Clickjacking vulnerabilities in websites: evolution, detection and analysis through a browser extension tool
Gamage, Nethmi (2025)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2025121837821
Abstract
Clickjacking, also known as User Interface (UI) redressing, is a web security vulnerability in
which users are tricked into interacting with hidden interface elements, leading to unintended
actions. Although modern browsers have developed mechanisms to control framing
behaviour, websites remain exposed due to absent or incorrectly configured protections. The
objective of this thesis was to investigate the current state of clickjacking defences and to
develop a practical tool capable of automatically detecting the presence and strength of
framing protection on websites.
The study is based on the cybersecurity standards and browser policy models that are
outlined by OWASP and the World Wide Web Consortium (W3C). It combines a literature
review of existing anti-framing techniques with the implementation of a browser-based
detection tool. The extension analyses HTTP response headers, identifies framing-control
directives, and classifies protection levels. Its functionality was evaluated through functional
testing and an empirical analysis of the Tranco Top 100 websites (October 2025) to observe
real-world deployment practices.
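The header analysis described above, written here as an added example rather than the thesis's own extension code: it takes the `{name, value}` response-header pairs that an extension's `webRequest.onHeadersReceived` listener receives, looks for CSP `frame-ancestors` and `X-Frame-Options`, and assigns a protection level. The level names ("none", "weak", "moderate", "strong") and the sample headers are this example's own assumptions, not the thesis's scheme or data.

```javascript
// Added example (not the thesis's extension code): classify framing protection
// from HTTP response headers as delivered to a browser extension's
// webRequest.onHeadersReceived listener ({name, value} pairs). The level
// names "none", "weak", "moderate" and "strong" are this example's own
// assumption, not the thesis's classification scheme.

// Collect every value of a header (case-insensitive); a server may send the
// same header on several lines and browsers combine them.
function headerValues(headers, name) {
  const wanted = name.toLowerCase();
  return headers.filter(h => h.name.toLowerCase() === wanted).map(h => h.value);
}

// Return the frame-ancestors source list of a CSP string, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase());
    }
  }
  return null;
}

function classifyFramingProtection(headers) {
  // CSP frame-ancestors takes precedence over X-Frame-Options in browsers that
  // support it, so it is checked first. Content-Security-Policy-Report-Only is
  // deliberately not consulted: it reports, it does not block framing.
  for (const csp of headerValues(headers, 'content-security-policy')) {
    const sources = frameAncestors(csp);
    if (sources === null) continue;
    if (sources.includes("'none'")) return { level: 'strong', reason: "frame-ancestors 'none'" };
    if (sources.includes('*') || sources.includes('http:') || sources.includes('https:')) {
      return { level: 'weak', reason: 'frame-ancestors permits any origin: ' + sources.join(' ') };
    }
    return { level: 'moderate', reason: 'frame-ancestors allowlist: ' + sources.join(' ') };
  }
  const xfo = headerValues(headers, 'x-frame-options');
  if (xfo.length > 1) return { level: 'weak', reason: 'multiple X-Frame-Options values; treated as misconfiguration' };
  if (xfo.length === 1) {
    const value = xfo[0].trim().toUpperCase();
    if (value === 'DENY') return { level: 'strong', reason: 'X-Frame-Options: DENY' };
    if (value === 'SAMEORIGIN') return { level: 'moderate', reason: 'X-Frame-Options: SAMEORIGIN' };
    if (value.startsWith('ALLOW-FROM')) return { level: 'weak', reason: 'ALLOW-FROM is obsolete and ignored by modern browsers' };
    return { level: 'weak', reason: 'unrecognised X-Frame-Options value: ' + xfo[0] };
  }
  return { level: 'none', reason: 'no framing-control header present' };
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = [
  { name: 'Content-Security-Policy', value: "default-src 'self'; frame-ancestors 'none'" },
  { name: 'X-Frame-Options', value: 'SAMEORIGIN' },
];
console.log(classifyFramingProtection(SAMPLE_HEADERS)); // level: 'strong' (CSP wins over XFO)
```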
The findings show that although framing control of some kind is widely deployed among
high-ranking websites, there remains a considerable gap in effectiveness. The developed
tool was effective at identifying these gaps and significantly reduced the time required for
manual inspection. The results are useful to the commissioning organization since they offer
the organization a lightweight and automated way to assist in their vulnerability assessment
process and to gain an understanding of current trends that can be used to inform future
research and security enhancements.
