Clickjacking

Clickjacking is an attack that tricks a user into clicking a webpage element that is invisible or disguised as another element. Typically the attacker loads the target page in a transparent iframe stacked over a decoy page, so the victim's click lands on a real button in the target. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.

https://swisskyrepo.github.io/PayloadsAllTheThings/Clickjacking/

X-Frame-Options and the Content Security Policy (CSP) frame-ancestors directive are the response headers that prevent this type of attack; check for them during fingerprinting. X-Frame-Options DENY or SAMEORIGIN blocks cross-site framing, while the deprecated ALLOW-FROM value is ignored by modern browsers and therefore offers no protection. When both headers are present, browsers that support frame-ancestors honour the CSP and ignore X-Frame-Options. Also look at the session cookies: a cookie marked SameSite=Lax or SameSite=Strict is not sent to a cross-site iframe, so the framed page loads unauthenticated and most clickjacking attacks fail even when framing is allowed.
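The header check described above, as an added example (Node.js, not code from the original page): given a response's headers, the attacker origin and the target origin, decide whether a browser would allow the framing. The header sets at the bottom are constructed samples, and the CSP source matching is a simplified version of the real algorithm (scheme, host with a leading `*.`, and explicit port only).

```javascript
// Added example: evaluate X-Frame-Options and CSP frame-ancestors for a given framer.
// Not part of the original page; header samples are constructed for illustration.

// Does one CSP source expression allow attackerOrigin to frame targetOrigin?
// Simplified matching: handles 'none', 'self', *, scheme-source (https:) and
// host-source ([scheme://]host[:port]) with a leading *. wildcard.
function sourceMatches(src, attackerOrigin, targetOrigin) {
  const attacker = new URL(attackerOrigin);
  const target = new URL(targetOrigin);
  src = src.trim();
  if (src === "'none'") return false;
  if (src === "'self'") return attacker.origin === target.origin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return attacker.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== attacker.protocol) return false;
  const aHost = attacker.hostname.toLowerCase();
  const h = host.toLowerCase();
  if (h.startsWith('*.')) {
    // *.bank.example matches app.bank.example but not bank.example itself.
    if (!aHost.endsWith(h.slice(1))) return false;
  } else if (aHost !== h) {
    return false;
  }
  const aPort = attacker.port || (attacker.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== aPort) return false;
  return true;
}

// headers: object of header name -> string or array of strings (repeated headers).
function assessFraming(headers, attackerOrigin, targetOrigin) {
  const get = (name) => {
    const k = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return k === undefined ? [] : [].concat(headers[k]);
  };

  // Collect every frame-ancestors directive; with several policies, each must allow the framer.
  const ancestorLists = [];
  for (const policy of get('content-security-policy')) {
    for (const directive of policy.split(';')) {
      const [name, ...values] = directive.trim().split(/\s+/);
      if (name && name.toLowerCase() === 'frame-ancestors') ancestorLists.push(values);
    }
  }
  if (ancestorLists.length) {
    // frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
    // An empty source list is equivalent to 'none'.
    const allowed = ancestorLists.every((vals) =>
      vals.some((src) => sourceMatches(src, attackerOrigin, targetOrigin)));
    return { frameable: allowed, reason: `CSP frame-ancestors ${allowed ? 'permits' : 'blocks'} ${attackerOrigin}` };
  }

  const xfo = get('x-frame-options');
  if (xfo.length) {
    const value = xfo[0].trim().toUpperCase();
    if (value === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
    if (value === 'SAMEORIGIN') {
      const same = new URL(attackerOrigin).origin === new URL(targetOrigin).origin;
      return { frameable: same, reason: 'X-Frame-Options: SAMEORIGIN' };
    }
    // ALLOW-FROM and any other token are invalid for modern browsers, which then ignore the header.
    return { frameable: true, reason: `X-Frame-Options "${xfo[0].trim()}" is not honoured by modern browsers` };
  }
  return { frameable: true, reason: 'no framing protection header present' };
}

// Constructed header samples (not captured from a real site).
const SAMPLES = {
  none: {},
  deny: { 'X-Frame-Options': 'DENY' },
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspNone: { 'Content-Security-Policy': "frame-ancestors 'none'" },
  cspWins: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.bank.example",
  },
};

// Returns { sampleName: frameable } for one attacker/target pair.
function assessAll(attackerOrigin, targetOrigin = 'https://bank.example') {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    const r = assessFraming(headers, attackerOrigin, targetOrigin);
    out[name] = r.frameable;
    console.log(`${name.padEnd(11)} from ${attackerOrigin}: ${r.frameable ? 'FRAMEABLE' : 'blocked'} (${r.reason})`);
  }
  return out;
}

assessAll('https://evil.example');
assessAll('https://app.bank.example');
```

Run it with `node` and compare against what you see in Burp: a page that reports `FRAMEABLE` here but whose session cookie is SameSite=Lax still needs a manual check in the browser, because the framed page will load logged out.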

- XSS + Clickjacking

If you have found an XSS that only triggers when the user clicks some element, and the page is vulnerable to clickjacking, you can combine the two: frame the page and trick the user into clicking the button/link that fires the XSS.

- Burp Clickbandit

Burp Clickbandit generates a clickjacking proof of concept from clicks you record in the browser. Use it to test the clickable elements of the target website and determine whether clickjacking is possible.

To set up the tool:

  • Proxy > Intercept > Open browser

  • Burp menu > Burp Clickbandit

  • Copy Clickbandit to clipboard

  • In Burp's browser, visit the victim site, then open the developer tools

  • Paste the Clickbandit script into the developer console and press Enter.

Now, to run the attack:

  • Click Start

  • Click around the site, mimicking the actions that a victim user might perform.

  • Click Finish

To defeat frame busters, select Sandbox iframe. This adds the sandbox attribute to the iframe; without the allow-top-navigation token the framed page's scripts cannot redirect the top window, so the classic `if (top !== self) top.location = self.location;` check fails silently. Sandboxing also restricts the framed page (for example it runs as a unique origin unless allow-same-origin is set), which can break the target's functionality, so confirm that the page still behaves as expected inside the frame.
