Clickjacking is best described as which of the following?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

Clickjacking is best described as which of the following?

Explanation:
Clickjacking hinges on deceiving the user about what they are interacting with, by layering hidden or disguised elements over legitimate controls. The attacker places an invisible or visually altered element (often via an overlay or an iframe) so that when the user thinks they’re clicking a harmless button or link, they are actually clicking a different, hidden element that performs an action on a target site. The user’s intent is hijacked because the visible UI makes them believe they’re interacting with one thing, while the hidden element carries out something else.

This description fits because the essence of the attack is manipulating where a click ends up by masking or overlaying UI elements. It’s not about injecting SQL or bypassing two-factor authentication, and while social engineering can accompany web exploits, the defining mechanism here is the overlay or hidden-element trick that redirects user input.

To defend, sites can use headers and policies that prevent framing (such as frame-ancestors) and require re-authentication or additional confirmation for sensitive actions so that user intent is clear.

