the user to perform HTTP requests on behalf of the attacker without any indication that anything is happening. Fortunately for us, CSRF attacks can be mitigated to an extent by forcing session-management facilities to use unique tokens to identify each request. However, clickjacking simply destroys these mitigations
How can you protect yourself and ensure that no one can clickjack your web applications? From a user's perspective, very little can be done. The previous example no longer works (at least in theory) because Adobe has released an urgent patch to fix the design bug—but only for Adobe's Flash plug-in. Check that you have the latest version of Flash. If not, you're vulnerable, and you should patch immediately.
If you use Firefox, try the excellent NoScript extension from Giorgio This extension may not be suitable for all types of users, but at least you should feel more secure with it than without it. The NoScript extension tries to prevent clickjacking as well as several other known web attacks. Keep in mind that bad guys often find ways around security products, however, so you still need to be cautious online. If possible, question everything into which you type information and everything you click. Even security researchers and penetration testers find it difficult to protect themselves, so you're not alone in this game.
You don't have many options if you're using any browser other than Firefox.
Web/application developers should try to make sure that their code isn't vulnerable to clickjacking. You can use a technique known as frame busting, which simply tries to prevent your page from being loaded in arbitrary IFRAMEs. Unfortunately, frame-busting code doesn't always work as advertised, and you may break certain parts of your application by using frame busting inappropriately. I won't provide any frame-busting code here, as some readers may simply copy and paste it without giving it a second thought. Plenty of resources are available online for finding frame-busting code; examine the possibilities and make up your own mind. If possible, use the help of skilled security consultants who have a good understanding of the latest and greatest in the web application and client-side security world.
my words injected into this article here:
http://www.informit.com/articles/articl ... 0&seqNum=3
DNR
) to see a site that doesn't use some of the technologies that are an easy target to attacks, sure, some sites and web applications are heavier on javascript and flash content than others, nevertheless is a trend which many web designers keep following and there's no sign that this is going to disappear anytime soon, more likely its going to get worst, new technology derivated from an old technology will appear and in the same way, a new attack derivated from an old attack will emerge for that new technology 
