
Clickjacking Attack and Prevention


This type of attack requires the attacker to use JavaScript. The attacker tricks a user into performing an undesired action by clicking on a concealed link: the attacker loads another page over the visible one in a transparent layer.

Alternatively, the attacker hijacks the click event on their own page and routes it to another page.

<html>
  <head>
    <title>click</title>
  </head>
  <body>
    <p>website vulnerable clickjacking</p>
    <!-- "url" is a placeholder for the address of the page being framed -->
    <iframe src="url" width="500" height="500"></iframe>
  </body>
</html>


Defend:

Use the ClearClick feature of NoScript. You can use the relaxed setting, but make sure ClearClick stays enabled. This prevents clickjacking attacks.

Server-side: Send the proper Content Security Policy (CSP) frame-ancestors directive in the response headers.

The two most popular are X-Frame-Options: DENY and X-Frame-Options: SAMEORIGIN.

Client-side: The most commonly used frame-busting code consists of a "conditional statement" and a "counter-action" statement. The aim of this technique is to prevent a site from functioning when it is loaded inside a frame.
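As an added example (not code from the original post), the check below decides whether a given response's X-Frame-Options and CSP frame-ancestors headers would let a page on one origin be embedded by a page on another, following the browser rule that frame-ancestors takes precedence over X-Frame-Options. The header values and origins used at the bottom are constructed for illustration.

```javascript
// Added example (not code from the original post): decide whether a response's
// anti-framing headers let a page on `pageOrigin` be embedded by `framerOrigin`.
// Browser precedence: a CSP frame-ancestors directive wins and X-Frame-Options is
// then ignored; otherwise X-Frame-Options applies; with neither, the page is frameable.
function parseFrameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens[0] && tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null; // no frame-ancestors directive: fall back to X-Frame-Options
}

// Match one frame-ancestors source ('self', 'none', scheme:, [scheme://]host[:port]
// with an optional *. wildcard) against the framer's origin.
function sourceMatches(src, pageOrigin, framerOrigin) {
  const s = src.toLowerCase(), page = new URL(pageOrigin), framer = new URL(framerOrigin);
  if (s === "'none'") return false;
  if (s === "'self'") return page.origin === framer.origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false; // unparseable source expression never matches
  const [, scheme, host, port] = m;
  // Explicit scheme must match; without one, the page's scheme (or https for an http page) is implied.
  const schemeOk = scheme ? `${scheme}:` === framer.protocol
    : framer.protocol === page.protocol || (page.protocol === "http:" && framer.protocol === "https:");
  const hostOk = host === "*" || host === framer.hostname ||
    (host.startsWith("*.") && framer.hostname.endsWith(host.slice(1)));
  const framerPort = framer.port || (framer.protocol === "https:" ? "443" : "80");
  const portOk = port === "*" || (port ? port === framerPort : framer.port === "");
  return schemeOk && hostOk && portOk;
}

function framingAllowed(headers, pageOrigin, framerOrigin) {
  const get = (name) => headers[Object.keys(headers).find((k) => k.toLowerCase() === name)];
  const ancestors = parseFrameAncestors(get("content-security-policy"));
  if (ancestors) return ancestors.some((s) => sourceMatches(s, pageOrigin, framerOrigin));
  const xfo = (get("x-frame-options") || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return new URL(pageOrigin).origin === new URL(framerOrigin).origin;
  return true; // header missing or unrecognised: browsers will frame the page
}

// Constructed sample: CSP allows the site itself and https partner subdomains.
const sampleHeaders = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  "X-Frame-Options": "DENY", // ignored because frame-ancestors is present
};
console.log(framingAllowed(sampleHeaders, "https://bank.example", "https://app.partner.example")); // true
console.log(framingAllowed(sampleHeaders, "https://bank.example", "https://evil.example")); // false
```

Running it over headers captured from your own site shows at a glance which origins can still frame each page.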

