International Journal of Information Security

https://doi.org/10.1007/s10207-018-0423-3

REGULAR CONTRIBUTION

You click, I steal: analyzing and detecting click hijacking attacks in web
pages
Anil Saini1 · Manoj Singh Gaur1 · Vijay Laxmi1 · Mauro Conti2

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Abstract
Click Hijacking (clickjacking) is emerging as a web-based threat on the Internet. The prime objective of clickjacking is
stealing user clicks. An attacker can carry out a clickjacking attack by tricking the victim into clicking an element that is
barely visible or completely hidden. By stealing the victim’s clicks, an attacker could entice the victim to perform an unintended
action from which the attacker can benefit. These actions include online money transactions, sharing malicious website links,
initiate social networking links, etc. This paper presents an anatomy of advanced clickjacking attacks not yet reported in
the literature. In particular, we propose new class of clickjacking attacks that employ SVG filters and create various effects
with SVG filters. We demonstrate that current defense techniques are ineffective to deal with these sophisticated clickjacking
attacks. Furthermore, we develop a novel detection method for such attacks based on the behavior (response) of a website
active content against the user clicks (request). In our experiments, we found that our method can detect advanced Scalable
Vector Graphics (SVG)-based attacks where most of the contemporary tools fail. We explore and utilize various common
and distinguishing characteristics of malicious and legitimate web pages to build a behavioral model based on Finite State
Automaton. We evaluate our proposal with a sample set of 78,000 web pages from various sources, and 1000 web pages
known to involve clickjacking. Our results demonstrate that the proposed solution enjoys good accuracy and a negligible
percentage of false positives (i.e., 0.28%), and zero false negatives in distinguishing clickjacking and legitimate websites.

Keywords Browser security · Clickjacking · Web-based attacks · Browser attacks · Cyber attacks

1 Introduction user. Sometimes, the clicked element overlaps or stacks with

A clickjacking attack is an attack against users of the web
application in which an attacker creates a malicious page.
The infected web application is designed in such a way that
it tricks a user into clicking on a page element. This click
targets an action against victim page that is hidden from the
B Manoj Singh Gaur
an item on the victim page. With this technique, an attacker
can “steal” user clicks from the victim to target any website
(including an authenticated website) to perform malicious
activities. For example, an attacker can target social net-
working web page, such as Facebook, to trigger “like” button
without user’s notice; Twitter page by posting unwanted mes-
sages; compromise banking websites by executing an online
money transaction.

[email protected] In these example scenarios, the set of events performed by
Anil Saini the victim would look legitimate from the browser point of
[email protected] view. In fact, the victim is just clicking on the web page ele-
Vijay Laxmi ment and does not violate any security policy. So, the inbuilt
[email protected] browser security policies at user’s end are currently not able
Mauro Conti to detect this kind of click-hijacks. The dangerous nature of
[email protected] clickjacking lies in the fact that it can compromise the web
application that is free of any technical flaws. The attack
1 Department of Computer Science and Engineering, Malaviya exploits the default behavior of the browser on a click and
National Institute of Technology, Jaipur 302017, India
targets a user who clicks on an element without realizing that
2 Department of Mathematics, University of Padua, he is, in fact, initiating some possibly malicious activities.
35131 Padua, Italy

123
 A. Saini et al.

Clickjacking attack was first addressed by Robert Hansen

and Jeremiah Grossman in a talk at OWASP AppSec 2008 [1].
Some proof-of-concept for clickjacking examples, which
have been made public, were posted by security researchers,
and by hackers [1–6]. The recent work on clickjacking
discovered two new clickjacking attacks and claimed the
defensive mechanism for these attacks [5]. In this work, the
author presented fake pointer attack and peripheral vision
attacks based. In particular, all these attacks have focused on
clickjacking attacks initiated from transparent iframes1 and
overlapped web page elements. In this paper, we discover
some advanced methods that can be used to steal user clicks
from the browser. This paper considers not only iframe-
based clickjacking attacks but also new methods of achieving
clickjacking attacks. In particular, we find event bubbling,
SVG-based attacks to achieve transparency and overlapping
using SVG filters are novel methods to steal click from the
user’s browser.
Clickjacking attacks are fundamentally attacks on lim- Fig. 1 Proposed approach
itations of human perception. In other words, any user
interaction with web page elements should only succeed if the
user perceived, understood, and made a conscious decision consists of popular web pages that do not contain any
to take a particular action. In this paper, we develop a novel advertisement, pop-ups, hidden iframes, and transparent ele-
approach to detect clickjacking attack based on the behavior ments.
(response) of websites against the user clicks (request). The We explore and utilize various shared and distinguishing
key idea to observe the essence of the clickjacking attack characteristics (features) from the dataset of known attacks,
in a web page is to find one or more suspicious properties and legitimate web pages. These features are, then, used to
such as overlapping, transparency, stacking, DIV nesting of build a behavioral model based on Finite State Automaton
elements. In particular, we propose several features to gather (FSA). We generate three alerts for a web page, legiti-
clickjacking symptoms, which cannot be identified by the mate, clickjacking warning, and clickjacking attack alert.
human eyes or perceived by the human mind, from a web- We use several heuristics to assist a test to decide, based
site. on their behavior, whether the web page is clickjacking
We examine a set of characteristic and distinguishing warning or Clickjacking attack. We define three alerts as fol-
functionalities that legitimate and malicious web pages can lows.
perform. We then identify static as well as dynamic features
from the web pages. The static features are taken when the – Clickjacking attack alert If the sequence of states (rep-
web page is downloaded or opened in web browser window. resenting behavior) matches with the attack signature, it
The dynamic features are taken by the observed response of will label as the clickjacking attack. Labeling a web page
user clicks. These web page features are comprehensive and as malicious indicates we identified harmful behavior
can be used to derive a behavior model for a website and such as clicking of unknown source lead to cross-domain
classify if it is susceptible to clickjacking. communication, execution of arbitrary hidden scripts,
Figure 1 shows the proposed method. We generate signa- redirection of the hidden mouse cursor, etc.
tures of known clickjacking attacks using 1000 web pages – Clickjacking warning alert Our model also generates
that are vulnerable to clickjacking attack. We collect the the clickjacking warning, which indicates the presence of
web pages based on the knowledge gained from: the liter- potentially harmful actions or exposing the user to new
ature; basic clickjacking attacks described in the literature; risks, but these risks may or may not represent clickjack-
attack classes describe in Sect. 2.1; and newly identified ing actions.
attack techniques describe in Sect. 3. We improve the state – Legitimate behavior If we do not find any suspicious
of the art in clickjacking attack by adding new attack classes behavior, we label the web page as legitimate.
to attack signature. Our dataset of 1000 legitimate pages
The experimental evaluation shows that our approach is fea-
1The iframe element represents a nested browsing context, effectively sible in practice. Also, our solution enjoys good accuracy
embedding another HTML page into the current page. and a negligible percentage of false positives (0.28%) in

123
You click, I steal: analyzing and detecting click hijacking attacks in web pages
Table 1 Illustration of existing
Attack ID
and newly identified
clickjacking attacks a1
a2
a3
a4
a5
a6
a7
a8
a9
a10
a11
distinguishing clickjacking and legitimate websites. More-
over, our approach can detect novel advanced SVG-based
attacks that many contemporary tools currently fail to recog-
nize.
Contributions
The contributions of this paper are manifold:
– Novel clickjacking attacks We present an anatomy of
novel advanced clickjacking attacks using visual effects
caused by SVG images and filters. Furthermore, we show
some alternative methods for achieving properties of
clickjacking attacks. Our proposed attacks defeat exist-
ing clickjacking attack detection tools.
– Unified behavioral model We present a behavioral
clickjacking detection approach based on the behavior
(response) of websites against the user clicks (request).
We describe our model using the notion of Finite State
Automaton (FSA). We construct the FSA model for var-
ious request, response pairs to represent how different
states belong to either clickjacking attack or legitimate
scenario.
– Implementation framework We present a prototype
model consisting of four modules: Query String For-
mation (QSF) module; Signature Generation module;
C-CHECK parser module; and Click Inspector module.
– Experimental validation We present a detailed experi-
mental evaluation of our system on real-world web pages.
In our evaluation, we implemented different variants of
clickjacking attacks, which includes basic as well as new
advanced attacks. We tested our proposed solution on the
dataset of 78,000 web pages taken from different sources.
Organization
The rest of the paper is organized as follows. Section 2
presents the review of clickjacking attacks and motivation
toward new clickjacking attack detection approach. Section 3
outlines novel clickjacking attacks and describes deployment
Attack type Source
Click stealing through visual perception Existing attack [7]
Click stealing through keystrokes Existing attack [8]
Click stealing through hidden pointer Existing attack [7,9]
Click stealing through CSS (stacking elements) Existing attack [10]
Click stealing through CSS (pointer-event) Existing attack [10]
Click stealing through element movement Existing attack [7,10]
Violating display integrity using SVG filters Newly identified attack
Clickjacking with SVG clipping and masking Newly identified attack
Modifying user interface using SVG filters Newly identified attack
Enforcing pointer-event property through SVG Newly identified attack
Enforcing script injection using SVG filters Newly identified attack
techniques. Section 4 discusses the static and dynamic fea-
tures of websites. Section 5 introduces the behavioral model
for detecting clickjacking attacks. In Sect. 6, we present the
implementation details and evaluation of our model. Sec-
tion 7 highlights defense techniques found in the literature,
and Sect. 8 concludes the paper.
2 Background and motivations
In this section, we briefly present a detailed description of var-
ious existing clickjacking attack classes and the motivation
behind our clickjacking attack detection approach. Table 1
illustrates the broad categories of attacks considered in this
paper. We further explains these attacks in Sects. 2.1 and 3.
2.1 Existing clickjacking attacks
We classify existing attack classes according to the behavior
and appearance in the browser window. The attack classes
are as follows.
Click stealing through visual perception (a1 ) A visual per-
ception is how a user sees a web page, before and after
clicking an element. An attacker can compromise a user’s
visual perception to execute clickjacking attacks. Using
frames/iframes, an attacker can embed a cross-domain web
page into the current web page. An attacker entices a user to
click on the malicious page, which has hidden target elements
embedded in iframe placed underneath a malicious page.
When the user clicks on an item on the upper page, the
click will be routed to an element present on the underneath
page. For example, let us consider the scenario illustrated in
Fig. 2. A Facebook page is embedded into a malicious web
page. A target element “Click Here” on the malicious page
is positioned exactly above the Facebook “like” button in
such way that user cannot notice the presence of the latter.
Once the user performs a click on a button labeled “Click
123

Fig. 2 Illustration of clickjacking attack using frame overlays. In this
attack, a Facebook page is embed on a transparent iframe. Facebook
“like” button is shown with light color in a figure to represent invisibility
Fig. 3 Illustration of a strokejacking attack scenario in which the
attacker steals keystrokes
Here”, the click will also route to underneath page and also
trigger Facebook “like” button without user’s notice. This
attack scenario shows that an attacker can like any Facebook
page on user’s behalf.
Click stealing through keystrokes (a2 ) In this attack, the
keystrokes can be, in addition to clicks, also hijacked. The
attack is also called Strokejacking. An attacker uses social
engineering tricks to capture keyboard events from text box
placed on attacker page, and at the same time applying these
keystrokes to underneath text box on the victim page. In
this way, an attacker can capture user input keystrokes. An
attacker can, then, inject a malicious script using user input
keystrokes.
Figure 3 illustrates an attack scenario in which an
attacker entices a user to play a game (Step 1). When the
user inputs a character that appears on a square matrix
(Step 2), a malicious script is created in the background
without user notice (Step 3). In this way, an attacker
can steal keystrokes to inject malicious script into victim
browser.
Click stealing through mouse pointer hiding (a3 ) In this
case, the attacker creates and re-positions a fake cursor while
hiding the original cursor. The fake cursor is positioned in
such a way, that when the user points the fake cursor on a
link displayed on the attacker page, the original cursor will
123
A. Saini et al.
Fig. 4 Illustration of an attack scenario in which an attacker creates
fake cursor, and hides original cursor
point to a link on the victim page, which an attacker wants
to trigger [7,9].
Figure 4 illustrates an attack scenario in which an attacker
creates the fake cursor, and hides the original cursor. A
fake cursor is positioned in such a way that when user
points on “skip this Ad” with a fake cursor, the orig-
inal cursor clicks Facebook “like” button. When user
clicks on the “skip this Ad”, a Facebook “like” button is
clicked.
Click stealing through CSS (stacking elements) (a4 ) Most
browsers support HTML/CSS styling attributes that allow
an attacker to hide the target element through an overlapping
element visually. When the user clicks on the upper layer of
overlapped element, a click is also routed to lower layer ele-
ment. For example, an attacker can make the target element
transparent by wrapping it in a DIV container [11] with a
CSS opacity value set to zero. An attacker creates a stack
of overlapped elements above the target element by using
z-index [12] property. When the victim user clicks on an
upper element, the click routes to the lower element, which
triggers a malicious link.
Click stealing through CSS (pointer-event) (a5 ) In this
attack class, an attacker bypasses the click event from an
upper element, and then routes the same click event to
lower invisible target element positioned underneath it. The
element can be made unclickable by setting the property
pointer-events:none [12]. A victim’s click would
then fall through the decoy and land on the (invisible) tar-
get element.
Click stealing through element movement (a6 ) In “Frame
Overlay” class, an element is positioned exactly above the
framed page element. The element randomization [10] tech-
nique can be used to circumvent this attack, and thus, a new
class of attack is required to execute frame overlay attack
successfully. In this class, a hidden element will move along
with the mouse movement. So wherever user clicks, the
You click, I steal: analyzing and detecting click hijacking attacks in web pages
Fig. 5 Attack Scenario for SVG-based clickjacking attacks
web page triggers an event which may route to the victim
page.
2.2 Motivation
Clickjacking is a serious threat in Internet [1–4]. The moti-
vation behind our work lies in the fact that new variants of
clickjacking attacks not yet reported and discussed in the
literature. In particular, the previously published work has
only focused on detecting the clickjacking attacks caused by
hidden iframes or hidden mouse cursor. In this paper, we
present new attack variants using SVG filters (discussed in
Sect. 3). We justify that, currently, no detection technique
is available for the newly discovered attack. Our proposed
attacks are the alternative way of achieving clickjacking
without getting caught by existing defense mechanism. Fur-
thermore, the limitations in existing clickjacking attack
detection techniques motivate us to develop new detec-
tion approach. Our novel detection method can efficiently
and effectively detect advanced clickjacking attacks in web-
sites.
3 Advanced clickjacking with SVG
In the attacks described in Sect. 2, the attacker has mainly
adopted CSS style for hiding and overlapping iframes and
other web page elements to hijack user clicks. This section
presents some novel methods to create clickjacking attacks
(a7 –a11 ) that are beyond using iframes and CSS styles. We
discuss some novel attacks based on visual effects produced
using SVG [13]. To demonstrate our attack, we use an attack
scenario illustrated in Fig. 5. In this attack scenario, a fake
pop-up window entices the user to perform some set of clicks
(or events), and at the same time, the attacker hijacks the user
clicks.
3.1 Violating display integrity using SVG filters (a7 )
SVG filters provide a way to make an object transparent
through <opacity-value> attribute whose value ranges
from 0.0 to 1.0. The object with opacity value set to unity is
transparent and with value set to zero is fully opaque. Another
way to make SVG drawing objects as well HTML content
transparent is using CSS properties. CSS provides opacity
attribute value, ranging from 0 to 1 to make HTML object
transparent.
We find new alternative ways to make HTML elements
transparent: apply SVG filter primitives with unique values
or use a series of filter effects in order to make trans-
parent elements on the web page. In fact, this technique
bypasses the current clickjacking detection methods where
only CSS opacity value of HTML object is checked, (i.e.,
opacity=0).
SVG filters are like image processing filters used to apply
effects on SVG images like blur, dilation, erosion, etc. A fil-
ter effect consists of a series of graphics operations that are
applied to a given source to produce a modified graphical
result. The result of a filter effect is rendered to the target
browser instead of the original source graphic. SVG filter
effects are defined by <filter> element. Each filter oper-
ation is performed by a built-in filter primitive. A filter effect
can be a series of filter primitives. When the filter blur, it is
applied to any object, it results in a blurred image, which is
barely visible.
Table 2 illustrates the list of filter primitives that can be
used to produce transparent objects when applied on HTML
document or SVG objects. The list contains set of filter prim-
itives. Any combination of those filter primitive results into
the transparent object. Table 2 consists of four columns, filter
name, value, image, and iframe. Filter name is a filter prim-
itive to be used in filter effect, the value is a set of special
attribute–value pair that makes object fully transparent when
the filter effect is applied on it. Image and iframe are the
objects on which filter effects are used to test transparency
and result are quoted as Yes or No.
3.1.1 Understanding the attack
Figure 6 depicts a frame in our attack, which uses alternative
transparency technique. In this attack scenario, a malicious
page conducts a survey on current government having two
input buttons. To carry out this review, a user must click on Yes
or No button and then user submits the survey. This malicious
page may also contain a hidden and transparent Facebook
“like” button placed exactly underneath the two buttons. To
perform the clickjacking attack, an attacker entices the user
to click either Yes or No button on the page.
When the user clicks on either of the buttons, a malicious
page will steal this click and transfer it to Facebook “like”
123
 A. Saini et al.

Table 2 Transparency alternatives using SVG filters

Filter name Filter effect Image iframe

feFlood Flood-opacity=0 Yes No

feTurbulance baseFrequency <= 0.0009 Yes No
feGaussianBlur stdDeviation >= 200 Yes Yes
feConvolveMatrix kernelMatrix=0 preserveAlpha=“false” Yes Yes
feColorMatrix Type=luminaceToAlpha Style=color-interpolation-Filters:sRGB Yes No
Type=matrix values=0 Yes Yes
feComponentTransfer <feFuncA Type=Table TableValues=0 / > Yes Yes
<feFuncA Type=Discrete TableValues=0 / > Yes Yes
<feFuncA Type=Linear slope=0 intercept=0 / > Yes Yes
<feFuncA Type=Gamma Offset=0 exponent=0 Amplitude=0 / > Yes Yes

1 <svg>
2 <a xlink : href="http : / /www. facebook .com/ plugins / like .php?
href=https:%2F%2
3 Fdevelopers . facebook .com%2Fdocs%2Fplugins%2F&width&layout
=standard&action
4 =like&show_faces=true&share=true" &height=80 target="_top
(i.)
">
5 / / Embed Facebook like URL into SVG image
6 <rect x="10" y="20" width="75" height="30"
7 style="stroke : #333366; f i l l : #6666cc"/>
8 </a>
9 </svg>
(ii.) Listing 1 SVG code to embed Facebook “like” URL into an SVG image

3.2.1 Understanding the attack

(iii.)
Fig. 6 Workflow for our advanced transparency attack using SVG fil-
ters. At first, (i) displays the normal working when user clicks “Yes”
button, (ii) When the user clicks on Yes button a Facebook “like” but-
ton is clicked, (iii) When the user clicks on “No” button, still Facebook
“like” button is clicked
button placed underneath the clicked button. The complete
attack steps are illustrated in Fig. 6.
3.2 Embedding link into SVG image (a8 )
The SVG filter uses <a> element to embed URL into SVG
images. SVG URL work just like HTML links. A URL link
can be inserted into any image or shape such as the circle,
rectangle. To achieve this feature, the attacker puts the SVG
shape that is to be used as link between the <a> and </a>
tags. A clickjacking page may contain such link to bypass
detection technique that takes HTML <a> tag as a clickable
element for analysis. Listing 1 illustrates the code snippet for
the SVG image with embedded URL link. In this example,
the SVG image embeds the hidden Facebook “like” button.
SVG <a> elements greatly simplify clickjacking attacks as
they can be applied on cross-domain content like iframe.
Let us consider the attack scenario illustrated in Fig. 2. In
this scenario, an iframe is placed underneath “Click Here”
button. These elements are rendered in such a way that “Click
Here” button is positioned exactly above Facebook “like”
button opened in iframe. An attacker now entices the victim
user to click on “Click Here” button to achieve clickjacking.
The current scenario page can be developed using basic
CSS and HTML features. Here, we develop this page using
SVG clipping [14,15]. Listing 2, shows the code in which
Facebook “like” URL is embedded into SVG image. This
SVG image is placed below “Click Here” button. Further-
more, the SVG image can be embedded into the website using
an iframe (shown in Listing 2).
1 <iframe src="facebook . svg" width="200" height="200" >
Listing 2 SVG image embed using iframe
In this attack scenario, an attacker uses a SVG image,
which entices the user to initiate click on Facebook “like"
button. Since current clickjacking prevention techniques
check for invisibility or transparency in a website, this attack

123
You click, I steal: analyzing and detecting click hijacking attacks in web pages
involving SVG images is difficult to detect, as such images
could have any shape that is visible to the user.
3.3 Modifying user interface using SVG filters (a9 )
SVG filters are used to provide visual effects to SVG images.
We observe that certain SVG filters when applied to the
object change it spatially. It may either increase or decrease
the size of the object. Here, the object refers to either SVG
image object or HTML element. This property is very crucial
regarding clickjacking attack in case if the newly increased
area is still a part of regular user interface but does not respond
to mouse events (user clicks). This expanded and the inactive
area can be used to hide the malicious link. When the user
clicks on an increased area of an element, the click invokes
the malicious link.
We tested SVG objects and critical HTML elements like
images, iframes, and buttons by applying SVG filter effects
on them to modify current object UI and test their behav-
ior against user clicks. Listing 3 illustrates an example code
snippet for created SVG effect.
1 <svg>
2 <defs>
3 <f i l t e r id="f1">
4 <feOffset result="offOut" in="SourceGraphic" dx="25" dy="
25" />
5 <feBlend in="SourceGraphic" in2="offOut" mode="normal" />
6 </ f i l t e r >
7 </defs>
8 <rect width="100" height="100" stroke="green" f i l l="
yellow" f i l t e r=" url (#f1 )" />
9 </svg>
Listing 3 SVG code to create drop shadow effect
The example in Listing 3 creates a shadow of a rectan-
gle. The shadow is actually another rectangle produced by
filter effects <feOffset> and <feBlend> in series. We
applied SVG effect on “submit” button of Fig. 5. The shadow
rectangle is a newly formed object as a result of filter effects
that modify web user interface (UI) as shown in Fig. 7. From
a user’s perspective, the “submit” button object with shadow
effect is a single object, but as filter effect produces it, it may
or may not be a single object.
We have observed two scenarios with SVG filter effect:
(i) in the first scenario, the shadow portion of button does
Fig. 7 SVG filter effects modifies web User Interface
not respond to user clicks, i.e., mouse events but still is
part of the object; (ii) in the second scenario, it responds
to mouse events, i.e., the dummy shadow button works like
original button. This technique hides the malicious links on
the dummy object created by filter effect. The link can be
made more sophisticated by switching control between two
objects (original and dummy).
3.3.1 Understanding the attack
Figure 5 depicts an attack scenario in which the user visu-
alizes a fake pop-up. An attacker wants the user to fill all
the details and then click on the “submit” button or click on
“skip this” link. Using this scenario and SVG filter effects,
we have created two clickjacking attacks, which steal user
click when user click “submit” button or even when the user
does not click “submit” button.
Figure 7 illustrates a more expanded version of our first
attack scenario shown in Fig. 5. In this scenario, the attack
is successful only when the user clicks the desired portion
of “submit” button. Here, we applied morphological filters
dilation effect on “submit” button, which increases a size of
object spatially and modifies current web user interface. The
extra space added by filter dilation extends all visual bound-
aries of the original object except the response to user events.
Hence, the user cannot differentiate the object as two differ-
ent entities. The region enclosed by the dotted rectangle is
original object, whereas the solid line rectangle is an enlarged
version. Underneath this extra space, we place a Facebook
“like” button, which is not visible to the user.
When the user clicks on “submit” button, he initiates a
Facebook “like” button placed underneath enlarged portion
of “submit” button. In this way, an attacker can initiate click-
jacking without completely overlapping an element beneath
the “submit” button. This attack is not detectable by the cur-
rent detection techniques, as the attacker page does not use
any CSS property to either hide or overlap elements.
3.4 Enforcing pointer-event property through
SVG (a10 )
Pointer-event property allows control of the behavior
of graphic element before it becomes the target of mouse
events. A victim’s click would then fall through the decoy
and land on the (invisible) target element.
CSS defines eleven pointer-events attributes appli-
cable to HTML and SVG objects, out of which only two apply
to regular HTML content, and other are for SVG objects. The
pointer-events properties applied on HTML object
include auto, none. The value auto is referred to when
the pointer-event value is not specified and implies a regular
behavior of clickable element on mouse events. Pointer-
event property none is used to disable the target element
123

Fig. 8 Illustration of the fill and stroke property applied on SVG-based
“submit” button
from responding to mouse events like click, state and cur-
sor actions, etc. In the past, the authors have presented the
use of pointer-events applied on HTML elements to
invoke clickjacking attacks. Here, we present new methods
of using pointer-events by applying its properties on
SVG graphics objects.
SVG graphics objects can also use eight
pointer-events properties. For example, SVG defines
each object with pointer-events property as fill
and stroke where fill refers to interior part of object and
stroke refers to edges. Pointer-events on the SVG objects
can be handled separately using fill or stroke property. For
example, if we create SVG-based button through the rect-
angle, the button can only be the target of a mouse event
when the pointer is over the interior (i.e., fill) of the button.
In the case of stroke property, the button can only be the
target of a mouse event when the pointer is over the perime-
ter.
Figure 8 illustrates the fill and stroke property applied on
SVG-based “submit” button. We tested several other ways
to make SVG objects either partially or fully transparent to
facilitate clickjacking attacks. We extended this approach to
clickjacking attack technique where an attacker has many
options to disable clickable graphics element, to facilitate
clickjacking attack through SVG. The attackers need to use
SVG-based web pages to steal user clicks. This attack tech-
nique bypasses traditional clickjacking defense technique,
where the pointer-event attribute is statically analyzed against
the pointer-event value equals to none. Hence, we
propose the new way of disabling clickable elements using
SVG-based effects.
3.4.1 Understanding the attack
Attackers use pointer-events properties on SVG-based objects
to form clickjacking attacks. Figure 5 shows the attack sce-
123
A. Saini et al.
nario in which attacker expects user to click on “skip this”
link but the click is still transferred to “submit” button. The
attacker’s page includes two layers created using nested DIV
tag one overlapped on another. A top layer consists of “skip
this” link, while inner layer consists of “submit” button.
The specified clickable (i.e., “skip this”) link is disabled
by using pointer-events as discussed above. When the user
clicks on this link the click responds to its descendant inner
layer, i.e., “submit” button. In this way, an attacker can steal
user click using the pointer-event property of CSS.
3.5 Enforcing script injection using SVG filters (a11 )
SVG images can be Animated using SMIL (Synchronized
Multimedia Integration Language) [16] or Scripting. Gecko
2.0 [17] support animating SVG elements using SMIL.
Animation using SMIL This tool provides certain tags for
animation such as set, animate, animateMotion,
animateColor, animateTransform. The example
of basic animation using SMIL is illustrated in Listing 4.
1 <rect id="anim" x="10" y="10" width="80" height="55" f i l l
="blue" >
2 <set begin="click" attributeName=" f i l l " to="yellow" /> </
rect>
3 / / On clicking rectangle changes color from blue to
yellow .
Listing 4 Animated rectangle button using SMIL: On clicking rectangle
button the color changes from blue to yellow
Animation using ECMAScript ECMAScript (Java Script)
can be embedded into SVG objects or images like HTML tags
either by specifying <script> tag or directly through inline
JavaScript. An example of basic animation using JavaScript
is illustrated in Listing 5.
1 <svg><svg><script>alert (1) </script ></svg>
2 <rect id="r1" x="10" y="10" width="80" height="55"
onclick="getElementbyID( ’ r1 ’) . v i s i b i l i t y="hidden" ; ">
Listing 5 Embedding JavaScript using SVG
Both JavaScript and SMIL can be applied together on
SVG objects to create animation effects. SVG images pro-
vide many possibilities of executing JavaScript in uncommon
ways unknown to typical web developers and XSS (cross-site
scripting) filters [18], and thus bypasses the malicious scripts
from XSS filters. The simple way to execute script in SVG is
<svg><script>alert (1)</script></svg> sim-
ilar to HTML <script> tag.
One major difference between SVG and HTML is that
SVG objects are transformed into a XML file, while
HTML objects are parsed without transformation. The
<script> tag in HTML is parsed by HTML parser, while
a SVG objects are parsed by XML parser. HTML ele-
ments contain plain text information, and hence, the tags like
<script>, <style> are treated as a plain text, while
You click, I steal: analyzing and detecting click hijacking attacks in web pages
in XML documents entities are in canonical representation.
This implies that HTML parser will throw an error to the code
<script>alert(1)</scr ipt>, while XML parser
will execute the alert() method. Many variations can be
created by exploiting this difference to bypass XSS filters.
For example, a script can be injected in a SVG image using
the code:
<svg><script>alert(1)</svg>.
Alternate methods to execute JavaScript SVG can be used
to embed JavaScript code into a web page. We found four
alternative methods of embedding script into web page. In
contrast to commonly used <script> tag, the following
methods can also be used.
– Method 1: JavaScript code can be embedded through
SVG <set> and <animate> tags just like <script>
tag for HTML elements. For example, Listing 6 illustrates
the basic JavaScript code execution using <set> and
<animate> tags.
1 \ t e x t t t{<set attributeName = onMouseOver to = alert (1) >,
<animate xlink : href=" javascript : alert (1)"/>.}
Listing 6 Embed JavaScript using <animate> tag
Generally, <set> and <animate> are used for ani-
mating SVG objects, but they can also be used to
execute malicious scripts. The <set> element sets
alert() method to be executed after mouseOver
event occurs. In the same way, <animate> element
executes JavaScript without user interaction.
– Method 2: The SVG provides container <g> tag used to
group objects. Transformations applied to the <g> ele-
ment are performed on all of its child elements. Attributes
applied are inherited by child elements. The <g> element
executes inline JavaScript which is applied to the entire
group. It allows many possibilities to execute JavaScript
automatically or after specific event is fired. For example,
the sample code snippet for executing JavaScript using
container tag is shown in Listing 7.
1 <svg><g onload=‘‘ alert (1)" , onMouseOut=‘‘ alert (2)">
Listing 7 Embed JavaScript using <g> tag
– Method 3: SVG provides <handler> element with
event attribute that allows to execute JavaScript. Listing 8
shows the code snippet. In this case, the function assigned
to the handler element is specified as the load. The text
content of the handler element executes as a JavaScript
code without any user interaction. Blacklist-based XSS
filter systems are usually not aware of such ways of exe-
cuting code. Thus, they are not capable of detecting this
kind of attacks.
1 <handler event=load>" alert (1)"</handler>
Listing 8 Embed JavaScript using <handler> tag
– Method 4: The <feImage> filter fetches image data
from an external source and provides the pixel data as
output. The <feImage> can be used to fetch a mali-
cious image (SVG image file from attacker page) for
JavaScript execution. Listing 9 illustrates the code snip-
pet to execute JavaScript code using malicious images.
Here, <set> element uses xlink- :href attribute
to point to data:URI, this URI contains another SVG
image that itself may contain malicious JavaScript, which
runs immediately on loading the <feImage> tag. So
this way an attacker can execute malicious JavaScript
embedded into SVG images.
1 <svg xmlns =" http : / / www.w3. org /2000/ svg"
2 xmlns : xlink =" http : / / www.w3. org /1999/ xlink">
3 <feImage >
4 <set attributeName =" xlink : href "to=" data : image /
svg+xml; charset =utf −8; base64 ,
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53
5 My5vcmcvMjAwMC9zdmciPjxzY3JpcHQ \%2
BYWxlcnQoMSk8L3NjcmlwdD48L3N2Zz4NCg \%3D\%3D"/>
6 </ feImage >
7 </svg >
Listing 9 Embedding JavaScript in images
– Method 5: The SVG <foreignObject> tag allows
you to mix non-SVG content into your page. The included
foreign graphical content is subject to SVG transforma-
tions and composting. JavaScript can be injected through
the <foreignObject> tag to extract sensitive data
such as cookies. Furthermore, it can also be used to
bypass security restrictions enforced by XSSfilters [18].
4 Extracting relevant clickjacking features
We discussed sophisticated clickjacking attacks in Sect. 3 that
are difficult to detect and analyze using existing approaches.
Thus, we need a new robust approach to detect advance
clickjacking attacks. Furthermore, a new method must han-
dle accurately the dynamic features extracted from a web
page and should not require reconfiguration when clickjack-
ing attack exploits a new HTML tag. Our approach relies on
comprehensive dynamic and static analysis of the web pages.
Our model extracts only relevant features from a web page
opened in a browser. A web page consists of HTML tags with
their attributes and values associated with them. In particular,
our relevant features consists of the values assigned to Rele-
vant HTML Tags (RHT), such as, iframes, frame, div,
span, a, input, form, p, button, img, SVG, and other
clickable HTML elements for discovering the symptoms of
clickjacking attack in a website. In addition to that, we are
interested in text or objects that generate a click event when
clicked.
To measure the significance of a feature in detecting click-
jacking, we use the dataset of 1000 web pages susceptible to
123

known clickjacking attack and 1000 legitimate web pages.
We perform an analysis to differentiate the feature values
extracted from these two datasets. After this analysis, we
come out with thirteen relevant features. In particular, the
relevant features extract from a web page characterizes the
normal or hijacked click event. For example, the instantiation
of a hidden and overlapped link, the redirection of the hidden
mouse cursor, or the activation of the malicious script with
a hijacked click, etc.) occurring during the interpretation of
JavaScript and HTML code of a web page. In the following,
we describe the relevant features used by our model.
The Features of our proposed approach can be categorized
as:
– Visual context of the web page.
– Overlays in the web page.
– Mouse pointer-based features.
– HTML and JavaScript-based features.
– Domain and Redirection Features.
In following subsections, we discuss each category in detail.
4.1 Visual context of the web page
We include five features that characterize this kind of activity.
Feature 1: Visibility of the web page elements. We record
the visibility of all HTML tags and elements present in a
web page. The feature value can be obtained by checking
CSS visibility property that is set to hidden.
Feature 2: Opacity of the web page elements. We record
the opacity value of every page elements present on a
web page. A web page can use CSS opacity value to
0 to hide page elements. Moreover, smart attacker some-
times partially hides the elements to avoid detection. This
can be achieved by setting opacity value in range of
.2 to .1. The aim is that an element is barely visible and
not visually perceptible by the user.
Feature 3: Clipping with SVG. We record the SVG tags
along with their values used for clipping a region of the
web page. The clickjacking page can be created by join-
ing the clipped area of the web pages (discussed in Sect. 3,
Attack a8 ). In contrast, the legitimate website does not
contain the clipped elements from different domains. We
identify the clippath [13] to record the clipping region
in a web page.
Feature 4: Manipulation of UI Elements. We record
parameters involved in the UI manipulation. We achieve
this by increasing the clickable area and hiding the link
below the increased clickable region (discussed in Sect. 3,
Attack a9 ).
Feature 5: Moving web page elements. We record the
web page elements that move with a mouse cursor. The
123
A. Saini et al.
action causes the timing attacks. For example, an attacker
could move the target element (via CSS position prop-
erties) on top of a decoy button shortly after the victim
hovers the cursor over the decoy, in anticipation of the
click. We identify the moving elements in a web page with
two steps as follows: (i) first we record the coordinates
of all the clickable elements present on the web page; (ii)
then, we find the elements whose position changes after
mouse movement and user click.
4.2 Overlays features in web pages
We extract a feature that is indicative of the overlay and over-
lapping web page elements.
Feature 6: Overlapping. The overlapped elements can be
used by an attacker to confuse victim user, and circumvent
detection tool. Some detection tools check only hidden/trans-
parent properties as their primary features in detecting the
clickjacking attack. But an attacker can use overlays to over-
lap webpage elements underneath other items. We record the
overlapped elements that are clickable.
4.3 Mouse pointer-based features
We extract the following feature to record the cursor and
pointer characteristics.
Feature 7: Hidden mouse pointer. We monitor the CSS
cursor:none property after loading of the web page to
discover a hidden mouse cursor. Also, we also monitor the
APIs used in JavaScript code of web page that program-
matically hide genuine cursor and draw a fake cursor on a
web page. Another variant of cursor manipulation involves
the duplicating the cursor. The attacker takes following two
steps to execute clickjacking attack:
– First, the attacker does not hide the genuine cursor;
instead, he positions a transparent cursor look alike image
on top of a genuine cursor, which a victim user does not
notice.
– In the second step, the attacker draws a fake cursor on a
web page, which when points to the button, the genuine
cursor points to the target element.
We record this attack activity by monitoring the JavaScript
code that defines the image movement with the mouse move-
ment.
4.4 HTML and JavaScript-based features
A click might result in an execution of JavaScript code
embedded into a web page. Such scripts can result in click-
jacking or serious attacks such as XSS attacks [19]. We
You click, I steal: analyzing and detecting click hijacking attacks in web pages
include four features that characterize HTML and JavaScript
properties.
Feature 8: Hidden links with pointer-events. We monitor
CSS pointer-events property to explore visually hid-
den target elements (discussed in Sects. 2 and 3, attacks a5
and a10 ). We extract this feature in a two-step fashion: (i) first,
we extract all the overlapped elements (fully or partially)
from web page through x and y coordinates of x-axis,
y-axis and checking CSS z-index value [12]; (ii) in
next step, we check if CSS pointer- event property is
set to auto and none value.
Feature 9: Event bubbling and capturing. We monitor the
web page elements that are nested within each other. For
example, DIV tags can be nested to initiate event bubbling
and event capturing [20] on the target element. An attacker
can make target element transparent by wrapping it in one
of the nested DIV container by setting CSS opacity value to
zero, and keep other DIV contents visible. In this, the handler
of the parent (top DIV) works even if the child (nested DIV)
is clicked and vice versa.
A hidden link wrapped into nested DIV may send some
forge request to server leading to CSRF attack [21]. This new
set of clickjacking attack is called bubblejacking attack. We
record this activity by collecting information on nesting of
DIV tags. In addition, we also record parent and child DIV
tags from the nested DIV tags.
Feature 10: Stacking elements with z-index. Every browser
supports HTML/CSS styling attributes that not only allows
an attacker to visually hide the target element, but also allows
it to route mouse events to it. For example, an attacker can
make the target element transparent by wrapping it in a DIV
container, and set CSS opacity value to zero. It then creates
a stacking of overlapped elements under the target element
by using a lower CSS z-index [12] and lures victim user to
click on stacked elements. When victim user clicks on an
upper element, the click also routes to the lower element(s),
which may initiate the hidden malicious event or click on
link hidden underneath the lower elements.
Feature 11: Script injection with SVG. SVG tags allow an
alternative way to inject script into the website (discussed in
Sect. 3). In our analysis, we record all these alternative script
tags.
4.5 Domain and redirection
Sometimes, an attacker master page is not vulnerable to click-
jacking attack, but a page may contain a link that redirects
master page to new page in (same or different domain), which
indeed is vulnerable to XSS [19], phishing [22], CSRF [21],
etc. For example, open redirects found on attacker master
page are liable to be exploited by phishers to create a link to
their site. We extract the following two features related to the
page redirection.
Feature 12: Redirection to same domain. This feature indi-
cates that on applying click event on a web page, a page
redirects to another page in the same domain. The new
page there has no hyperlink to visit the previously suspected
domain.
Feature 13: Redirection to other domain. This feature
indicates that on applying click event on a web page, a
page redirects to the new page in the different domain (or
third-party domain). The new page contains different SSL
signature attributes compared to the previous page.
4.6 Discussion
We use the thirteen features that are introduced in this section
to characterize the properties of a web page. It gives us a
comprehensive picture of the clickjacking behavior exhibited
in a web page. We classify our features into two categories:
(i) static features and (ii) dynamic features.
The values for static features can be obtained by analyzing
the source code of the web page. These include following
features.
– The features from visual context category that is char-
acterizing the visibility, opacity of website elements and
clipped content of a web page (features 1, 2, and 3).
– One feature from the mouse pointer category, which char-
acterizes the mouse cursor on a website (Feature 7).
– The features from HTML and JavaScript-based category
(features 8, 9, 10, and 11).
We extract the values of dynamic features after a web page
opens in the browser window. Once the page is opened in the
browser window, based on the position and behavior of the
rendered elements, we obtain the values of dynamic features.
These include following features.
– Two features from visual context category features that
characterize the movement and user-interface manipula-
tion in websites (features 4 and 5).
– The overlay feature (Feature 6) that characterizes the
overlapping of elements.
– The domain and redirection features (features 12 and 13).
In our model, we define nine behavioral properties to
encapsulate characteristics of a web page. We group some of
the features to represent one behavioral property. For exam-
ple, features 1 and 2 define the visibility of elements on the
website. Our model uses different HTML and CSS proper-
ties to set the visibility of an element. So we combine these
two features to create one description, which represents the
visual context of an element (denoted as φ1 ). Table 3 shows
nine behavioral properties derived from the feature set used
in our model. For example, in the fifth row, we combine the
123
 A. Saini et al.

Table 3 List of behavior expressed from extracted relevant features set of final states. Figure 9 shows the state transition diagram
Notation Features Description of the FSA model that contains seventeen states from S0 to
S16 , where S0 being the initial state. We consider request and
φ1 Features 1 and 2 Describes the visibility of web response that are of interest in respect of our model. Table 4
page elements
enumerates the requests. If a page open in the browser from
φ2 Feature 6 Check overlapping of elements on
initial URL does not contain any hidden clickable element
a web page
(request α0), then the next state is considered as S1 . However,
φ3 Feature 7 Check if a web page contains
hidden/duplicate mouse cursor if the opened page contains non-hidden clickable elements,
φ4 Feature 8 Check if elements on web page is and on applying click on such clickable element downloads
using pointer-event a new page that contains hidden clickable elements (request
property α1), then the next state is considered as S2 . F is the final
φ5 Features 4 and 5 Check if any modification in user state which belongs to S3 , S4 , . . . , S16 . Here, a state implies a
interface on moving mouse web page rendered by a browser. To avoid the state explosion
cursor or clicking
problem, we consider the behavior observed from the content
φ6 Feature 3 Check for clipped web page
of a web page as a single state.
elements incorporate by SVG
filters We denote inputs of the FSA as interesting requests
φ7 Feature 11 Check if <script> tag (denoted as α0 and α1 ) and corresponding responses (denoted
(including alternative SVG script as β0 –β15 ), which are discussed in detail in Table 5. A
tags) is used with any hidden website is clickjacking or legitimate, if it can reach from
element
an initial state to one of the final states. Some of the final
φ8 Features 9 and 10 Check for nested and stacked web states are legitimate (S3 , S12 , S13 , S15 ), whereas others are
page elements
producing clickjacking attacks (S4 , S5 , S6 , S7 , S8 , S9 , S10
φ9 Features 12 and 13 Check if clickable element on click
redirects page to same or other , S11 , S14 , S16 ). Figure 9 presents the state diagram of our
domain FSA after removal of infeasible states.
A state transition occurs for a given request and the
corresponding response. A transition label as the (request,
response) pair in the figure. For example, [α1 , β1 ] implies
features to represent behavior, which is user-interface modi-
that given the request α1 , the response is β1 . We summarize
fication behavior. However, in the fourth row, we use feature
interesting responses in Table 5.
itself as a behavioral property because this is the only way to
We observe 61 possible responses concerning the nine
achieve the corresponding functionality.
behavioral features discussed in Table 3. However, in Fig. 9,
we only use sixteen interesting responses (denoted as
β0 −β15 ). The rest other combinations are either infeasible
5 Behavior model and testing or not related to attack cases, and we do not include these
in the FSA. Table 5 illustrates sixteen interesting response
In this section, we first introduce the proposed behavior states, the symbol ! represents that a feature is not present in
model using Finite State Automaton (FSA) in Sect. 5.1. We a web page. For example, the first row (β0 response state)
then define some heuristics criteria to verify clickjacking represents that no relevant feature is present on a web page.
and legitimate sites in Sects. 5.2 and 5.3. Section 5.4 shows The third row (β2 response state) represents that following
a relationship between some clickjacking attack types and features are present in a web page (i.e., hidden elements are
heuristics. present, overlapping elements are present, hidden/duplicate
mouse cursor is not present, pointer-event property is asso-
5.1 Program behavior model ciated with elements, moving elements are not present, no
clipping using SVG filters, no script embedded into hidden
We use FSA [23] notion to describe a program’s behavior. We element, no nested elements, and there is response redirec-
develop it based on the static and dynamic features identified tion to other domain). So, the β2 state represents a behavior,
in Sect. 4. We model FSA on the basis of known symptoms which may result in the attacks such as a5 , a6 (discussed in
of clickjacking and legitimate websites from a request (user Sect. 2).
click) and the response after clicking on suspected clickable The model provides us the flexibility to detect clickjacking
elements present on a website. websites that might steal user clicks. A clickjacking website
The FSA is denoted by , S, S0 , δ, F, where  is a finite might follow only a subset of the FSA. Moreover, the model
set of inputs, S is a non-empty but finite set of states, S0 ⊂ S differentiates a clickjacking and legitimate website. To test
is the initial state, δ is the state transition function, and F is a the effectiveness of our FSA, we define several heuristics

123
You click, I steal: analyzing and detecting click hijacking attacks in web pages

Fig. 9 State diagram

representing behaviors of
clickjacking and legitimate
websites

Table 4 Relevant requests applied on the websites Table 5 Relevant responses gathered from the dataset websites
Request ID Description Response ID Relevant response states

α0 Web page open from initial URL in β0 !(φ1 φ2 φ3 φ4 φ5 φ6 φ7 φ8 φ9 )

browser window β1 (φ1 ) + !(φ2 φ3 φ4 φ5 φ6 φ7 φ8 φ9 )
α1 Clicking of suspected clickable element β2 (φ1 φ2 φ4 φ9 ) + !(φ3 φ5 φ6 φ7 φ8 )
on website
β3 (φ1 φ2 φ3 φ9 ) + !(φ4 φ5 φ6 φ7 φ8 )
β4 (φ1 φ3 φ9 ) + !(φ2 φ4 φ5 φ6 φ7 φ8 )
β5 (φ1 φ4 φ8 φ9 ) + !(φ2 φ3 φ5 φ6 φ7 )
based on the related work, and proof-of-concept for click- β6 (φ1 φ4 φ7 ) + !(φ2 φ3 φ5 φ6 φ8 )
jacking attack to identify whether a website is clickjacking
β7 (φ1 φ6 φ9 ) + !(φ2 φ3 φ4 φ5 φ7 φ8 )
or legitimate. We develop request and response heuristics in
β8 (φ1 φ5 φ9 ) + !(φ2 φ3 φ4 φ6 φ7 φ8 )
the next section.
β9 (φ1 φ7 ) + !(φ2 φ3 φ4 φ5 φ6 φ8 φ9 )
β10 (φ2 φ4 φ9 ) + !(φ1 φ3 φ5 φ6 φ7 φ8 )
5.2 Request heuristics
β11 (φ2 φ3 φ4 φ9 ) + !(φ1 φ5 φ6 φ7 φ8 )
β12 (φ1 φ8 ) + !(φ2 φ3 φ4 φ5 φ6 φ7 φ9 )
We developed the set of heuristics based on related work,
β13 (φ1 ) + !(φ2 φ3 φ4 φ5 φ6 φ7 φ8 φ9 )
primarily [3,10,24,25]. Our approach utilizes ad hoc heuris-
β14 (φ8 ) + !(φ1 φ2 φ3 φ4 φ5 φ6 φ7 φ9 )
tics to determine the class of an attack when particular types
of click stealing events are detected. The selection of which β15 (φ2 ) + !(φ1 φ3 φ4 φ5 φ6 φ7 φ8 φ9 )
heuristics to apply as well as how each heuristic influence by ! ->(not present), + -> (and operator)
the type and parameters of the event identified. Our system
currently incorporates heuristics for existing, and SVG-based
advanced clickjacking attack classes defined in Sect. 3. Our position exactly above the target element on the hidden
heuristics are as follows: iframe. Many clickjacking attacks use these characteris-
tics to steal user clicks. A legitimate website may have
– Hidden iframes/DIVs (H1) This heuristic criterion hidden elements, but they do not overlap with other items.
checks whether a web page contains hidden clickable ele- This observation motivates us to define a heuristic based
ments or overlapped on hidden iframes. We use features on the presence of overlapped and hidden elements.
1, 2, and 7 to implement these heuristics. This heuris- – Hidden pointers (H2) This heuristic criterion is satis-
tic returns clickjacking if it finds the clickable element fied if a web page has the duplicate mouse pointer and a

123

hidden clickable elements. The duplicate mouse cursor is
aligned with original one either hidden or transparent in
such a way that when the user points the duplicate cursor
on the clickable element on attacker page, the original
cursor points to target element on the hidden iframe. A
legitimate website is not likely to contain hidden mouse
cursor pointing to the hidden element. In contrast, a click-
jacking website may contain a duplicate mouse cursor,
pointing to hidden elements. Application of this heuristic
requires obtaining values from features 1, 2, and 6.
– Pointer-events (H3) This heuristic criterion checks
whether the clickable elements on a web page are
responding to mouse/touch events and whether or not
the cursor is visible. A clickjacking page often uses this
feature to execute malicious scripts on a victim browser.
This heuristic requires obtaining values from features 1,
2, and 8.
– Nested Divs (H4) This heuristic criterion is satisfied if
a web page contains nested DIV tags either overlapping
on each other or hidden. A malicious web page may use
nested DIV tags to initiate malicious link through event
bubbling and capturing [20]. Application of this heuristic
requires obtaining values from features 1, 2, 9, and 10.
– Visible but overlapped elements (H5) Clickjacking
websites sometimes do not hide iframes or clickable ele-
ments, instead the element overlaps on a target element
in an unnoticeable manner. We develop a heuristics that
checks overlapping of clickable elements as well as click
transfer that is achieved using pointer-event. It cre-
ates an attack scenario similar to the one discussed in
heuristic H3. However, in this scenario, the elements are
visible. Besides, heuristic also checks the response of a
click, i.e., on clicking the element the resultant page is
in the same domain or different domain. Application of
this heuristic requires obtaining values from features 6,
7, and 10.
– Moving elements (H6) Clickjacking website sometimes
contain hidden elements that move with a mouse cur-
sor. Using this functionality, wherever a user clicks, an
attacker can capture it. We developed a heuristics that
for any hidden moving button inside iframe, or DIV
containers present on a web page. A clickjacking website
may use this container to hide a target button. Appli-
cation of this heuristic requires obtaining values from
features 1, 2, and 5.
– Other hidden elements (H7) Clickjacking websites
rarely contain hidden elements other than iframes or DIV.
On the other hand, a legitimate website may contain other
hidden elements for website functionality. This heuristics
checks whether a hidden element present on the website
is iframe/DIV or any other element. Application of this
heuristic requires obtaining values from features 1, and
2.
123
A. Saini et al.
5.3 Response heuristics
– Hidden script (H8) This heuristic criterion checks
whether a clickable element invokes any script on click-
ing. A legitimate page may contain scripts, but these
may not hide behind the clickable element. This heuris-
tic returns clickjacking if it finds the clickable element
hiding any script. Many clickjacking attacks use this char-
acteristic to initiate XSS or CSFR attacks on websites. We
use features 1, 2, and 11 to implement this heuristic.
– Domain redirection (H9) This heuristic criterion checks,
after clicking a clickable element, whether a web page
generates any traffic from other domain. We use features
12 and 13 to implement this heuristic. This heuristic is
useful to detect clickjacking in websites that result in the
response from the domain other that the current work-
ing domain. However, this feature may also be present
in legitimate websites, so we apply this heuristic in con-
junction with other heuristics to detect clickjacking.
5.4 Testing heuristics using real example
We now apply these heuristics (H 1−H 9) on a real example
scenario to identify the clickjacking behavior from legitimate
behavior. To demonstrate the effectiveness of our proposed
heuristics, we consider a very typical attack scenario as
shown in Fig. 5, which hooks user into filling the form, and
clicking the “submit” button. In addition, we take most com-
mon attack target in clickjacking, such as Facebook “like”
or “post” button. A malicious page contains these buttons
such that the victim does not notice their presence.
We assume that to trigger a Facebook “like” or “post”
button, a user may require one or more clicks. Note that
our discussion is applicable for other attack scenarios, which
involves clicking of web page elements such as web form
“submit” button, Twitter “post” button, “login” and “regis-
tration” buttons or other clickable elements. Furthermore, we
assume that on clicking an element on the attacker’s website,
the response page may or may not be in the same domain. It
may redirect to other domain also. For a given example shown
in Fig. 5, we consider two user behaviors: (i) in first scenario,
user inputs information, and then click on “submit” button;
(ii) in second scenario, user does not input information, and
click on “skip this” link. Using these two user behaviors, we
derive twelve test case scenarios.
Table 6 shows the test scenarios (T s1 −T s12 ), and corre-
sponding descriptions representing the functionalities. For
example, the first row describes test case scenario in which
the suspected website gathers information from the user, and
when the user clicks on the “submit” button, it generates a
hidden request unknown to the user. Moreover, the suspected
website contains hidden and overlapped elements. We denote
You click, I steal: analyzing and detecting click hijacking attacks in web pages

Table 6 Test scenarios and corresponding behavior, state sequence and heuristics
Test case Suspicious behavior Click event State sequence Heuristics

T s1 (input) Hidden iframes/DIVs overlapped with “submit” button “submit” button S0 , S2 , S4 H1, H9
T s2 (no input) Hidden iframes/DIVs overlapped with “submit” button “skip this” link S0 , S2 , S3 –
T s3 (input) Hidden moving user interface “submit” button S0 , S2 , S9 H6
T s4 (no input) Overlapped links with pointer-events enabled “submit” button S0 , S1 , S10 H3, H5, H9
T s5 (input) Overlapped links with pointer-events enabled “skip this” link S0 , S1 , S10 H3, H5, H9
T s6 (no input) Hidden/duplicate mouse cursor “submit” button S0 , S2 , S5 H2, H9
T s7 (input) Hidden/duplicate mouse cursor “skip this” link S0 , S2 , S5 H2, H9
T s8 (no input) Initiate script through hidden links “submit” button S0 , S2 , S6 H1, H8
S0 , S2 , S14 H1, H8
T s9 (input) Initiate script through hidden links “skip this” link S0 , S2 , S6 H1, H8
S0 , S2 , S14 H1, H8
T s10 (no input) Manipulates user interface “submit” button link S0 , S2 , S7 H4, H9
S0 , S2 , S8 H4, H9
S0 , S2 , S9 H4, H9
S0 , S2 , S14 H4, H9
S0 , S2 , S15 –
T s11 (input) Manipulates user interface “skip this” S0 , S2 , S7 H4, H9
S0 , S2 , S8 H4, H9
S0 , S2 , S9 H4, H9
S0 , S2 , S14 H4, H9
S0 , S2 , S15 –
T s12 (no input) Hidden elements other than iframes/DIVs “submit” button S0 , S2 , S15 H7

this testing scenario as T s1 (input information). However,
a test case scenario T s2 in the second row describes a sce-
nario in which user does not enter any information in “input”
field. Instead user clicks on “skip this” link. Also, in this
case, a suspected website contains hidden and overlapped
elements.
Table 6 shows the mapping of test scenarios, state
sequences (illustrated in Fig. 9), and the corresponding
heuristics required to capture this behavior. We observe that
using state and heuristics allows us to distinguish every
clickjacking website from legitimate websites. For example,
in the second row, the user input information collection in
suspected website followed by redirecting a victim to a legit-
imate website containing no form results in the state sequence
S0 , S1 , S10 .
We observe that using state and request-/response-based
heuristics allows us to distinguish all the suspected websites
(designed to achieve clickjacking) from legitimate web-
sites. For example, in the first row, the test scenario T S1
with input information has hidden iframes or DIV con-
tainer. This test scenario follows state sequence S0 , S2 , S4
with S4 as final state. This state sequence represents a
scenario in which a hidden iframe is beneath “submit”
button. The “submit” button also has pointer-event
property, which applies click on underneath element. When
the user applies a click to the “submit” button, it ini-
tiates hidden underneath clickable element. To test more
efficiently, we match this test scenario with our proposed
heuristics. We observe that the scenario satisfies request
heuristic H 1 and response heuristic H 9 for detecting an
attack.
Now, let us consider another test scenario T s12 . In this
scenario, we assume that a web page has hidden elements
but no hidden iframes or DIV. The test scenario follows the
state sequence S0 , S2 , S15 with S15 as final state. This state
sequence represents a scenario in which a hidden element
(not iframes and DIVs) may or may overlap with other ele-
ments. Moreover, in this scenario, the click event does not
initiate a hidden link, or redirect to other domain. We observe
that this scenario satisfies the request heuristics H 7, which
apparently proves that this scenario is legitimate. In sum-
mary, our state sequences derived from FSA, in conjunction
with heuristics H 7, can detect a website as clickjacking or
legitimate.
5.5 Relation between attacks and heuristics
In this section, we describe how request- and response-
based heuristics can be applied to discover clickjacking.
Table 7 illustrates the summary of some example attack

123
 A. Saini et al.

Table 7 Clickjacking attack

Attack ID Attack type Heuristic
type and corresponding
heuristics applied to detect an a1 Click stealing through visual perception H1 ∨ H2 ∨ H3 ∨ H9
attack
a2 Click stealing through keystrokes H1 ∨ H5 ∨ H9
a3 Click stealing through pointer H1 ∨ H2 ∨ H9
a4 Click stealing through CSS (stacking elements) H4 ∨ H5
a5 Click stealing through CSS (pointer-event) H1 ∨ H3 ∨ H5 ∨ H9
a6 click stealing through element movement H1∨ H6 ∨ H7 ∨ H9
a7 Violating display integrity using SVG filters H1 ∨ H2 ∨ H3 ∨ H9
a8 Clickjacking with SVG clipping and masking H1∨ H3 ∨ H5 ∨ H9
a9 Modifying user interface using SVG filters H1 ∨ H3 ∨ H5 ∨ H9
a10 Enforcing pointer-event property through SVG H3 ∨ H5 ∨ H9
a11 Enforcing script injection using SVG filters H1 ∨ H8
∨ -> (or operator)

Table 8 Comparison of
Detection techniques Attack types
clickjacking attacks and
prevention techniques a1 a2 a3 a4 a5 a6 a7 a8 a9 a10 a11
√
Frame busting [26] × × × × × × × × × ×
√
HTTP header [27] × × × × × × × × × ×
√ √ √ √ √ √
Proclick [28] × × × × ×
√
HEAD element [29] × × × × × × × × × ×
√ √
Confirmation/randomization [10] × × × × × × × × ×
√ √
Clicksafe [30] × × × × × × × × ×
√ √
Blocking of mouse click [31] × × × × × × × × ×
√ √
Detection of overlapping clickable element [24] × × × × × × × × ×
√ √ √ √ √ √
Incontext [10] × × × × ×
√ √ √ √
Disabling JavaScript [32] × × × × × × ×
√
Nepomnyashy et al. [27] × × × × × × × × × ×
√ √ √ √ √ √
NoScript (ClearClick) [33] × × × × ×
√ √ √ √ √ √
ClickIDS [24] × × × × ×
√ √ √ √ √ √ √ √ √ √ √
Our approach

types and corresponding heuristics (request and response).
Section 3 discusses the detailed description of these attack
types. Our heuristics can detect some advanced clickjack-
ing attacks that are created using SVG images and filters.
For example, SVG uses an alternative way to embed script
into websites, which may inject malicious script on the vic-
tim machine. This attack may result in XSS attack through
clickjacking.
The detection techniques for checking malicious script
only check scripts that use HTML script tag. This lim-
itation led our new SVG-based advanced attacks to bypass
detection techniques. We have denoted this attack type as a11 .
Our proposed model can detect SVG-based scripting tags to
restrict any script injection on a victim machine. The request
heuristic H 1 and response heuristic H 8 allow discovering
the attack.
5.6 Comparing our approach with other clickjacking
detection techniques
Table 8 shows a mapping between clickjacking attack types
and defense techniques discussed in the literature. We com-
pare our approach with other clickjacking defense techniques
on attack types (a1 –a11 ) mentioned in Sects. 2 and 3.
The typical attack type for creating clickjacking uses an
iframe, which is nearly or entirely invisible. Table 8 illus-
trates basic clickjacking attack type as a1 . It is evident
that disabling JavaScript can solve most of the clickjacking
attack types [10,25], although it negatively affects the access
to available functionalities. Also, the basic frame busting,
HTTP Header or HEAD-based solutions are not adequate
when dealing with clickjacking attacks. We discuss new
advanced and alternate methods of producing clickjacking
attacks in Sect. 3. Our proposed attacks use SVG filter tech-

123
You click, I steal: analyzing and detecting click hijacking attacks in web pages
niques, which is not detectable or addressed by any of the
previous methods. In contrast, the proposed approach (men-
tioned in Sect. 5) can detect advanced attack types, without
affecting user experience.
6 Model implementation
In this section, we describe the implementation details of our
approach.
– The first module is called query pattern (QP) module.
It consists of two sub-modules: (i) feature extraction
module which we call the EXTRACTOR module. We
implement it as a browser plug-in to extract relevant fea-
tures from a web page and; (ii) QP module generates
query pattern from the relevant features.
– The second module is signature generation unit, which
generates the attack signatures for clickjacking attacks.
– The third module is C-CHECK parser, which parses
query pattern to check symptoms of clickjacking attacks.
– The fourth module is Click inspector, which categorizes
the websites under consideration into clickjacking or
legitimate websites based on the heuristics defined in
Sect. 5.
We implement an extension, which installs on a Firefox
browser (any version). For a web page, EXTRACTOR mod-
ule fetches all the features (discussed in Sect. 5) with the
attribute values. QP module then generates the query pattern,
which is, then, input to C-CHECK parser module. C-CHECK
parses all the query patterns by checking them with attack
signatures. The final output is given to click inspector, which
generates an appropriate alert for a website based on heuristic
rules. Following is a description of each module.
6.1 The QP module
The QP module has EXTRACTOR plug-in which extracts the
relevant features with values from the website. The web pages
that our system scans for analysis consists of HTML tags,
but we show interest in the Relevant HTML Tags (RHTs).
We identify the values associated with these RHT using
EXTRACTOR (plug-in) installed on the browser. The reason
of using browser extension is that it can get access to browser
internals, such as, Document Object Model (DOM) [34],
which stores entire information of a website opened in the
browser.
6.1.1 Attributes extraction technique
Every element in a web page is represented in the form of a
DOM tree, which can be read or captured using JavaScript
APIs. The DOM tree stores all elements, such as input
fields, images, paragraphs, frames, links of a web page. In a
DOM tree, the element and attribute nodes are represented
as HTML tag and parameter values respectively. RHT val-
ues are extracted directly using JavaScript, or JQuery [35]
APIs from the source code of a website. We encode RHT as
a bit vector in which, it represents a given feature value 0(1)
representing absence (presence) of the feature.
The values for features 1, 2, 7, 8, and 10 are extracted
from the respective CSS styles associated with a given RHT.
To check for the presence of values Feature 5, we generate
automatic clicks at different positions on the page and notice
changes in invisible or barely visible elements coordinates
after every click. We use JavaScript APIs to generate clicks
on element coordinates. We obtain the values of Feature 6
by extracting coordinates (top, left, right, bottom), and com-
paring it with the contact details of all other elements. In
this way, we can determine two overlapping elements on a
website. The values for features 3 and 11 obtain from source
code enclosed within SVG tag.
6.1.2 QP module
The QP module contains the implementation of the logic
and description of symptoms of the clickjacking attack. Our
approach compares each web page characteristics against
attack signatures. The obtained behavior (defined in Table 3)
derived from feature values is processed to build QP, i.e.,
QP → {φ1 , φ2 , . . . , φ12 }, , where φ1 . . . φ12 . Each QP rep-
resents the set of behavior discussed in Table 3. The parser
unit processes the input from QP, and then, it checks against
the attack signatures for detecting clickjacking attacks.
6.2 Signature generation unit
This unit comprises of a set of known attack signatures
derived from websites susceptible to clickjacking attack.
More precisely, these signatures build from the relevant fea-
tures that checks if the conditions required for a successful
clickjacking attack satisfies. In our experience, the informa-
tion collected with the features in our clickjacking attack
classes is often sufficient to generate high-quality signatures
for our detection model. The unit builds the attack signature
database for all variants of clickjacking attacks.
6.2.1 Signature database
In this model, the attack signatures are created using rele-
vant feature values extracted from various attack classes. We
use the dataset of 1000 known attack web pages containing
symptoms of the clickjacking attack. Our signature database
consists of the feature values obtained from these test sample
web pages. Our model checks every new web page against
123

the signatures for inspecting characteristics of the clickjack-
ing attack. In particular, the attack signature provides the
description for all RHTs that we have selected for our model
and represents the possibility of an attack. Each attack class
has the separate signature, which contains the suitable dis-
criminating attribute values for separating the suspicious and
attack web pages from the legitimate web pages. To maintain
and enrich the signature dataset, we must carefully look new
suspicious properties from the new clickjacking attack and
extract relevant features from these properties.
7 Experimental evaluation
To test the effectiveness of our solution, we first build
the valid signatures from various instances of clickjacking
attacks. Thus, the base of our solution lies in creating accu-
rate attack signatures for RHTs. Our method raises an alert
if properties of HTML or SVG tags present in a web page
resembles with the features of clickjacking web page.
We conduct four experiments to assess the performance of
our proposed method. In the first experiment, we examine the
symptoms of basic clickjacking attack features in web pages.
In the second experiment, we consider advanced clickjack-
ing attack features in web pages. In the third experiment,
we examine the effectiveness of our proposed features in an
adaptation of detecting clickjacking attacks on websites. In
the fourth experiment, we evaluate the impact of clickjack-
ing attack in different categories of web domains. We use
two metrics to evaluate each approach:
– True positives (correctly labeling a clickjacking site as
clickjacking, higher is better).
– False positives (incorrectly labeling a legitimate site as
clickjacking, lower is better).
7.1 Dataset preparation
We first created 1000 web pages susceptible to clickjack-
ing attack. We design these web pages by knowledge gained
from the literature, basic clickjacking attacks described in the
literature, attack classes outlined in Sect. 2.1, and newly iden-
tified attack techniques outlined in Sect. 3. In all cases, our
detection system correctly raises clickjacking attacks alert.
We also prepare a dataset of 1000 legitimate pages consists
of popular web pages that do not contain any advertisement,
pop-ups, hidden iframes, and transparent elements.
Furthermore, we collect thousands of real-world websites.
We combine different sources to obtained list of URLs that an
ordinary user experiences in his everyday web browsing. We
choose 78,000 legitimate websites that are representative of
what an average user may encounter in his/her everyday web
browsing experience. In particular, we include the top 20,000
123
A. Saini et al.
most popular websites published by Alexa [36], and 40,000
websites result from the ad hoc queries on popular search
engines. In particular, we query Google and Yahoo with var-
ious combinations of terms such as porn, advertisement, free
download, free iPhone/iPod, torrent, warez, online game, free
music, and free movies. We ran each query in different lan-
guages including English, Chinese, Urdu, German, Russian,
and Turkish. We download top 500 URL names from each
query to collect around 40,000 URL lists. Also, to increase
the chances of finding attacks, we also included sources that
were more likely to contain malicious content. We take down
10,000 websites from malwaredomains.com [37], and 8000
websites of phishing URLs published by PhishTank [38].
We execute our experiments simultaneously on five Win-
dows virtual machines for 20 days. We visit 78,000 unique
domain web pages, out of which around 11.64% of pages are
unreachable or not found. The remaining 68,920 web pages
scanned with our proposed system. We use Chrome (versions
v18.0.1025.168 and v30.0.1599.66) and Firefox (versions
14.0, 20.0 and 24.0) browsers on five virtual machines. The
reason for using different browser and versions is to show that
these attacks are browser agnostic. The source code of new
clickjacking attacks and EXTRACTOR module is available
on https://github.com/anil6983/clickjacking.
7.2 Experiment 1: evaluation of clickjacking features
In this experiment, we examine the symptoms of clickjack-
ing attacks by evaluating proposed prominent features in the
websites collected by our data set. The goal of this experi-
ment was to understand the impact or nature of clickjacking
attack in these categories. We use an EXTRACTOR (browser
extension) that we developed to gather values associated with
prominent features. EXTRACTOR takes a list of URLs, loads
each URL into a web browser and store feature values in
MYSQL database for analysis.
Table 9 illustrates the presence of relevant features or
attributes in the visited websites. We observe that framebust-
ing protects only 33% of Alexa top 20,000 web pages. Other
clickjacking protection techniques protect only 9.8% of web
pages. Thus, server-side security is low, and an attacker can
frame these pages to execute the clickjacking attack. We
found that 34.63% hidden clickable elements, 7.9% hid-
den iframes/frames, and 2.1% hidden DIVs elements were
present in the total visited pages including Alexa top 20,000.
These results show that the web pages from different web
domain categories are vulnerable to clickjacking attack.
7.3 Experiment 2: evaluation of advanced
clickjacking features
In this experiment, we examine the symptoms of advanced
clickjacking attacks (discussed in Sect. 3.1.1) by evaluat-
You click, I steal: analyzing and detecting click hijacking attacks in web pages

Table 9 Relevant features in visited web pages 100

Basic Features
Static Features
90 (S + D) Features
Page properties Reachable web(%) Alexa top(%) (S + D) Features + Heuristics
pages (48,920) (20,000) 80

X-frame protection 9.8 33 70

iframe usage 65 47.93 60

%
Hidden iframes 9.94 4.4 50
Overlapped elements 43.71 39.99
40
Movable elements 4.03 1.22
30
Nested DIVs 7.09 4.78
Hidden DIVs 2.5 1.76 20

Hidden textbox 3.49 0.61 10

Hidden cursor 0.02 1.62 0
True Positive False Positive
Pointer-event usage 7.09 2.05
z-index usage 9.01 6.71 Fig. 10 True positive and false positive metrics on applying basic, static
Hidden cross-domain links 18.39 12.73 + dynamic (S + D) features, static + dynamic (S + D) features +
heuristics on websites
Hidden clickable links 34.71 34.49

– Basic features These features consisted of hidden/-

Table 10 Newly identified advance (SVG-based) relevant features in transparent iframes and hidden/duplicate mouse pointer.
visited web pages These features can detect only basic clickjacking attacks.
Page properties using SVG Reachable web(%) Alexa top(%) – Proposed static features Sect. 3 discusses these features.
pages (48,920) (20,000) Here, we show how efficient are these features in detect-
SVG usage in wild 6 1 ing clickjacking attacks other than basic clickjacking.
Transparency using SVG 1.8 0.6
– Proposed static and dynamic features Sect. 3 dis-
cuss dynamic features. We combine static and dynamic
Link embedding using SVG 0.5 0
features to detect more advanced clickjacking attacks.
Pointer-event using SVG 0.8 0.2
Besides, combining both features reduces false positives.
Using script using SVG 0.3 0.7
– Combining static, dynamic features, and heuristics
We combine static and dynamic features with heuristics
to detect more advanced clickjacking attacks.
ing proposed prominent features in the websites. The goal
of this experiment is to understand the impact or nature of We tested these features for detecting clickjacking by visit-
novel clickjacking attack in these categories. We use the same ing 1000 websites that are tainted with clickjacking attack
method as of Experiment 1 to gather feature values and ana- and thousands of legitimate URLs from different cate-
lyze them for detecting clickjacking. gories. To test these three feature sets, we collected 1000
Table 10 illustrates the presence of novel features in the clickjacking websites from different sources. We combined
visited websites. The results show that 6% of entire visited different sources to obtain an initial list of URLs, such
websites use SVG-based images and filters, whereas only as, proof-of-concept examples published on the Internet;
1% of Alexa top 20,000 websites use this features. We also our implementation of different variants of web pages that
observe that the websites in both the categories use the alter- contained clickjacking attack; and few URLs from malware-
native method to hide web page elements. The alternative domains.com.
method includes the use of SVG-based method to embed We used a Firefox extension that we developed to gather
scripts, embed links in SVG images, etc. our results. Our extension takes a list of URLs from the data
set we prepared, loads each URL into a web browser pre-
installed as a browser extension. We customize the browser
7.4 Experiment 3: evaluation of clickjacking attack so that it can run our extension in the background, enabling
using proposed features automated grabbing of URLs from the list.
Figure 10 illustrates the detection results. In comparing
In this experiment, we evaluated how effective our adaptation basic features with our proposed static and dynamic features,
of clickjacking features was in detecting clickjacking attack we can see that basic clickjacking features are not able to
sites. Here, we assessed four different conditions: detect all clickjacking attacks types discussed in Sect. 3. The

123
 A. Saini et al.

Table 11 Impact of clickjacking attack for each dataset

Web pages Visited URLs (40,000) Alexa URLs (20,000) Malicious URLs (10,000) Phishing URLs (8000)

Reachable 35,192 20,000 9529 4199

Legitimate 33,114 19,468 6747 3177
Suspicious 2078 532 2782 989

100
percentage of true positives with basic features is low (90%). Suspicious URLs
Suspicious Alexa URLs
The percentage of false positives, in this case, is very high 90 Suspicious Malicious URLs
Suspicious Phishing URLs
(29.22%) because it labels a website as clickjacking by hid- 80
den elements or hidden mouse cursor that may be used in 70
legitimate websites also. On the other hand, if we use our
60
proposed static features, the true positives are 91%, and false

%
positives are 14%. The reason for high false positives with 50

static features is because these features do not monitor the 40

response to clicks. It only checks whether a web page con- 30
tains symptoms of clickjacking by feature values obtained
20
from website source code. The percentage true positive and
false positive when we use static features and dynamic fea- 10

tures is 92.22% and 7% respectively. Since dynamic features 0

analyzes the response of a click, the percentage of false pos-
itives on combining static and dynamic features is reduced
to 7%.
To further reduce the false positives, we developed a suite
of heuristics and ran another study to determine the best way
of combining these heuristics to reduce false positives while
not significantly impacting true positives. Section 5 describes
the heuristics. In comparing static + dynamic features to
static + dynamic features + heuristics, we can see that using
the heuristics with our proposed features can significantly
reduce the false positives percentage (from 7 to 0.28%).
Moreover, there is an improvement true positive percentage
(from 92.22 to 98.78%). This improvement in accuracy is due
to adding heuristics derived from clickjacking attack exam-
ples presented in published work as the proof-of-concept.
Thus, the static + dynamic features + heuristics seems to be
the best method for detecting clickjacking websites.
7.5 Experiment 4: evaluation of clickjacking impact
in web pages
In our efforts to understand how clickjacking attack impacts
various categories of websites, we conduct this experiment
in three phases.
– Phase-I In this phase, we first apply our detection model
to separate suspicious websites from legitimate working
(or reachable) websites. The legitimate websites do not
contain any symptoms of clickjacking attack, whereas
suspicious websites are further explored for clickjacking
warning and attack alerts. Table 11 illustrates, for each
Warning Alerts Attack Alerts
Fig. 11 Breakdown of the warning and attack percentage for Warning
and Attack alerts % for suspicious web pages
dataset category, the number of legitimate and suspicious
websites.
– Phase-II In this phase, we further explore suspicious
websites for clickjacking attacks. If a suspicious web-
site does not satisfy any heuristics, our detection model
generates a warning alert. In case, suspicious website
satisfies one of the heuristics, and our detection model
generates an attack alert. Figure 11 illustrates, for suspi-
cious URLs from all datasets, the percentage of warning
and attack alerts generated by our model. We found that
for suspicious URLs present in four datasets, our model
produces 90.86% of warning alerts. The reason for such
response is because the web pages designed for promot-
ing advertisement contain hidden iframes, which targets
social networking websites to promote their brands on
social networks. It proves that the web page developers
use hidden or transparent content to confuse or to steal
user clicks. Furthermore, we found that 9.1% of websites
are prone to clickjacking attacks. These websites include
both traditional, and advanced clickjacking attacks.
– Phase-III In this phase, we compute the number of false
positives produced by our detection model. We reported
the percentage of false positives for every dataset. Exper-
iment 4 shows, on applying heuristics, how our detection
model reduces the number of false positives. Table 12
illustrates, for each dataset category, the number of false
positives produces by our detection model. The results

123
You click, I steal: analyzing and detecting click hijacking attacks in web pages
Table 12 Illustration of False Positives (FP)
Metric Visited URLs (40,000) Alexa URLs (20,000)
FP (%) 0.29 0.19
indicate that our approach not only detects new advanced
clickjacking attacks but also results in negligible false
positives.
7.6 Performance overhead
To prove that our proposed model for detection clickjacking
attack is practical, we evaluate the performance of our proto-
type solution. We measure the latency for loading a web page,
with or without our prototype solution, averaging over ten
runs. Our testing machine is equipped with Intel i7 processor
with 4 GB of RAM. Without even putting additional effort
on code optimization, we find that our average processing
delay is only 50 ms in the worst case. We observe negligible
delay with our EXTRACTOR module since it extracts all the
relevant web page features in parallel when a web page is
loading. The actual delay is involved in detection unit, where
the web page features match with the signature database to
take the decision. In general, during the experiments, we
did not observe any measurable amount of overhead that is
noticeable by the user, or effect on the browsing experience.
We believe that the delay could be further reduced with opti-
mized code, but this is not our focus in this paper.
7.7 Discussion
Our study observes that even a legitimate looking web-
site would sometimes be responsible for compromising the
browser with the clickjacking attack. The interesting point in
this analysis is that even a single click on the malicious page
can cause a serious privacy breach. The victim is completely
unaware of the click thief sitting in their browsers and do
not know that their clicks are at risk of conducting unwanted
business. We find the evidence that this attack mostly targets
social networking, mailing websites, and sometimes unse-
cured bank transactions.
False positives Our results show that around 0.28% of the
alerts raised during our experiments are a false alarm. Our
solution generates the false alarms because few legitimate
web pages often use hidden iframes or DIV tags. In par-
ticular, most of the false alarms generated by pop-ups that
dynamically appear in response to specific events, or by
advertisement banners placed on top of a scrollable page.
In both cases, the content of the advertisement was visible
to the user, but it confuses our detection method (because
the banner can contain clickable elements, either overlapped
Malicious URLs (10,000) Phishing URLs (8000)
0.18 0.58
with other clickable elements or enclosed within nested DIV
tag).
Nevertheless, note that by combining the static and
dynamic features along with heuristics, significantly reduces
the number of false positives. For example, if some legiti-
mate web page contains hidden iframe it cannot be called a
clickjacking attack page. But, if the same page is having hid-
den elements wrapped into anchor <a> tag, and overlapped
with iframe, then it might result in a clickjacking attack.
False negatives To estimate the false negative reported by our
detection model, we analyze 1000 malicious pages dataset
build from various sources. In particular, we design a set mali-
cious websites on our own to mimic clickjacking attacks. We
develop websites containing attack payloads from a0 −a11
(discussed in Sects. 2 and 3). We also collect malicious web
pages that reported clickjacking attacks. We apply our detec-
tion model on malicious page dataset. After analysis, we
find that our detection model successfully detected click-
jacking attacks in all malicious web pages, and had nil false
negative. In our model, we examined the recent clickjack-
ing attacks [5,6] and found that recently published attacks
are detectable by our method. Over the years, the attackers
have adopted various ways to create clickjacking attacks, but
still, they follow the traditionally hidden iframes as a primary
attack vector.
8 Related work
Mozilla Firefox browser developers are the first to report
the misuse of transparent, or hidden iframes in their bug
report [39]. However, the term clickjacking was first intro-
duced by Hanssen and Grossman in 2008 [2]. The early
clickjacking attacks completely focused on unsafe iframe-
based web pages. Hansen has presented several attack vectors
and proof-of-concepts for clickjacking attack [2].
In [40], Barth et al. have explored the unsafe use of
iframes in the web page, analyzed the frame navigation poli-
cies, and advocated a stricter policy to prevent attacks. The
attackers are constantly looking for exceptions and vulner-
abilities in the browser. For instance, the browser bugs had
employed the unsafe frame communication to circumvent
the same-origin policy [41] checks with the aim of stealing
or modifying sensitive user information. The major research
focuses on detection and mitigation of iframe-based click-
jacking attacks. The clickjacking attack is not limited to the
use of invisible iframes, but can be run in a variety of different
123

ways. Apart from iframe-based attacks, we also discovered
some new attack classes and implemented attack signatures
from these categories.
In a recent work on clickjacking, the author discovered
two new clickjacking attacks and claimed the defensive
mechanism [5]. This work presented the proof-of-concept
for fake pointer attack and peripheral vision attacks. The
authors proposed the defensive mechanics called ChromePic,
which correctly captured the two newly discovered attacks.
ChromePic takes screenshots synchronously with user inputs
and analyze them for suspicious events. In addition to this,
ChromePic monitors the page DOM for cursor:none and hid-
den iframes for identifying the fake pointer. Our proposed
attacks are different from these attacks. They do not use any of
the traditional method of clickjacking attacks. We use SVG-
based filters to create the hidden or transparent effects, which
is difficult to capture by ChromePic. In [6],the author pre-
sented the traditional clickjacking attacks based on iframes,
hidden layers, fake cursors, etc., and suggested the defensive
techniques to circumvent the clickjacking Attacks.
Recently, the clickjacking attack has been moved toward
Android applications. The researchers have done significant
work on clickjacking attacks on Android apps. App-based
user-interface (UI) attacks pose an increasing threat to smart-
phone [42,43]. Clickjacking attack exploits a race condition
and uses a newly discovered IPC side-channel to app-based
user-interface (UI) attacks pose an increasing threat to smart-
phone users. The secure defense against UI deception is
discussed in [44]. The primary challenge is ensuring the
temporal integrity of the security indicator in a seamless and
correct way. In contrast to our attacks, the Android apps
use different APIs altogether to create clickjacking attacks
on Mobile platform, which is currently not detectable by
our approach. But, if we include Android app-based features
in our approach, we will be able to discover the clickjack-
ing attacks on Android platform as well. We will improve
our approach in future by making platform independent
approach.
8.1 Current defenses against clickjacking
There are several proposals for clickjacking defense and
countermeasures. The browser offers same-origin policy [41]
to tackle cross-domain communication between web pages.
But, it fails to stop any of the clickjacking attacks reported
in the literature. As a result, the author’s proposed anti-
clickjacking defense techniques (Zalewski [7] suggested
many of such ideas), and some are deployed by browsers
as follows.
– Web-key authentication The web-key authentication
scheme proposed in [45] uses unguessable secrets in
URLs instead of cookies for authentication. This approach
123
A. Saini et al.
can mitigate confused Social Engineering attacks such
as clickjacking and CSRF [21]. Unfortunately, this
approach degrades the user experience and the benefits
a web page get from cookies [46]. It also requires the
server-side modification to handle the new unguessable
secret. In contrast to this, our approach does not need
any server-side modification and it compatible with the
current web pages.
– User confirmation and UI randomization In [10], the
author, presented a client-side defense to prevent click-
jacking attack. In this, for every out-of-context click,
the system would generate a confirmation dialog for
end users. Facebook currently deploys this approach for
the “like” button, asking for confirmation whenever a
request comes from blacklisted domains. Unfortunately,
this approach degrades the user experience, especially
on single-click buttons. Another technique is to protect
a target element by randomizing the UI (GUI element)
layout of a legitimate web page. Thus, an attacker page
failed to create an exact overlap with the legitimate web
page.
– Detecting frame overlays The authors had proposed the
client-side solutions to detect frame overlays. One of
the solution in which a module is integrated in Noscript
Firefox extension [33]. The clear- Click module aims
for clickjacking protection by extending the browser’s
functionality to detect malicious clicks. ClearClick mon-
itors every click on the web page, which occurs during
user interaction on framed web sites of different origin.
Once a user attempts to click a link on a framed web-
site that appears to be the victim of obfuscation attempts
from its parent and cross-origin document, the interac-
tion is blocked. However, the researchers have proposed
the methods to circumvent the clearClick protection [47].
Balduzzi et al. [24] develop the ClickIDS Firefox exten-
sion. It compares the bitmap of the clicked object on a
given web page to the bitmap of that object rendered
in isolation (e.g., without transparency inherited from a
malicious parent element). It alerts users when the clicked
element overlaps with other clickable elements. Unfor-
tunately, ClickIDS cannot detect attacks based on partial
overlays or cropping. In contrast to these frame over-
lays solutions, our approach enables a robust handling
because our approach considers the complete or partial
overlapping of every web page element, which is gener-
ating a click event.
– Framebusting A more effective defense is framebusting
that avoids the unauthorized frames from being ren-
dered in iframes. Framebusting can be achieved by using
a small snippet of JavaScript code in the target ele-
ment, which first checks if the page that contains the
script is currently framed [26]. Other methods to deploy
framebusting are by using X-Frame-Options [26,48] and
You click, I steal: analyzing and detecting click hijacking attacks in web pages
CSP’s frame-ancestors [41]. In [49], the author pre-
sented complementary X-Frame-Options defense
technique. This technique differs from [26] techniques
by instead inferring programmer intentions (i.e., frame
busting code). It rather prevents the page from being
framed in the web page. The authors have also presented
the forensics techniques to check clickjacking attacks.
In [50], the author has presented a technique that regu-
larly creates checkpoints and records non-deterministic
factors in system-wide execution, such as packets from
remote sites, inputs from users, and hardware signals so
that the whole system can be replayed from a checkpoint.
A fundamental limitation of framebusting is its incompat-
ibility with target elements that are intended to be framed
by arbitrary third-party sites, such as Facebook “like”
buttons. Also, if JavaScript is blocked by means such
as Noscript, XSSfilter [18], then this framebusting code
does not work.
All the defense mechanisms are focused on clickjacking
attacks crafted using frame/iframes. However, an attacker
can craft more advanced attacks, such as SVG-based attacks,
event bubbling, (Cascading Style Sheets) CSS-based attacks.
In contrast to the approaches that examine the basic click-
jacking attacks in websites, the focus of our work is for the
detection of novel advanced types of clickjacking attacks. To
the best of our knowledge, this is the first work investigat-
ing these novel clickjacking attacks. Our study provides an
insight into the current prevalence of SVG-based clickjack-
ing attempts on the web pages.
9 Conclusions and future work
In this paper, we identify new variants of clickjacking attacks
using SVG-based filters and images. We demonstrate that
current clickjacking detection techniques fail to discover
these newly identified variants of clickjacking attacks. We
analyze to emphasize that there is a requirement for improved
detection within the browser to defend against emerging
threats originated from CSS, SVG, and iframes-based click-
jacking attacks.
On the basis of our experimental analysis, we proposed a
novel approach for the detection and analysis of clickjacking
attacks including advanced SVG-based attacks. The method
has been illustrated using the behavioral model in term of
Finite State Automaton (FSA) to analyze different behav-
iors (responses) concerning user clicks (requests) on the web
pages. We evaluate our proposed method with a sample set
of 78,000 web pages including both malicious and legiti-
mate web pages. The results of the evaluation illustrate that
our approach not only detects novel SVG-based clickjacking
attacks but also results in negligible false positives of 0.28%
and nil false negative. Finally, we show that current click-
jacking attack detection tools and techniques are not able to
provide a complete solution against newly identified variants
of clickjacking attacks. Also, our detection model provides
an improved solution against all types of clickjacking attacks.
Future work will extend the techniques to improve the
detection of other variants of clickjacking attacks. We plan
to implement a browser extension that can use the character-
ization learned by our approach to block clickjacking attacks
in real-time proactively. Also, we explore the clickjacking
features in Android apps and make our approach to detect
clickjacking in Android apps.
Acknowledgements Mauro Conti is supported by a Marie Curie Fel-
lowship funded by the European Commission under the agreement n.
PCIG11-GA-2012-321980. This work has been partially supported by
the TENACE PRIN Project funded by the Italian MIUR (20103P34XC),
and by the Project “Tackling Mobile Malware with Innovative Machine
Learning Techniques” funded by the University of Padua.
References
1. Grossman, J.: Clickjacking-owasp appsec talk (2008). http://blog.
jeremiahgrossman.com/2008/09/cancelled-clickjackingowasp-
appsec.html. Accessed 12 Mar 2016
2. Hansen, R., Grossman, J.: Clickjacking (2008)
3. Niemietz, M.: Ui redressing: attacks and countermeasures revis-
ited. In: CONFidence, 2011 (2011)
4. Stone, P.: Next generation clickjacking. media. blackhat. com/bh-
eu-10/presentations. In: Stone/BlackHat-EU-2010-Stone-Next-
Generation-Clickjacking-slides.pdf 3 (2010)
5. Vadrevu, P., Liu, J., Li, B., Rahbarinia, B., Lee, K.H., Perdisci, R.:
Enabling reconstruction of attacks on users via efficient browsing
snapshots (2017)
6. Selim, H., Tayeb, S., Kim, Y., Zhan, J., Pirouz, M.: Vulnerability
analysis of iframe attacks on websites. In: Proceedings of the The
3rd Multidisciplinary International Social Networks Conference
on SocialInformatics 2016, Data Science 2016, p. 45. ACM (2016)
7. Zalewski, M.: Dealing with ui redress vulnerabilities inher-
ent to the current web (2009). http://lists.whatwg.org/pipermail/
whatwgwhatwg.org/2008-September/016284.html. Accessed 6
Aug 2014
8. Zalewski, M.: Strokejacking (2010). http://seclists.org/
fulldisclosure/2010/Mar/232. Accessed 11 Nov 2014
9. Bordi, E.: Proof of concept-cursorjacking (2010)
10. Huang, L.-S., Moshchuk, A., Wang, H.J., Schecter, S., Jackson, C.:
Clickjacking: Attacks and Defenses. In: USENIX Security Sym-
posium, pp. 413–428 (2012)
11. Vasile C., HTML5 Introduction-What is HTML5 Capable of, Fea-
tures, and Resources.In: MJ Burns, Producer, & 1stWebDesigner
Ltd) Retrieved May 28 (2012): 2013
12. Lynch, P., Horton, S.: Yale C/Aim Web Style Guide. Yale Center
for Advanced Instructional Media, Yale (1997)
13. Ferraiolo, J., Jun, F., Jackson, D.: Scalable Vector Graphics (SVG)
10 Specification. iUniverse, Bloomington (2000)
14. Eisenberg, J.D.: SVG Essentials: Producing Scalable Vector
Graphics with XML. O’Reilly Media Inc., Newton (2002)
15. Watt, A.: SVG Unleashed. Pearson Education, London (2002)
16. Ayars, J., Bulterman, D., Cohen, A., Day, K., Hodge, E., Hoschka,
P., Hyche, E., Jourdan, M., Kim, M., Kubota, K., et al.: Synchro-
123

nized multimedia integration language (smil 2.0). World Wide Web
Consort. Recomm. 7, 514 (2001)
17. Mozilla Developer Network. Gecko (2011)
18. XSS Filter Evasion Cheat Sheet: Retrieved June 20, 2013 from The
Open Web Application Security Project. https://www.owasp.org/
index.php (2013)
19. Johari, R., Sharma, P.: A survey on web application vulnerabilities
(sqlia, xss) exploitation and security engine for sql injection. In:
2012 International Conference on Communication Systems and
Network Technologies (CSNT), pp. 453–458. IEEE (2012)
20. Lerner, B.S., Carroll, M.J., Kimmel, D.P., La Vallee, H.Q.-D.,
Krishnamurthi, S.: Modeling and reasoning about dom events. In:
Proceedings of the 3rd USENIX Conference on Web Application
Development, pp. 1–1. USENIX Association (2012)
21. Blatz, J.: Csrf: Attack and Defense. McAfee® Foundstone® Pro-
fessional Services, White Paper (2007)
22. Kim, S.H., Lee, S.H., Jin, S.H.: Active phishing attack and its coun-
termeasures. Electron. Telecommun. Trends 28(3), 9–18 (2013)
23. Kaplan, R.M., Martin, K., John, M. Finite state machine data
storage where data transition is accomplished without the use of
pointers. U.S. Patent 5,450,598 (1995)
24. Balduzzi, M., Egele, M., Kirda, E., Balzarotti, D., Kruegel, C.: A
solution for the automated detection of clickjacking attacks. In:
Proceedings of the 5th ACM Symposium on Information, Com-
puter and Communications Security, pp. 135–144. ACM (2010)
25. Lekies, S., Heiderich, M., Appelt, D., Holz, T., Johns, M.: On the
fragility and limitations of current browser-provided clickjacking
protection schemes. In: WOOT, pp. 53–63 (2012)
26. Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting frame
busting: a study of clickjacking vulnerabilities at popular sites.
IEEE Oakl. Web 2, 6 (2010)
27. Nepomnyashy, M.: Protecting Applications Against Clickjacking
with F5 LTM. SANS Institute InfoSec Reading Room (2013)
28. Shahriar, H., Devendran, V.K., Haddad, H.: Proclick: a framework
for testing clickjacking attacks in web applications. In: Proceedings
of the 6th International Conference on Security of Information and
Networks, pp. 144–151. ACM (2013)
29. Aharonovsky, G.: Malicious camera spying using clickjacking
(2008)
30. Shamsi, J.A., Hameed, S., Rahman, W., Zuberi, F., Altaf, K.,
Amjad, A.: Clicksafe: providing security against clickjacking
attacks. In: 2014 IEEE 15th International Symposium on High-
Assurance Systems Engineering (HASE), pp. 206–210. IEEE
(2014)
31. Clickjacking defense cheatsheet: https://www.owasp.org/index.
php/Clickjacking_Defense_Cheat_Sheet. Accessed 15 Oct 2017
32. Aboukhadijeh, F.: How to: spy on the webcams of your website
visitors (2011)
33. Maone, G. NoScript Firefox Extension. [software] (2006)
34. Marini, J.: Document Object Model. McGraw-Hill Inc., New York
(2002)
123
A. Saini et al.
35. Bibeault, B., Kats, Y.: jQuery in Action. Dreamtech Press, New
Delhi (2008)
36. Alexa internet, inc. alexa - top sites by category: (2014). http://
www.alexa.com/topsites/category/Top/. Accessed 24 Dec 2014
37. Malware domain list: (2014). http://www.malwaredomainlist.
com/. Accessed 24 Dec 2014
38. Phishtank domain list: (2014). http://www.phishtank.com/.
Accessed 24 Dec 2014
39. Mozilla foundation: (2013). https://bugzilla.mozilla.org/show_
bug.cgi?id=154957. Accessed 24 Dec 2014
40. Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communica-
tion in browsers. Commun. ACM 52(6), 83–91 (2009)
41. Zalewski, M.: Browser security handbook. Google Code (2010)
42. Chebyshev, V., Unuchek, R.: Mobile malware evolution: 2013.
Kaspersky Lab ZAOs SecureList 24, 15347 (2014)
43. Unuchek, R.: Svpeng android malware targets google play
with fake credit card window. http://securelist.com/blog/incidents/
63746/latestversion-of-svpengtargets-users-in-us/. Accessed Nov
2017
44. Fernandes, E., Chen, Q.A., Paupore, J., Essl, G., Halderman, J.A.,
Mao, Z.M., Prakash, A.: Android ui deception revisited: Attacks
and defenses. In: International Conference on Financial Cryptog-
raphy and Data Security, pp. 41–59. Springer (2016)
45. Close, T.: Web-key: mashing with permission. In: Proceedings of
Web, vol. 2. Citeseer (2008)
46. Kristol, D.M.: Http cookies: standards, privacy, and politics. ACM
Trans. Internet Technol. (TOIT) 1(2), 151–198 (2001)
47. Kotowicz, K.: Cursorjacking again (2012). http://blog.kotowicz.
net/2012/01/cursorjacking-again.html. Accessed 6 Sept 2014
48. Ross, D., Gondrom, T.: Http header field x-frame-options (2013)
49. Tang, S., Dautenhahn, N., King, S.T.: Fortifying web-based appli-
cations automatically. In: Proceedings of the 18th ACM Conference
on Computer and Communications Security, pp. 615–626. ACM
(2011)
50. Chandra, R., Kim, T., Shah, M., Narula, N., Zeldovich, N.: Intrusion
recovery for database-backed web applications. In: Proceedings of
the Twenty-Third ACM Symposium on Operating Systems Princi-
ples, pp. 101–114. ACM (2011)
Publisher’s Note Springer Nature remains neutral with regard to juris-
dictional claims in published maps and institutional affiliations.