This short chapter explores clickjacking and wraps up the book. The term clickjacking is a blend of the words click and hijacking. Clickjacking is initiated by luring the victim to a malicious web page. The victim is then baited into clicking a harmless-looking link or button. The click event is hijacked by the attacker and propagated to a different UI control belonging to another site. The victim may think they are about to win an iPhone, but they are actually sending a request to another site they previously logged in to. The state change caused by this unintentional request is the attacker’s motive.
Suppose Charlie has just finished charlie.mil, a top-secret website for high-ranking military officials. This site serves the web page in listing 18.1, launch-missile.html. As the name indicates, this page enables military officials to launch missiles. Charlie has taken all of the necessary precautions to ensure that only authorized personnel can access and use this form.