What is clickjacking

Clickjacking is a visual deception attack. The attacker places a transparent (that is, invisible) iframe over a web page and lures the user into clicking on that page. The user then clicks inside the transparent iframe without realizing it. By carefully positioning the transparent iframe, the attacker tricks the user into clicking a button of the attacker's choosing.

For example:

The attacker builds a website with two layers of content:

Bottom layer: an image or layout that invites a click, such as a bouncing "Open" label on a red envelope.
Upper layer: the homepage of a social networking site embedded through an iframe, with its opacity set to fully transparent. Using positioning, an action button inside the iframe (such as "Follow me") is placed exactly over the guiding click area of the bottom layer (the "Open" label on the red envelope in this example).

As a result, when the user clicks the "Open" label, they actually click the transparent "Follow me" button above it and follow someone without knowing it. All of this assumes that the user is logged in to the social networking site and that the session has not expired.

Unlike CSRF, where the requests are forged, these requests originate from the framed website itself and are initiated "voluntarily" by the user.


Additional safeguards

Add a secondary check for more sensitive operations, such as a CAPTCHA, an SMS verification code, or re-entering the password.
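As an added example (not code from the original post), the following JavaScript shows the defender's side of the attack described above: the response headers that stop a page from being framed by another site at all, a client-side check for whether the page is running inside a frame, and a gate that applies the secondary check recommended above to sensitive actions. It assumes Node.js for running outside a browser, passes a window-like object to the check so it can be tested offline, and the action names are constructed.

```javascript
// Server side: headers that tell the browser not to render this page inside a
// frame on another origin. X-Frame-Options is the legacy header; the CSP
// frame-ancestors directive is the modern one, and both are sent for coverage.
// allowSameOrigin=true permits framing only by pages from the same origin.
function antiFramingHeaders(allowSameOrigin = false) {
  return {
    'X-Frame-Options': allowSameOrigin ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': allowSameOrigin
      ? "frame-ancestors 'self'"
      : "frame-ancestors 'none'",
  };
}

// Client side: detects whether the page is the "upper layer" of a clickjacking
// page, i.e. rendered inside a frame. `win` is a window-like object (in a
// browser, pass `window`); accepting it as a parameter lets the check run offline.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Accessing win.top can throw when the parent is cross-origin;
    // treat that as framed, since a same-origin parent would not throw.
    return true;
  }
}

// Gate for sensitive actions such as "follow me": require the secondary check
// (CAPTCHA, SMS code, password) when the action is sensitive or when the page
// is framed. The set of sensitive action names is a constructed example.
const SENSITIVE_ACTIONS = new Set(['follow', 'transfer', 'change-password']);

function requiresSecondaryCheck(win, action) {
  return isFramed(win) || SENSITIVE_ACTIONS.has(action);
}

// Stand-alone demonstration with constructed window-like objects.
const topWindow = {};
topWindow.self = topWindow;
topWindow.top = topWindow;
const framedWindow = { self: {}, top: topWindow };
console.log(antiFramingHeaders());
console.log('framed page, view action:', requiresSecondaryCheck(framedWindow, 'view'));
console.log('top-level page, view action:', requiresSecondaryCheck(topWindow, 'view'));
```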


Origin blog.csdn.net/yjnain3066/article/details/127723499