Clickjacking

Posted on November 9 2009 by admin

Clickjacking refers to stealing a user’s click on a web site to do something that the user wouldn’t intentionally do. JavaScript, anyone? Every good programmer knows how to use a click to trigger a JavaScript event, and almost anything can be done with that triggered event. This is the reason people deactivate JavaScript in their browser; the JavaScript problem is easily resolved that way.

The real clickjacking technique, however, is more advanced because it permits stealing a click without JavaScript. Even with JavaScript turned off, every common browser is affected by this problem and every web site can implement this hack. The technique relies on the iframe tag and on the z-index and opacity rules of the CSS style sheet. A clickable element in an iframe, loaded from another domain, can hide behind an element on top of the real page. Not a single line of JavaScript or PHP code is needed: HTML and CSS alone can make users believe they are clicking an element on the front page when they are actually clicking an element on the hidden page.
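Because the overlay needs only an iframe, what a site owner can check is whether their own pages tell the browser to refuse cross-domain framing. The following is an added example, not part of the original post: it classifies a response's `X-Frame-Options` and `Content-Security-Policy` `frame-ancestors` headers. The function name, the input shape and the verdict labels are assumptions, and the sample responses are constructed.

```javascript
// Added example (not from the original post): classify a response's
// anti-framing headers. Input shape and verdict names are assumptions.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // 1. CSP frame-ancestors: when present in an enforced policy, browsers use
  //    it instead of X-Frame-Options. Report-Only policies are not enforced,
  //    so that header is deliberately not read here. Simplification: only the
  //    first frame-ancestors directive found is evaluated.
  const csp = h["content-security-policy"] || "";
  for (const directive of csp.split(/[;,]/)) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "frame-ancestors") continue;
    const s = sources.map((x) => x.toLowerCase());
    if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) return "blocked";
    if (s.includes("*")) return "frameable";
    if (s.every((x) => x === "'self'")) return "same-origin";
    return "allowlist"; // specific parent origins may frame the page
  }

  // 2. X-Frame-Options fallback (values are case-insensitive).
  const xfo = new Set(
    (h["x-frame-options"] || "").split(",")
      .map((x) => x.trim().toLowerCase()).filter(Boolean)
  );
  if (xfo.size === 0) return "frameable";
  if (xfo.size > 1) return "misconfigured"; // conflicting values: fix the header
  const [value] = xfo;
  if (value === "deny") return "blocked";
  if (value === "sameorigin") return "same-origin";
  // ALLOW-FROM is obsolete and ignored by current browsers; so are unknown values.
  return "frameable";
}

// Constructed sample responses, not captured from any real site.
const samples = [
  { "X-Frame-Options": "SAMEORIGIN" },
  { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" },
  { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  { "Content-Type": "text/html" },
];
for (const s of samples) console.log(JSON.stringify(s), "=>", framingPolicy(s));
```

A verdict of `frameable` or `misconfigured` means the page can still be loaded invisibly inside another site's iframe, which is the condition the technique above depends on.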

Marco Lisci

- From onlinesecurityblog.info
