Is it possible to steal the source code through clickjacking, so that attacker can also steal the CSRF tokens?
This is a demo attack website:
<!DOCTYPE html>
<html>
</div>
<div draggable="true" ondragstart="test();">
<h3>DRAG ME!!</h3>
<script>
function test(){
var v1 = document.createElement('iframe');
v1.src = "http://demo.testfire.net/search.aspx?txtSearch="
v1.setAttribute("style", "opacity:0.5");
v1.setAttribute("border", "0");
v1.setAttribute("scrolling", "0");
v1.setAttribute("id", "pi");
document.body.appendChild(v1);
document.getElementById("pi").onload =function(){
alert(this.responseText);
}
}
</script>
</html>
Now as you can see I am trying to steal the source code with the help of an alert box. But I didn't succeed in that.
What am I missing here?