Clickjacking is best described as which of the following?

• A. A form of social engineering that manipulates how a user interacts with a page
• B. A vulnerability that allows SQL injection
• C. An attack that tricks a user into clicking on a webpage element which is invisible or disguised as another element
• D. A method to bypass two-factor authentication

Answer: (C)

Clickjacking hinges on deceiving how a user interacts with a page by layering hidden or disguised elements over legitimate controls. In this attack, the attacker places an invisible or visually altered element (often via an overlay or an iframe) so that when the user thinks they’re clicking a harmless button or link, they are actually clicking a different, hidden element that performs an action on a target site. The user’s intent is hijacked because the visible UI makes them believe they’re interacting with one thing, while the background element carries out something else. This description fits precisely because the essence is manipulating where a click ends up by masking or overlaying UI elements. It’s not about injecting SQL or bypassing two-factor authentication, and while social engineering can accompany web exploits, the defining mechanism here is the overlay/hidden element trick that redirects user input. To defend, sites can use headers and policies to prevent framing (like frame-ancestors) and implement re-authentication or additional confirmations for sensitive actions to ensure user intent is clear.