Clickjacking

Theory

Lots of websites allow browsers to render them inside a <frame>, <iframe>, <embed> or <object> element. This lets an attacker "load" the website in a transparent layer on top of a page they control and trick users into thinking they are browsing the legitimate website, so that their clicks are "hijacked" and made to do something else (Twitter worm, Facebook likes).
HTTP security headers like XFO (X-Frame-Options) and CSP (Content-Security-Policy) mitigate clickjacking attacks.

Practice

[Figure: vulnerable (left) | not vulnerable (right)]
The following HTML code can be used in a browser to attempt a clickjacking (framing) test on a target URL.
clickjacking.html
<!DOCTYPE html>
<html>
<head>
<title>Clickjacking / framing test</title>
</head>
<body>
<h1>Test a page for clickjacking/framing vulnerability</h1>
<p>Enter the URL to frame:</p>
<!-- input is a void element and takes no closing tag -->
<input id="url" type="text" value="http://TARGET.com">
<!-- point the iframe at the entered URL: a framable page renders below, a protected one stays blank or shows a browser error -->
<button id="submit-test" onclick='document.getElementById("iframe").src=document.getElementById("url").value'>Test it!</button>
<br />
<br />
<hr>
<br />
<iframe src="about:blank" id="iframe" width="100%" height="75%"></iframe>
</body>
</html>
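The browser test above shows the effect of the headers mentioned in the Theory section; the following added example (not part of the original page) checks the headers themselves, so a response can be classified without rendering it. The sample header sets are constructed; the verdict names and the function names are assumptions of this example.

```python
"""Classify HTTP response headers by the clickjacking protection they provide."""


def parse_frame_ancestors(csp: str):
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def assess_framing_protection(headers: dict) -> dict:
    """Return {'verdict': 'protected' | 'restricted' | 'framable', 'reason': ...}.

    Header names are matched case-insensitively. Browsers that support CSP
    frame-ancestors ignore X-Frame-Options when both are present, so the CSP
    directive is evaluated first.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in (["none"], ["self"]):
            return {"verdict": "protected", "reason": f"CSP frame-ancestors '{ancestors[0]}'"}
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return {"verdict": "framable", "reason": f"permissive frame-ancestors {ancestors}"}
        return {"verdict": "restricted", "reason": f"frame-ancestors limited to {ancestors}"}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"verdict": "protected", "reason": f"X-Frame-Options {xfo}"}
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: modern browsers ignore the header, leaving the page framable.
        return {"verdict": "framable", "reason": "X-Frame-Options ALLOW-FROM is obsolete and ignored"}
    if xfo:
        # Any other value is invalid and treated by browsers as if the header were absent.
        return {"verdict": "framable", "reason": f"invalid X-Frame-Options value {xfo!r}"}
    return {"verdict": "framable", "reason": "no X-Frame-Options and no CSP frame-ancestors"}


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "no headers": {},
        "xfo deny": {"X-Frame-Options": "DENY"},
        "csp none beats allow-from": {"X-Frame-Options": "ALLOW-FROM https://x.example",
                                      "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "csp wildcard": {"content-security-policy": "frame-ancestors *"},
    }
    for name, hdrs in samples.items():
        print(f"{name:28} -> {assess_framing_protection(hdrs)}")
```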

Resources

Clickjacking | OWASP Foundation