Clickjacking

What is it?

Clickjacking (also known as a "UI redress attack") involves tricking a user into clicking something different from what the user perceives, potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. This is achieved by manipulating the visibility and position of page elements.

A simple example

A malicious website embeds a transparent iframe of a legitimate website where a valuable action resides (like a "delete all" button). The attacker overlays the iframe with seemingly harmless UI - for example, a button that says "Click here to win a prize!". When a user clicks on this button, they unknowingly perform the action on the legitimate website.

Clickjacking can lead to:

  • Unwanted actions performed by the user

  • Disclosure of sensitive information

  • Potential Remote Code Execution (RCE) if combined with other vulnerabilities

Other learning resources:

  • OWASP: https://owasp.org/www-community/attacks/Clickjacking

  • PortSwigger: https://portswigger.net/web-security/clickjacking

Checklist

<!-- Embed the target page in a near-transparent iframe, offset so the action to be hijacked lines up with the decoy -->
<iframe src="http://target-site.com" style="opacity:0.1; position:relative; top:50px; left:50px;"></iframe>

<!-- Overlay the decoy UI so that it sits on top of the target's control -->
<button style="position:relative; top:-50px; left:-50px;">Click me</button>
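The PoC above only confirms the problem once the page has already loaded inside a frame. The defence is the response headers, so a practitioner also wants a quick check of whether `X-Frame-Options` or a CSP `frame-ancestors` directive actually stops an unrelated origin from framing the page. The following is an added example, not code from the AppSecExplained page: it evaluates a response's anti-framing headers and reports whether a given origin may embed the page, including the case where CSP `frame-ancestors` overrides `X-Frame-Options`. The function names (`isFrameableBy`, `reportFraming`), the constructed sample responses and the simplified CSP source matcher (ports and paths are not modelled) are assumptions of this example.

```javascript
// Added example, not code from the AppSecExplained page: evaluate a response's
// anti-framing headers to decide whether a page at `pageUrl` may be embedded in
// an iframe by `framerOrigin`. Assumes headers are a plain object of header
// name -> value (any key case). Constructed sample responses are at the bottom.

// Case-insensitive header lookup.
function getHeader(headers, name) {
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) return v;
  }
  return undefined;
}

// "https://app.example.com/path?x=1" -> "https://app.example.com"
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Extract the frame-ancestors source list from a CSP header value.
// Returns an array of source expressions, or null if the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Simplified CSP source matching for frame-ancestors: handles 'none', 'self',
// '*', scheme sources ("https:") and host sources with an optional scheme and
// a leading wildcard label ("https://*.example.com"). Ports and paths are not
// modelled (an assumption of this example, not the full CSP algorithm).
function sourceMatches(source, framerOrigin, pageOrigin) {
  const s = source.replace(/^'|'$/g, '').toLowerCase();
  if (s === 'none') return false;
  if (s === 'self') return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/]+)$/);
  if (!m) return false;
  const [, scheme, hostPort] = m;
  if (scheme && framer.protocol !== `${scheme}:`) return false;
  const host = hostPort.split(':')[0];
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.com"
    return framer.hostname.endsWith(suffix) && framer.hostname.length > suffix.length;
  }
  return framer.hostname === host;
}

// Returns true when the page can be framed by framerOrigin, i.e. when it is
// exposed to clickjacking from that origin. A CSP frame-ancestors directive
// takes precedence over X-Frame-Options when both are present.
function isFrameableBy(headers, pageUrl, framerOrigin) {
  const pageOrigin = originOf(pageUrl);
  const ancestors = frameAncestors(getHeader(headers, 'content-security-policy'));
  if (ancestors !== null) {
    return ancestors.some((src) => sourceMatches(src, framerOrigin, pageOrigin));
  }
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  // No header, or a value browsers do not enforce (such as the obsolete
  // ALLOW-FROM): treat the page as unprotected.
  return true;
}

// Constructed sample responses for a page at https://app.example.com/settings,
// checked from an unrelated origin (the position a clickjacking page is in).
const PAGE = 'https://app.example.com/settings';
const UNRELATED = 'https://unrelated.example';
const SAMPLES = [
  { name: 'no headers', headers: {} },
  { name: 'xfo deny', headers: { 'X-Frame-Options': 'DENY' } },
  { name: 'xfo sameorigin', headers: { 'X-Frame-Options': 'SAMEORIGIN' } },
  { name: 'csp self+partner', headers: { 'Content-Security-Policy':
      "default-src 'self'; frame-ancestors 'self' https://partner.example" } },
  { name: 'csp none overrides xfo', headers: { 'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'none'" } },
  { name: 'csp wildcard', headers: { 'Content-Security-Policy':
      'frame-ancestors https://*.example.com' } },
];

// One finding per sample: which responses an unrelated origin could frame.
function reportFraming(samples = SAMPLES, framerOrigin = UNRELATED) {
  return samples.map(({ name, headers }) => ({
    name,
    frameable: isFrameableBy(headers, PAGE, framerOrigin),
  }));
}

for (const f of reportFraming()) {
  console.log(`${f.frameable ? 'FRAMEABLE' : 'protected'}  ${f.name}`);
}
```

Run with `node`, or feed `isFrameableBy` the headers captured from a real response. Only the sample with no headers is reported as frameable from the unrelated origin; the "csp none overrides xfo" sample is also refused to the page's own origin even though `X-Frame-Options: SAMEORIGIN` alone would have allowed it, which is the precedence rule worth remembering when a site sets both headers inconsistently.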

Last updated 1 year ago