hereI've just added a nice ClickJacking example.
The page seems to be a normal HTML page, no Javascript and Flash scripts are embedded, even a smart user may think that everything is legal but an attacker can still steal clicks doing whatever he wants. In other words the attacker tricks the user to clink in something she cannot see by clicking in something she can see. This fraud is possible through three easy steps which every web developer should know. The first one is to load the malicious page on background through an ”iframe” where he sets properly the CSS opacity value at 0. This makes the iframe content invisible. The next step is to create an artificial web page which fits perfectly with the underground one. If the created page doesn’t fit properly on the backgrounded one, the mouse cursor might change going out to the iframe, alerting the user that something wrong is happening. As last step the attacker makes an HTML element that wants to get clicks, putting it on the hidden link and setting the CSS z-index property to be behind the invisible iframe.
(http://deisnet.deis.unibo.it/CJK/)
