Clickjacking
Last updated
Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element. This can cause users to unwittingly download malware, visit malicious web pages, provide credentials or sensitive information, transfer money, or purchase products online.
The X-Frame-Options and Content Security Policy (CSP) headers are used to prevent this type of attack. Identify them in .
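As an added example (not code from the original page), the following Python helper classifies a response's anti-framing headers the way a browser would apply them: a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`, the obsolete `ALLOW-FROM` form is treated as no protection, and a `Content-Security-Policy-Report-Only` header is ignored because it reports rather than blocks. The header sets in `SAMPLES` are constructed for illustration and are not from any real site.

```python
"""Classify the anti-framing policy expressed by a set of HTTP response headers.

Added example for the clickjacking notes above; the sample header sets are
constructed, not captured from a real server.
"""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    Keyword sources ('none', 'self') are case-insensitive in CSP, so tokens are
    lowercased; the surrounding quotes are kept so keywords stay distinct from hosts.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify headers as one of:

      "blocked"      framing denied everywhere ('none', empty source list, or DENY)
      "same-origin"  only same-origin pages may frame ('self' or SAMEORIGIN)
      "restricted"   framing limited to an explicit allow-list of origins
      "unprotected"  no effective anti-framing header present
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    # The Report-Only variant is deliberately not consulted: it never blocks.
    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            if not ancestors or ancestors == ["'none'"]:
                return "blocked"  # an empty source list matches nothing
            if all(a == "'self'" for a in ancestors):
                return "same-origin"
            return "restricted"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it offers no
    # protection; any other unrecognised value is likewise ignored by browsers.
    return "unprotected"


# Constructed sample responses (hypothetical hosts) covering the common cases.
SAMPLES: Dict[str, Dict[str, str]] = {
    "hardened": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "legacy_only": {"X-Frame-Options": "SAMEORIGIN"},
    "partner_allowlist": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
    },
    "unprotected": {"Content-Type": "text/html"},
    "report_only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "obsolete_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(samples: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its framing policy classification."""
    return {name: framing_policy(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:22s} {verdict}")
```

Any response that comes back `unprotected` is a candidate for the clickjacking test described below; `restricted` means framing is possible only from the listed origins, so the allow-list itself is what needs reviewing.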
If you have identified an XSS attack that requires a user to click on some element to trigger the XSS and the page is vulnerable to clickjacking, you could abuse it to trick the user into clicking the button/link.
Test all the clickable parameters of the target website to determine if clickjacking is possible.
To set up the tool:
Intercept > Open browser
Burp menu > Burp Clickbandit
Copy Clickbandit to clipboard
Open the Burp browser, visit the victim site, then open the developer tools.
Paste the Clickbandit script into the developer console and press Enter.
Now, to run the attack:
Click Start
Click around the site, mimicking the actions that a victim user might perform.
Click Finish
To avoid frame busters, select Sandbox iframe. This adds the sandbox attribute to the iframe.