--- name: clickjacking description: >- Clickjacking playbook. Use when testing whether target pages can be framed, whether X-Frame-Options or CSP frame-ancestors are properly configured, and whether UI redress attacks can trigger sensitive actions. --- # SKILL: Clickjacking — Expert Attack Playbook > **AI LOAD INSTRUCTION**: Clickjacking (UI redress) techniques. Covers iframe transparency tricks, X-Frame-Options bypass, CSP frame-ancestors, multi-step clickjacking, drag-and-drop attacks, and chaining with other vulnerabilities. Often a "low severity" finding that becomes critical when targeting admin actions. ## 1. CORE CONCEPT Clickjacking loads a target page in a transparent iframe overlaid on an attacker's page. The victim sees the attacker's UI but clicks on the invisible target page, performing unintended actions. ```html

``` --- ## 2. DETECTION — IS THE PAGE FRAMEABLE? ### Check X-Frame-Options Header ``` X-Frame-Options: DENY → cannot be framed (secure) X-Frame-Options: SAMEORIGIN → only same-origin framing (secure for cross-origin) X-Frame-Options: ALLOW-FROM uri → deprecated, browser support inconsistent (header absent) → frameable! (vulnerable) ``` ### Check CSP frame-ancestors ``` Content-Security-Policy: frame-ancestors 'none' → cannot be framed Content-Security-Policy: frame-ancestors 'self' → same-origin only Content-Security-Policy: frame-ancestors https://a.com → specific origin (directive absent) → frameable ``` **CSP frame-ancestors supersedes X-Frame-Options** in modern browsers. ### Quick PoC Test ```html ``` If the page loads in the iframe → frameable → potentially vulnerable. ### JavaScript Frame Detection (from target page source) ```javascript // Common frame-busting code found in target pages: if (top.location.hostname !== self.location.hostname) { top.location.href = self.location.href; } ``` If this code is present but not using CSP `frame-ancestors`, it can often be bypassed. --- ## 3. PROOF OF CONCEPT TEMPLATES ### Basic Single-Click ```html Free Prize

Click the button to claim your prize!

``` ### Multi-Step Clickjacking For actions requiring multiple clicks (e.g., "Are you sure?" confirmation): ```html

``` Reposition iframe for each step to align the transparent button with the decoy. ### Drag-and-Drop Clickjacking Extract data from one iframe to another using HTML5 drag-and-drop events — the victim drags across invisible iframes, transferring tokens or data. --- ## 4. BYPASS TECHNIQUES ### Frame-Busting Script Bypass Some pages use JavaScript frame-busting: ```javascript if (top !== self) { top.location = self.location; } ``` **Bypass with sandbox attribute**: ```html ``` ### X-Frame-Options ALLOW-FROM Bypass `ALLOW-FROM` is not supported in Chrome/Safari. If the server relies solely on `ALLOW-FROM`, modern browsers ignore it → page is frameable. ### Double-Framing If `X-Frame-Options: SAMEORIGIN` is set, but a same-origin page exists that can be framed (without XFO), use that page as an intermediary to frame the target. --- ## 5. HIGH-IMPACT TARGETS ```text Account deletion page Email/password change form Admin panel actions (add user, change role) Payment confirmation OAuth authorization ("Allow" button) Two-factor authentication disable API key generation Webhook configuration ``` --- ## 6. TESTING CHECKLIST ``` □ Check X-Frame-Options header on sensitive pages □ Check CSP frame-ancestors directive □ Create iframe PoC and verify page loads □ Test frame-busting scripts — try sandbox attribute bypass □ Identify high-value single-click actions □ For multi-step actions, build multi-click PoC □ Test both authenticated and unauthenticated pages □ Verify ALLOW-FROM behavior across browsers ```