Add tests to 4.12.9 Testing for Clickjacking

[victoriadrake]

The current document describes clickjacking defenses from the title "Client side protection: Frame Busting" onward. Much of the content also appears in OWASP Clickjacking Defense Cheat Sheet.

There is a "proof of concept" described later in the text, but no specific testing instructions. I believe the portion of the document from the title "Client side protection: Frame Busting" onward should be rewritten without defense recommendations (out of scope of the testing guide) and with specific testing instructions.

[Hsiang-Chih]

"4.12.9 Testing for Clickjacking"
For the testing instructions, I think, it was provided. i.e. below.
Do you mean instead of the whole section description, it's suggested to list step 1, step 2....?

Suggested Tests
Step 1: Create a HTML "ClickJacking.html" with your target testing website as below.

<iframe src="http://www.target.site" width="500" height="500"></iframe>

Step 2: Use Browser to open the "ClickJacking.html"
Step 3: Review if the target website can be shown in the HTML "ClickJacking.html"
If the target website can be shown in the "ClickJacking.html", then the target website is vulnerable to clickJacking.

Original Text

<title>Clickjack test page</title> <iframe src="http://www.target.site" width="500" height="500"></iframe>

If the http://www.target.site page is successfully loaded into the frame, then the site is vulnerable and has no type of protection against clickjacking attacks.